Bug 505314: "Assertion failed: i != 0" on collecta.com
Status: RESOLVED FIXED
Opened 15 years ago, closed 15 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: jruderman, Assigned: dmandelin
Keywords: assertion
Attachments (2 files, 2 obsolete files):
1.80 KB, patch (gal: review+)
3.40 KB, text/html
Loading http://collecta.com/ in a debug build triggers: Assertion failed: i != 0 (/Users/jruderman/central/js/src/nanojit/Assembler.cpp:1605)
Comment 1 • 15 years ago
Important catch. Can you grab a local copy? Is this reproducible?
Comment 2 • 15 years ago (Reporter)
Comment 3 • 15 years ago
This seems to involve js_Arguments
Updated • 15 years ago (Assignee)
Assignee: general → dmandelin
Comment 4 • 15 years ago (Assignee)
I don't have a reduced test case either. The bug seems to depend on the exact state of the register allocator, which is hard to control by writing JS. The problem seems to be caused by writing a LIR_ialloc instruction with size 0. Somehow that makes the allocator get confused. It ends up giving slot 2 in the AR to 2 different calls. When call 1 is processed, it ends up clearing the slot. When call 2 is processed, it tries to clear the slot and asserts. I fixed it by making the call not allocate a 0-sized buffer, and improved the nanojit asserts so they should be able to catch related problems faster in the future.
Attachment #389591 -
Flags: review?(gal)
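
Comment 4 attributes the assertion to a zero-sized LIR_ialloc that leaves one AR slot shared by two calls. The C++ model below is an added example, not nanojit code and not the attached patch: it assumes a first-fit slot table (SlotTable, reserve, release and replay are hypothetical names) to show one way an empty reservation can alias a live slot, and how refusing size 0 in the allocator reports the problem at reservation time instead of at the second free.

```cpp
#include <array>
#include <cstdio>

// Simplified model of an activation-record (AR) slot table. Hypothetical names;
// not nanojit's code. owner[s] is the id of the call owning slot s, 0 = free.
struct SlotTable {
    static constexpr int kSlots = 8;
    std::array<int, kSlots> owner{};
    bool rejectEmpty;  // hardened mode: refuse zero-sized reservations
    explicit SlotTable(bool hardened) : rejectEmpty(hardened) {}

    // First-fit search for n contiguous free slots (slot 0 is never handed out).
    // Returns the first slot of the run, or -1 if the request is refused.
    int reserve(int id, int n) {
        if (n < 0 || (rejectEmpty && n == 0)) return -1;
        for (int start = 1; start + n <= kSlots; ++start) {
            int j = 0;
            while (j < n && owner[start + j] == 0) ++j;
            if (j < n) continue;  // run interrupted by a live slot
            for (j = 0; j < n; ++j) owner[start + j] = id;
            return start;  // with n == 0 nothing was marked, so the slot stays "free"
        }
        return -1;
    }

    // Clears one slot; false means no owner, which a debug assert on free would catch.
    bool release(int slot) {
        if (slot < 1 || slot >= kSlots || owner[slot] == 0) return false;
        owner[slot] = 0;
        return true;
    }
};

struct Outcome { int slotA, slotB; bool freeA, freeB; };
// Call A reserves 0 slots, call B reserves 1 slot, then both are freed in order.
Outcome replay(bool hardened) {
    SlotTable ar(hardened);
    Outcome o{};
    o.slotA = ar.reserve(1, 0);
    o.slotB = ar.reserve(2, 1);
    o.freeA = o.slotA > 0 && ar.release(o.slotA);  // unhardened: clears B's slot
    o.freeB = o.slotB > 0 && ar.release(o.slotB);  // unhardened: slot already empty
    return o;
}

int main() {
    Outcome u = replay(false), h = replay(true);
    std::printf("unhardened A=%d B=%d freeB=%d | hardened A=%d B=%d freeB=%d\n", u.slotA, u.slotB, u.freeB, h.slotA, h.slotB, h.freeB);
}
```

In the unhardened run both calls receive the same slot and the second free finds it already empty; in the hardened run the empty request is refused up front and call B's slot is freed cleanly.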
Comment 5 • 15 years ago (Reporter)
Attachment #389560 -
Attachment is obsolete: true
Updated • 15 years ago
Attachment #389591 -
Flags: review?(gal) → review+
Comment 6 • 15 years ago (Reporter)
Getting harder to reduce :(
Attachment #389598 -
Attachment is obsolete: true
Comment 7 • 15 years ago (Assignee)
Pushed to TM as 57f03473969d.
Comment 8 • 15 years ago
http://hg.mozilla.org/mozilla-central/rev/57f03473969d
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 9 • 11 years ago
Filter on qa-project-auto-change: Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
Updated • 9 years ago
Keywords: testcase-wanted