Bug 606662
Opened 14 years ago
Closed 14 years ago
Crash [@ js::mjit::JITScript::release] or "Assertion failure: unsigned(sp - entries) < nargs + script->nslots,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED FIXED
blocking2.0: betaN+
People
(Reporter: gkw, Assigned: dmandelin)
References
Details
(4 keywords, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments (2 files)
138 bytes, text/plain | Details
671 bytes, patch | dvander: review+ | Details | Diff | Splinter Review
Description
new(function() { #1# }) asserts js debug shell on TM changeset ee1746020149 with -m at Assertion failure: unsigned(sp - entries) < nargs + script->nslots,
Updated 14 years ago by Reporter
blocking2.0: betaN+ → ?
Comment 1, 14 years ago, by Reporter
Due to skipped revisions, the first bad revision could be any of:
changeset: 55675:e000b5963fde
user: David Anderson
date: Fri Oct 15 11:36:56 2010 -0700
summary: Remove JSOP_BEGIN and fix tracer integration issues (bug 603044, r=luke+dmandelin).
changeset: 55676:ae031ec5ad63
user: David Anderson
date: Mon Oct 18 20:30:36 2010 -0700
summary: Build bustage fix.
So likely to be bug 603044.
Blocks: 603044
Comment 2, 14 years ago
A bogus assertion. Fixable per script->hasSharps() usage in js::Execute. /be
Comment 3, 14 years ago, by Reporter
I could make another testcase (that asserts similarly in a debug shell) crash in an opt shell, but it has to lie in a subdirectory for some reason.
===
(gdb) r
Starting program: /Users/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-56418-1c573c884629/js-opt-32-tm-darwin -m test/w36966-cj.js
Reading symbols for shared libraries .+++...................................................................................... done
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000001
0x001eec6e in js::mjit::JITScript::release ()
(gdb) bt
#0  0x001eec6e in js::mjit::JITScript::release ()
#1  0x001eefd7 in js::mjit::ReleaseScriptCode ()
(gdb) x/i $eip
0x1eec6e <_ZN2js4mjit9JITScript7releaseEv+14>:	mov (%edi),%eax
(gdb) x/b $edi
0x1:	Cannot access memory at address 0x1
(gdb) x/b $eax
0x413580:	0x02
(gdb)
Updated 14 years ago by Reporter
Keywords: crash
Summary: "Assertion failure: unsigned(sp - entries) < nargs + script->nslots," → Crash [@ js::mjit::JITScript::release] or "Assertion failure: unsigned(sp - entries) < nargs + script->nslots,"
Updated 14 years ago
blocking2.0: ? → betaN+
Updated 14 years ago by Assignee
Assignee: general → dmandelin
Comment 4, 14 years ago, by Assignee
Attachment #488096 - Flags: review?(dvander)
Updated 14 years ago
Attachment #488096 - Flags: review?(dvander) → review+
Comment 5, 14 years ago, by Assignee
http://hg.mozilla.org/tracemonkey/rev/258744efa972
Status: NEW → ASSIGNED
Whiteboard: fixed-in-tracemonkey
Comment 6, 14 years ago
http://hg.mozilla.org/mozilla-central/rev/258744efa972
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated 13 years ago
Crash Signature: [@ js::mjit::JITScript::release]
Comment 7, 11 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug606662-2.js.
Flags: in-testsuite+