Closed Bug 602574 Opened 14 years ago Closed 14 years ago

Assertion failure: constOffset != 0, at js/src/jsscript.h:381

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- beta7+

People

(Reporter: jst, Assigned: dvander)

Details

(Whiteboard: [compartments])

Attachments

(1 file)

We hit this seemingly reliably with the patch queue at http://hg.mozilla.org/users/mrbkap_mozilla.com/brain-transplants/ applied to the tracemonkey tree. The reason for the assert is that in JSScript::NewScript() we run this code:

        script->constOffset = (uint8)(cursor - (uint8 *)script);

where (cursor - (uint8 *)script) is 256, which ends up setting the constOffset to 0.
This blocks brain transplants, which means it blocks beta7.
blocking2.0: --- → beta7+
Oh, and this is only an issue on 64-bit systems.
Hrm. Compartments adds a new member to JSScript, that would cause it.
Attached patch: fix
Johnny, if this patch works, please just add it to the compartment queue.
Assignee: general → dvander
Status: NEW → ASSIGNED
Whiteboard: [compartments]
You should ask for review etc?
For the record, this patch does seem to work!
Attachment #481612 - Flags: review+
This landed with compartments.

http://hg.mozilla.org/mozilla-central/rev/13e698bd1530
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
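
Added example, not part of the original bug or its patch: a minimal C program showing the truncation described in the report, where a byte offset of 256 stored through a `(uint8)` cast becomes 0, next to a range-checked store. The function names and the sample offsets are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers; sample offsets below are constructed for illustration. */

/* Pattern from the report: narrowing cast with no range check.
   Only the low 8 bits survive, so 256 -> 0 and 257 -> 1. */
static uint8_t store_unchecked(size_t byte_offset)
{
    return (uint8_t)byte_offset;
}

/* Checked narrowing: refuse any offset that would not round-trip through
   the one-byte field. 0 is rejected too, since the assertion in the report
   requires a non-zero constOffset. */
static int store_checked(size_t byte_offset, uint8_t *out)
{
    if (byte_offset == 0 || byte_offset > UINT8_MAX)
        return -1;
    *out = (uint8_t)byte_offset;
    return 0;
}

int main(void)
{
    /* Constructed offsets: one that fits, the value from the report, and
       one that wraps to a non-zero value the assertion would not catch. */
    const size_t samples[] = { 255, 256, 257 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t field = 0;
        int rc = store_checked(samples[i], &field);
        printf("offset %zu: unchecked=%u checked=%s\n",
               samples[i], (unsigned)store_unchecked(samples[i]),
               rc == 0 ? "stored" : "rejected");
    }
    return 0;
}
```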