Closed Bug 470061 Opened 16 years ago Closed 16 years ago

TM: "Assertion failure: cx->fp->regs->pc == f->ip && f->root == f"

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: dvander)

References

(
URL
)

Details

(Keywords: assertion, testcase, verified1.9.1, Whiteboard: [fixed-in-tracemonkey])

Attachments

(2 files, 2 obsolete files)

reduced
204 bytes, text/javascript
Details
fix bogus assertion
511 bytes, patch
gal
: review+
Details | Diff | Splinter Review 
Loading http://www.unitconversion.org/unit_converter/power.html on mozilla-central triggers:

Assertion failure: cx->fp->regs->pc == f->ip && f->root == f, at /Users/jruderman/central/js/src/jstracer.cpp:2950
Attached file extracted script (obsolete) — 
This seems to be a decompressor or de-obfuscator.  It triggers the same assertion in a tracemonkey-branch-tip shell.
Attached file reduced a bit (obsolete) — 

    
    

    
  
Awesome testcase. Reproduced in the shell.
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
    

    
  
Should be an easy fix.
Flags: blocking1.9.1?
Priority: -- → P1

    
    

    
  

      
      
      
      

        Attached file
          
        reduced
      

    


  
I think this is about as much as I can reduce it.  I pulled out a few constants and made them arguments to the function so that future constant-folding changes are less likely to change how the testcase is handled.

    
  
Flags: blocking1.9.1? → blocking1.9.1+

    
  

        Attachment #353534 -
        Attachment is obsolete: true

    
  

        Attachment #353529 -
        Attachment is obsolete: true

    
  
Keywords: testcase-wantedtestcase

    
    

    
  
Looks like something is getting confused when walking out of a loop.  Will investigate.
Assignee: general → danderson

    
    

    
  


  
This assertion is bogus.  There's no guarantee that when resuming state from a loop exit (stable or unstable), we'll be resuming at f->ip.  If a backwards branch is followed by a backwards goto, the exit's ip_adj will skip past the goto so nested trees don't attempt to record a break.

        Attachment #353639 -
        Flags: review?(gal)

    
  

        Attachment #353639 -
        Flags: review?(gal) → review+

    
    

    
  
Pushed fix as changeset: http://hg.mozilla.org/tracemonkey/rev/8353e26475a8
Whiteboard: [fixed-in-tracemonkey]

    
    

    
  
merged to mc
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED

    
    

    
  
Checking in js1_5/Regress/regress-470061.js
http://hg.mozilla.org/mozilla-central/rev/db39c91cd643
Flags: in-testsuite+
Flags: in-litmus-

    
    

    
  
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: