Closed Bug 600163 Opened 14 years ago Closed 14 years ago

JM: "Assertion failure: checkedFreeRegs == freeRegs,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
ARM
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
fennec 2.0b1+ ---

People

(Reporter: gkw, Assigned: dvander)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

fix
1.09 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review 
Function("x <<= functional.z = window")()

asserts js debug shell on TM changeset 54700fad8cf9 with -m on ARM at Assertion failure: checkedFreeRegs == freeRegs,

(gdb) bt
#0  0x4004211c in raise () from /lib/vfp/libpthread.so.0
#1  0x001f32f0 in JS_Assert (s=0x3dfafc "checkedFreeRegs == freeRegs", 
    file=0x3df8d8 "/mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/methodjit/FrameState.cpp", ln=345)
    at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jsutil.cpp:83
#2  0x002f7490 in js::mjit::FrameState::assertValidRegisterState (this=0xbebadc60)
    at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/methodjit/FrameState.cpp:345
#3  0x002dbb28 in js::mjit::Compiler::generateMethod (this=0xbebad248)
    at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/methodjit/Compiler.cpp:1702
#4  0x002ddf24 in js::mjit::Compiler::Compile (this=0xbebad248) at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/methodjit/Compiler.cpp:144
#5  0x002de3d8 in js::mjit::TryCompile (cx=0x472860, script=0x484f78, fun=0x40906d70, scopeChain=0x40902038)
    at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/methodjit/Compiler.cpp:174
#6  0x0031dbd0 in UncachedInlineCall (f=@0xbebafed8, flags=0, pret=0xbebafe74, argc=0)
    at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/methodjit/InvokeHelpers.cpp:447
#7  0x0031de4c in js::mjit::stubs::UncachedCallHelper (f=@0xbebafed8, argc=0, ucr=0xbebafe6c)
    at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/methodjit/InvokeHelpers.cpp:528
#8  0x0031a2d4 in CallCompiler::update (this=0xbebafeac) at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/methodjit/MonoIC.cpp:609
#9  0x00317cf4 in js::mjit::ic::Call (f=@0xbebafed8, index=1) at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/methodjit/MonoIC.cpp:669
#10 0x002cce84 in JaegerStubVeneer ()
#11 0x408283a8 in ?? ()
Attached patch fixSplinter Review 
Hits on x86/64 with --disable-polyic. The bug is that FrameState::shimmy and another function, pass an FE directly into storeTop() without making sure it's tracked. Untracked FEs have uninitialized memory.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #479201 - Flags: review?(dmandelin)
Attachment #479201 - Flags: review?(dmandelin) → review+
tracking-fennec: --- → 2.0b1+
I checked this into m-c separately this morning:

http://hg.mozilla.org/mozilla-central/rev/16eee4664daf
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: