Closed Bug 474935 Opened 17 years ago Closed 17 years ago

TM: "Assertion failure: !ti->typeMap.matches(ti_other->typeMap)" with global, large array

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: dvander)

Details

(4 keywords)

Attachments

(1 file)

proposed fix
3.00 KB, patch
gal
: review+
Details | Diff | Splinter Review
var a = ["", 0, 0, 0, 0, 0, "", "", 0, "", 0, ""]; var i = 0; var g = 0; for each (let e in a) { "" + [e]; if (i == 3 || i == 7) { for each (g in [1]) { } } ++i; } Assertion failure: !ti->typeMap.matches(ti_other->typeMap), at ../jstracer.cpp:3110
Assignee: general → danderson
Attached patch proposed fixSplinter Review
This bug occurred because a piece of the joinEdgesToEntry logic (which is somewhat duplicated in js_AttemptToStabilizeTree) was missing. If an unstable exit has an integer in its typemap while a peer has a double, and that slot is undemotable, the original tree should be trashed and js_RecordTree should not be called. This faults in a standalone file but I can't seem to replicate the conditions in trace-tests.
Attachment #358526 - Flags: review?(gal)
Comment on attachment 358526 [details] [diff] [review] proposed fix Did you test perf? I hope SS doesn't hit this case.
Attachment #358526 - Flags: review?(gal) → review+
No perf change, so pushed as changeset: http://hg.mozilla.org/tracemonkey/rev/e6c5ad00591d
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
http://hg.mozilla.org/mozilla-central/rev/d52de3f35735 /cvsroot/mozilla/js/tests/js1_8/regress/regress-474935.js,v <-- regress-474935.js initial revision: 1.1
Flags: in-testsuite+
Flags: in-litmus-
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: