Closed
Bug 477048
Opened 16 years ago
Closed 16 years ago
"Assertion failure: cg->stackDepth == loopDepth, at ../jsemit.cpp"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: gkw, Assigned: jorendorff)
Details
(Keywords: assertion, testcase, verified1.9.1, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
955 bytes,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
for each (this.__proto__ in x) {}
Assertion failure: cg->stackDepth == loopDepth, at ../jsemit.cpp:4433
Trace/BPT trap
asserts debug (TM not needed) but seems to work as expected in opt. Related to bug 467495?
Nominating blocking-1.9.1 in case it is a regression from bug 467495, which is a P1 critical trunk bug.
Flags: blocking1.9.1?
Reporter | ||
Comment 1•16 years ago
|
||
(In reply to comment #0)
> Nominating blocking-1.9.1 in case it is a regression from bug 467495, which is
> a P1 critical trunk bug.
... and also because jsfunfuzz is hitting it very very frequently due to simplicity.
Assignee | ||
Comment 3•16 years ago
|
||
Fallout from bug 469625.
This fixes the specific test case in the description. There are five calls to EmitPropOp in jsemit.cpp, need to check that none of them trip the assertion.
Attachment #360751 -
Flags: review?(brendan)
Comment 4•16 years ago
|
||
Comment on attachment 360751 [details] [diff] [review]
v1
Bad reviewer (me). Just a few lines more context would show the requirements. Thanks,
/be
Attachment #360751 -
Flags: review?(brendan) → review+
Assignee | ||
Comment 5•16 years ago
|
||
I checked, and FORPROP was the only opcode tripping the assertion there. Pushed.
http://hg.mozilla.org/tracemonkey/rev/dc636df847be
Whiteboard: fixed-in-tracemonkey
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Comment 6•16 years ago
|
||
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 7•16 years ago
|
||
Flags: in-testsuite+
Flags: in-litmus-
Comment 8•16 years ago
|
||
Keywords: fixed1.9.1
Comment 9•16 years ago
|
||
js1_7/extensions/regress-477048.js
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•