Closed
Bug 511837
Opened 15 years ago
Closed 15 years ago
TM: Crash [@ nanojit::Assembler::freeRsrcOf] or "Assertion failed: p->isQuad() (../nanojit/Nativei386.cpp:1325)" or "Assertion failure: s0->isQuad(), at ../jstracer.cpp" or "Assertion failure: m != TT_INT32 || isInt32(*vp), at ../jstracer.cpp" with Math
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta1-fixed |
People
(Reporter: gkw, Assigned: gal)
References
Details
(5 keywords, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(1 file)
|
3.01 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
for each(l in ['', 0, 0, ]) {
print(Math.round(false))
}
asserts js debug shell with -j at Assertion failure: s0->isQuad(), at ../jstracer.cpp:1337
autoBisect shows this is probably related to bug 511307:
The first bad revision is:
changeset: 31632:ccf91ba2d62a
user: Andreas Gal
date: Wed Aug 19 15:31:10 2009 -0700
summary: Specialize math functions to integer arithmetic where appropriate (511307, r=dvander).Flags: blocking1.9.2?
|
Reporter | |
Comment 1•15 years ago
|
||
for (x = 0; x < 3; ++x) {
a = Math.floor('')
}
crashes js opt shell with -j at nanojit::Assembler::freeRsrcOf at null and asserts js debug shell with -j at Assertion failed: p->isQuad() (../nanojit/Nativei386.cpp:1325)
autoBisect also points fingers at bug 511307.Summary: TM: "Assertion failure: s0->isQuad(), at ../jstracer.cpp" with Math → TM: Crash [@ nanojit::Assembler::freeRsrcOf] or "Assertion failed: p->isQuad() (../nanojit/Nativei386.cpp:1325)" or "Assertion failure: s0->isQuad(), at ../jstracer.cpp" with Math
|
|
Reporter | |
Comment 2•15 years ago
|
||
options().n;
(function () {
Math
})()
for (let x in [0, 0]) {
''.replace((Math.min(3, /x/)))
}
asserts js debug shell with -j at Assertion failure: m != TT_INT32 || isInt32(*vp), at ../jstracer.cpp:3206, autoBisect fingering out bug 511307 too.Keywords: crash
Summary: TM: Crash [@ nanojit::Assembler::freeRsrcOf] or "Assertion failed: p->isQuad() (../nanojit/Nativei386.cpp:1325)" or "Assertion failure: s0->isQuad(), at ../jstracer.cpp" with Math → TM: Crash [@ nanojit::Assembler::freeRsrcOf] or "Assertion failed: p->isQuad() (../nanojit/Nativei386.cpp:1325)" or "Assertion failure: s0->isQuad(), at ../jstracer.cpp" or "Assertion failure: m != TT_INT32 || isInt32(*vp), at ../jstracer.cpp" with Math
|
|
Reporter | |
Comment 3•15 years ago
|
||
(In reply to comment #1) > for (x = 0; x < 3; ++x) { > a = Math.floor('') > } > > crashes js opt shell with -j at nanojit::Assembler::freeRsrcOf at null and > asserts js debug shell with -j at Assertion failed: p->isQuad() > (../nanojit/Nativei386.cpp:1325) > > autoBisect also points fingers at bug 511307. Now this morphed to asserting only at Assertion failure: s0->isQuad(), at ../jstracer.cpp:1337. That said, I still see nanojit::Assembler::freeRsrcOf js opt null deref crashes, I'll need to wait for a reduced testcase first.
|
Assignee | |
Updated•15 years ago
|
Assignee: general → gal
|
|
Assignee | |
Comment 4•15 years ago
|
||
Confirmed on TM tip. Good test case.
|
|
Assignee | |
Comment 5•15 years ago
|
||
|
|
Assignee | |
Updated•15 years ago
|
Attachment #396798 -
Flags: review?(dvander)
|
|
||
Updated•15 years ago
|
Attachment #396798 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 6•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/d4faaf65fefb
Whiteboard: fixed-in-tracemonkey
|
|
Reporter | |
Updated•15 years ago
|
Status: NEW → ASSIGNED
|
||
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
|
||
Comment 7•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/d4faaf65fefb
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Updated•15 years ago
|
Priority: -- → P1
|
|
||
Comment 8•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/4e6fc06723d9
status1.9.2:
--- → beta1-fixed
|
||
Updated•13 years ago
|
Crash Signature: [@ nanojit::Assembler::freeRsrcOf]
You need to log in
before you can comment on or make changes to this bug.
Description
•