Closed
Bug 552196
Opened 14 years ago
Closed 14 years ago
TM: "Assertion failure: size_t(p - cx->fp->slots) < cx->fp->script->nslots, at ../jstracer.cpp" or "Assertion failure: size_t(p - cx->fp->slots()) < cx->fp->script->nslots, at ../jstracer.cpp"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: dvander)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
3.41 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
(Function("\
for (a = 0; a < 5; a++)\
(function f(b) {\
if (b > 0) {\
f(b - 1)\
}\
})\
(3)\
"))()
asserts js debug shell with -j on TM tip at Assertion failure: size_t(p - cx->fp->slots) < cx->fp->script->nslots, at ../jstracer.cpp:2545
|
Reporter | |
Comment 1•14 years ago
|
||
autoBisect shows this is probably related to bug 551705: The first bad revision is: changeset: 38596:1f812d89de66 user: David Anderson date: Fri Mar 12 11:47:44 2010 -0800 summary: Fixed regression with recursion and type unstable frame slurping (bug 551705, r=gal).
Blocks: 551705
|
|
Reporter | |
Comment 2•14 years ago
|
||
Also asserts at: Assertion failure: size_t(p - cx->fp->slots()) < cx->fp->script->nslots, at ../jstracer.cpp:2546 on JM tip.
Summary: TM: "Assertion failure: size_t(p - cx->fp->slots) < cx->fp->script->nslots, at ../jstracer.cpp" → TM: "Assertion failure: size_t(p - cx->fp->slots) < cx->fp->script->nslots, at ../jstracer.cpp" or "Assertion failure: size_t(p - cx->fp->slots()) < cx->fp->script->nslots, at ../jstracer.cpp"
|
|
Assignee | |
Updated•14 years ago
|
Assignee: general → dvander
|
|
Assignee | |
Comment 3•14 years ago
|
||
Bleh. Backing out this part of the code in bug 551705 was not entirely correct. If branching directly off a JSOP_STOP, there's no stackval(-1) to read. Fortunately it is valid (and necessary) to read regs.pc iff not anchoring off a "slurp fail exit", to see where to get the return value from. This patch contains a free prize at the bottom: a big comment explaining what slurpDownFrames is.
Attachment #434007 -
Flags: review?(gal)
|
||
Updated•14 years ago
|
Attachment #434007 -
Flags: review?(gal) → review+
|
||
Comment 4•14 years ago
|
||
Pushed to tracemonkey at Gary's request. Hope this is ok! http://hg.mozilla.org/tracemonkey/rev/9a0a4c64da0a
Whiteboard: fixed-in-tracemonkey
|
|
Reporter | |
Comment 5•14 years ago
|
||
Thanks Jason and everyone. This was kind-of hurting TM fuzzing for awhile.
|
||
Comment 6•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/9a0a4c64da0a
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Comment 7•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug552196.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•