Closed Bug 478205 Opened 13 years ago Closed 13 years ago

TM: "Assertion failed: p->isQuad() (../nanojit/Nativei386.cpp:1599)"

Categories

(Core :: JavaScript Engine, defect, P2)

VERIFIED FIXED

People

(Reporter: gkw, Assigned: dmandelin)

Details

(Keywords: assertion, testcase, verified1.9.1, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files)

Attached file verbose output
for each (let x in ['', '']) { switch([]) {} }

Assertion failed: p->isQuad() (../nanojit/Nativei386.cpp:1599)

- TM-only, seems to work as expected in opt.
- Occurs very often in fuzz testing, TM tip, suspect some checkin in the past day or so, or the mc to tm merge.
- Nominating blocking1.9.1 due to its simplicity.
Flags: blocking1.9.1?
Yeah, must be the new switch stuff.  We're calling js_DoubleToInt32 on the switch argument (which is an array).
Attached patch Patch
Assignee: general → dmandelin
Attachment #362061 - Flags: review?(gal)
Comment on attachment 362061
Patch

We could also do StringToNumber but I guess this case is only an issue for fuzzer programs so not worth it.
Attachment #362061 - Flags: review?(gal) → review+
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Pushed to TM as c31a7fa98db3.
(In reply to comment #4)
> Pushed to TM as c31a7fa98db3.

Adding fixed-in-tracemonkey to whiteboard per comment #4.
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/c31a7fa98db3
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
js1_8/regress/regress-478205.js	
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED