Closed Bug 640102 Opened 15 years ago Closed 15 years ago

TI: "Assertion failure: !isEntryCopied(fe),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-jaegermonkey)

Attachments

(1 file)

stack
4.90 KB, text/plain
Details
Attached file stack
eval("v>>([]=x)") asserts js debug shell on JM changeset 60670ecd2133 at Assertion failure: !isEntryCopied(fe), with -m, -n and -a.
FrameState::isEntryCopied, used to check whether the copied bit on a frame entry is correct, shouldn't look at entries which have been popped off the stack (but which still show up in the tracker). http://hg.mozilla.org/projects/jaegermonkey/rev/e348689923e5
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
Better to add nfe < sp to the loop condition? Why keep going with no hope of true return? /be
That should be correct, though it additionally depends on the invariant that tracker entries are ordered according to the stack slots. I've shot myself in the foot enough times using the FrameState that I tend to write code using it conservatively (and things still break everywhere). Can fix this when I fix bug 640614, which is the same problem as this one.
Actually, it looks like the ordering invariant in the tracker only applies to copies, i.e. we assert that if fe copies nfe, fe > nfe and fe's tracker index > nfe's tracker index. So you could get a premature return by moving the nfe < sp to the loop condition if the tracker was A B C where C copies A but B is >= sp.
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug640102.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: