Closed
Bug 529147
Opened 15 years ago
Closed 15 years ago
TM: "Assertion failure: numSideExitsBefore >= fragment->root->treeInfo->sideExits.length(), at ../jstracer.cpp"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: luke)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
1.48 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
var magicNumbers = [1, -1, 0, 0]; var magicIndex = 0; function foo(n) { for (var i = 0; i < n; ++i) { bar(); } } function bar() { var q = magicNumbers[magicIndex++]; if (q != -1) { foo(q); } } foo(3); asserts js debug shell with -j on TM tip at Assertion failure: numSideExitsBefore >= fragment->root->treeInfo->sideExits.length(), at ../jstracer.cpp:2560 Many thanks to Jesse for his help in reduction of the testcase. autoBisect shows this has the following (not exactly the smallest regression window): http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=81afd53646d4&tochange=30f8f6dcf808
Reporter | ||
Comment 1•15 years ago
|
||
This is impacting jsfunfuzz significantly. :(
Reporter | ||
Comment 2•15 years ago
|
||
After some manual bisects, this is probably related to bug 520636.
Blocks: 520636
Assignee | ||
Comment 3•15 years ago
|
||
Flipped relational operator; pretty dim on my part. At first I was surprised that something so wrong could pass debug trace-tests, but its actually quite a corner case, so I'm adding it. Thanks again Gary!
Updated•15 years ago
|
Attachment #412742 -
Flags: review?(dvander) → review+
Assignee | ||
Comment 4•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/81b3a2e0c807
Whiteboard: fixed-in-tracemonkey
Comment 5•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/81b3a2e0c807
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 6•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug529147.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•