Closed
Bug 536748
Opened 16 years ago
Closed 15 years ago
Assertion failed: i < callInfo()->count_args() | Crash [@ nanojit::Assembler::asm_arg(nanojit::ArgSize, nanojit::LIns*, nanojit::Register, int&)]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: bc, Assigned: dmandelin)
References
()
Details
(Keywords: assertion, Whiteboard: fixed-in-tracemonkey)
Attachments
(2 files, 1 obsolete file)
|
7.00 KB,
text/html
|
Details | |
|
1.36 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
1. http://www.irishq.dk/throwback.html
2. assert.
#0 NanoAssertFail () at /work/mozilla/builds/1.9.3/mozilla/js/src/nanojit/avmplus.cpp:70
#1 0x00409f3a in nanojit::LIns::arg (this=0x64b9768, i=4294967295) at LIR.h:976
#2 0x00409f7c in nanojit::LIns::callArgN (this=0x64b9768, n=1) at LIR.h:986
#3 0x003e2757 in fcallarg (i=0x64b9768, n=1) at /work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:1764
#4 0x003e523b in TraceRecorder::f2i (this=0x6257800, f=0x64b9768) at /work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:8383
#5 0x003f2d3c in TraceRecorder::binary (this=0x6257800, op=nanojit::LIR_and) at /work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:9143
#6 0x003f32f1 in TraceRecorder::record_JSOP_BITAND (this=0x6257800) at /work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:10216
#7 0x003fafca in TraceRecorder::monitorRecording (this=0x6257800, op=JSOP_BITAND) at jsopcode.tbl:136
#8 0x00306174 in js_Interpret (cx=0x6397600) at jsops.cpp:78
#9 0x00331176 in js_Invoke (cx=0x6397600, argc=1, vp=0x633ac24, flags=0) at jsinterp.cpp:1384
#10 0x00331735 in js_InternalInvoke (cx=0x6397600, obj=0x1eeffdc0, fval=519032416, flags=0, argc=1, argv=0x633ac20, rval=0xbfffc3a8) at jsinterp.cpp:1439
#11 0x0029d361 in JS_CallFunctionValue (cx=0x6397600, obj=0x1eeffdc0, fval=519032416, argc=1, argv=0x633ac20, rval=0xbfffc3a8) at /work/mozilla/builds/1.9.3/mozilla/js/src/jsapi.cpp:5098
trunk mac/windows at least. crashes opt. nightly does not generate a crash report. I don't assert 1.9.2
found from a url crashing with nanojit::Assembler::asm_arg(nanojit::ArgSize, nanojit::LIns*, nanojit::Register, int&)
|
Assignee | |
Comment 1•16 years ago
|
||
The |1| just looks wrong, I think it should be |0|. The call site I changed is on the call stack, and later we assert in LIR.h trying to read argument 1 when the function has only one argument.
This test case doesn't trip the bug. Anyone know why? Is the charCodeAt being constant-folded?
var s = "a";
var b = 32767;
for (var i = 0; i < 10; ++i) {
b = b & s.charCodeAt(0);
}
print(b);
Assignee: general → dmandelin
Status: NEW → ASSIGNED
|
||
Comment 2•16 years ago
|
||
I'm a non-expert on this code but (based on pattern-matching against the surrounding code) the patch looks good to me. dmandelin, presumably your were able to reproduce the crash and this fixed it?
|
|
Assignee | |
Comment 3•16 years ago
|
||
Attachment #419464 -
Attachment is obsolete: true
Attachment #419969 -
Flags: review?(dvander)
|
|
Assignee | |
Comment 4•16 years ago
|
||
(In reply to comment #2)
> I'm a non-expert on this code but (based on pattern-matching against the
> surrounding code) the patch looks good to me. dmandelin, presumably your were
> able to reproduce the crash and this fixed it?
Yes. My first try at a shell test case didn't work so I was waiting for help with that. But, encouraged by your comment, I checked it again and figured out that we need to call |charCodeAt| with no arguments to trip the bug.
|
||
Updated•16 years ago
|
Attachment #419969 -
Flags: review?(dvander) → review+
|
|
||
Comment 5•16 years ago
|
||
Comment on attachment 419969 [details] [diff] [review]
Patch 2 (with test case)
I broke that. Sorry. Thanks for the fix.
|
|
Assignee | |
Comment 6•16 years ago
|
||
Keywords: testcase-wanted
Whiteboard: fixed-in-tracemonkey
|
||
Comment 7•15 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•