Closed
Bug 470187
Opened 16 years ago
Closed 16 years ago
TM: "Assertion failure: entry->kpc == (jsbytecode*) atoms[index]" with valueOf, regexp
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.1b3
People
(Reporter: jruderman, Assigned: brendan)
Details
(Keywords: assertion, testcase, verified1.9.1, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
2.81 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
for (var j=0;j<3;++j) ({valueOf: function(){return 2}}) - /x/;
Assertion failure: entry->kpc == (jsbytecode*) atoms[index], at ../jstracer.cpp:5026
|
Assignee | |
Updated•16 years ago
|
Assignee: general → brendan
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1b3
|
Reporter | |
Comment 1•16 years ago
|
||
js> for (var j=0;j<3;++j) ({valueOf: function(){return 2}}) - [];
Assertion failure: ATOM_IS_STRING(atom), at ../jstracer.cpp:7010|
|
Assignee | |
Comment 2•16 years ago
|
||
WFM on tm tip -- please verify or reopen if I'm missing something. Suspect this was fixed by imacros. /be
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 3•16 years ago
|
||
Both assertions still happen, but only when the testcases are fed to ./js as files (rather than pastes into the shell).
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Comment 4•16 years ago
|
||
I can't repro:
Yoyodyne:src brendaneich$ cat /tmp/fooey.js
for (var j=0;j<3;++j) ({valueOf: function(){return 2}}) - /x/;
Yoyodyne:src brendaneich$ ./Darwin_DBG.OBJ/js !$
./Darwin_DBG.OBJ/js /tmp/fooey.js
Yoyodyne:src brendaneich$ cat /tmp/fooey2.js
for (var j=0;j<3;++j) ({valueOf: function(){return 2}}) - [];
Yoyodyne:src brendaneich$ ./Darwin_DBG.OBJ/js !$
./Darwin_DBG.OBJ/js /tmp/fooey2.js
What's the secret ingredient?
/be|
|
Assignee | |
Comment 5•16 years ago
|
||
Argh, I was confusing this bug with bug 453955 insofar as being independent of -j -- but of course the assertions that are botching are in jstracer.cpp. Duh! /be
Status: REOPENED → ASSIGNED
Summary: "Assertion failure: entry->kpc == (jsbytecode*) atoms[index]" with valueOf, regexp → TM: "Assertion failure: entry->kpc == (jsbytecode*) atoms[index]" with valueOf, regexp
|
|
Assignee | |
Comment 6•16 years ago
|
||
Fix (in final hunk) plus cleanup that avoids repeating the atoms = fp->imacpc ? ... : ...; three-liner all over creation. /be
Attachment #358352 -
Flags: review?(jorendorff)
|
|
Assignee | |
Comment 7•16 years ago
|
||
This should block, we are failing to restore the correct atoms pointer in the recorder when tracing out of a trace-inlined function call. Manifold disaster ensues. /be
Flags: blocking1.9.1?
|
||
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
|
||
Comment 8•16 years ago
|
||
Comment on attachment 358352 [details] [diff] [review] fix Looks good.
Attachment #358352 -
Flags: review?(jorendorff) → review+
|
|
Assignee | |
Comment 9•16 years ago
|
||
Fixed in tm: http://hg.mozilla.org/tracemonkey/rev/f53361213469 /be
Whiteboard: fixed-in-tracemonkey
|
|
||
Comment 10•16 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/bf99bd959cfb
Status: ASSIGNED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED
|
||
Updated•15 years ago
|
Whiteboard: fixed-in-tracemonkey → fixed-in-tracemonkey [needs 191 landing]
|
|
||
Comment 11•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/103adc44c092
Keywords: fixed1.9.1
Whiteboard: fixed-in-tracemonkey [needs 191 landing] → fixed-in-tracemonkey
|
||
Comment 12•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/885326d3cf5c
Flags: in-testsuite+
Flags: in-litmus-
|
|
||
Comment 13•15 years ago
|
||
js1_5/Regress/regress-470187-01.js js1_5/Regress/regress-470187-02.js v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•