Closed Bug 600419 Opened 14 years ago Closed 14 years ago

"Assertion failure: fe_" with x<<x (LSH)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files)

stack trace
3.48 KB, text/plain
Details
Fix pinReg() around copyDataIntoReg()
815 bytes, patch
dvander
: review+
Details | Diff | Splinter Review
js -m (function(){ var x; [1].map(function(){}, x << x); })() Assertion failure: fe_, at js/src/methodjit/FrameState.h:245 The first bad revision is: changeset: 1bbc0fc10747 user: David Anderson date: Tue Sep 21 18:34:42 2010 -0700 summary: Optimize FrameState for large linear scripts (bug 591836, r=dmandelin). Seems superficially similar to bug 596817, but that bug had a different regressor and a different fix.
Attached file stack trace
Blocks: JaegerFuzz
Only reproduces on x86, not x64.
copyDataIntoReg() calls forgetReg() if we're out of registers [x86 has greater register pressure, explaining why x64 doesn't see this]. But jsop_bitop() has pinned the data register, so it can't be forgotten. This only uses pinReg() in the case where it's necessary.
Attachment #479840 - Flags: review?(dvander)
Blocks: 601109
No longer blocks: 601109
Attachment #479840 - Flags: review?(dvander) → review+
http://hg.mozilla.org/mozilla-central/rev/6527251c2dbe
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug600419.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: