Closed
Bug 496813
Opened 16 years ago
Closed 16 years ago
"Assertion failure: isInt32(*p)" with simple testcase
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9.1
People
(Reporter: jruderman, Assigned: dvander)
Details
(Keywords: assertion, fixed1.9.1, testcase)
Attachments
(1 file)
|
518 bytes,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
for (var i = 0; i < 4; ++i) {
var x = 1;
for (var j = 0; j < 3; ++j) {
if (j > 1) {
x = {};
}
}
}
print(x);
Incorrectly gives 2885984 when it should give "[object Object]". If I change the inner loop bound from 3 to 4, I get an assertion instead:
Assertion failure: isInt32(*p), at ../jstracer.cpp:2031
This bug affects both TM tip and 1.9.1 branch. The testcase is simple enough that I'd expect web sites to hit it.
Flags: blocking1.9.1?
|
||
Comment 1•16 years ago
|
||
This is really not fun. I don't understand why none of our tests catches this stuff.
Assignee: general → gal
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1
|
||
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
|
Assignee | |
Comment 2•16 years ago
|
||
Reduced testcase:
function f() {
x = 1;
for (var j = 0; j < 3; ++j) {
if (j > 1) {
x = {};
}
}
}
f();
f();
f();
print(x);
|
|
Assignee | |
Comment 3•16 years ago
|
||
Silly bug. Side exit coalescing code wasn't checking that both exits had the same number of global types.
|
|
||
Comment 4•16 years ago
|
||
Comment on attachment 382165 [details] [diff] [review]
fix
Possible fix but I think it would be better to extend the destination map if it matches but is too short.
|
|
||
Updated•16 years ago
|
Attachment #382165 -
Flags: review?(gal) → review+
|
|
||
Comment 5•16 years ago
|
||
Comment on attachment 382165 [details] [diff] [review]
fix
r+ with the rationale that memcmp without length check is wrong for sure and this is a minimal fix. will discuss further whether this causes duplicate traces which could be avoided by growing an existing trace.
|
||
Comment 6•16 years ago
|
||
Are we memcmp'ing off the end of an allocation even with the patch?
/be
|
|
Assignee | |
Comment 7•16 years ago
|
||
(In reply to comment #6)
> Are we memcmp'ing off the end of an allocation even with the patch?
>
> /be
Since stack slots should always match, it should be okay.
|
|
||
Comment 8•16 years ago
|
||
Would asserting that be vacuous? Not obviously but maybe I am missing context.
/be
|
|
||
Comment 9•16 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
||
Comment 10•16 years ago
|
||
Keywords: fixed1.9.1
|
||
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•