Closed
Bug 648839
Opened 14 years ago
Closed 14 years ago
TI: Assertion failure: stackDepth == newDepth, at jsanalyze.cpp:100
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, testcase)
The following testcase asserts on TI revision d3215d1e985a (run with -m -n -a), tested on 64 bit: ForIn_1( { length:4, company:"netscape", year:2000, 0:"zero" } ); function ForIn_1( object ) { PropertyArray = new Array(); for ( PropertyArray[PropertyArray.length] in object ) { object[1]; } }
Comment 1•14 years ago
|
||
Fixed by rev 3816e4abb158 I think, this also showed up in the jstest this was derived from. This was introduced by array bounds check hoisting --- we annotate SETELEMs which have been used to grow arrays by replacing them in the bytecode with a SETHOLE opcode (same semantics). The problem is we would also overwrite ENUMELEM with SETHOLE because ENUMELEM is implemented in terms of SETELEM by the method JIT, and the different stack usages of these opcodes broke downstream analysis. I'm going to try to avoid breaking the jstests again in the future.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 2•12 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•