Closed
Bug 602574
Opened 14 years ago
Closed 14 years ago
Assertion failure: constOffset != 0, at js/src/jsscript.h:381
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | beta7+ |
People
(Reporter: jst, Assigned: dvander)
Details
(Whiteboard: [compartments])
Attachments
(1 file)
3.90 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
We hit this seemingly reliably with the patch queue at http://hg.mozilla.org/users/mrbkap_mozilla.com/brain-transplants/ applied to the tracemonkey tree. The reason for the assert is that in JSScript::NewScript() we run this code: script->constOffset = (uint8)(cursor - (uint8 *)script); where (cursor - (uint8 *)script) is 256, which ends up setting the constOffset to 0.
Reporter | ||
Comment 1•14 years ago
|
||
This blocks brain transplans, which means it blocks beta7.
blocking2.0: --- → beta7+
Reporter | ||
Comment 2•14 years ago
|
||
Oh, and this is only an issue on 64-bit systems.
Assignee | ||
Comment 3•14 years ago
|
||
Hrm. Compartments adds a new member to JSScript, that would cause it.
Assignee | ||
Comment 4•14 years ago
|
||
Johnny, if this patch works, please just add it to the compartment queue.
Assignee: general → dvander
Status: NEW → ASSIGNED
Updated•14 years ago
|
Whiteboard: [compartments]
Reporter | ||
Comment 6•14 years ago
|
||
For the record, this patch does seem to work!
Updated•14 years ago
|
Attachment #481612 -
Flags: review+
Reporter | ||
Comment 7•14 years ago
|
||
This landed with compartments. http://hg.mozilla.org/mozilla-central/rev/13e698bd1530
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•