Closed
Bug 474935
Opened 16 years ago
Closed 16 years ago
TM: "Assertion failure: !ti->typeMap.matches(ti_other->typeMap)" with global, large array
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: dvander)
Details
(4 keywords)
Attachments
(1 file)
3.00 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
var a = ["", 0, 0, 0, 0, 0, "", "", 0, "", 0, ""]; var i = 0; var g = 0; for each (let e in a) { "" + [e]; if (i == 3 || i == 7) { for each (g in [1]) { } } ++i; } Assertion failure: !ti->typeMap.matches(ti_other->typeMap), at ../jstracer.cpp:3110
Assignee | ||
Updated•16 years ago
|
Assignee: general → danderson
Assignee | ||
Comment 1•16 years ago
|
||
This bug occurred because a piece of the joinEdgesToEntry logic (which is somewhat duplicated in js_AttemptToStabilizeTree) was missing. If an unstable exit has an integer in its typemap while a peer has a double, and that slot is undemotable, the original tree should be trashed and js_RecordTree should not be called. This faults in a standalone file but I can't seem to replicate the conditions in trace-tests.
Attachment #358526 -
Flags: review?(gal)
Comment 2•16 years ago
|
||
Comment on attachment 358526 [details] [diff] [review] proposed fix Did you test perf? I hope SS doesn't hit this case.
Attachment #358526 -
Flags: review?(gal) → review+
Assignee | ||
Comment 3•16 years ago
|
||
No perf change, so pushed as changeset: http://hg.mozilla.org/tracemonkey/rev/e6c5ad00591d
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 4•16 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/d52de3f35735 /cvsroot/mozilla/js/tests/js1_8/regress/regress-474935.js,v <-- regress-474935.js initial revision: 1.1
Flags: in-testsuite+
Flags: in-litmus-
Comment 5•16 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/e6c5ad00591d
Flags: blocking1.9.1+
Comment 6•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f6157412e3ed
Keywords: fixed1.9.1
Comment 7•15 years ago
|
||
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•