Last Comment Bug 653396 - JM: Assertion failure: length <= JS_ARGS_LENGTH_MAX, at ./methodjit/MonoIC.cpp:1209
: JM: Assertion failure: length <= JS_ARGS_LENGTH_MAX, at ./methodjit/MonoIC.cp...
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
-- critical (vote)
: ---
Assigned To: Luke Wagner [:luke]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz
  Show dependency treegraph
Reported: 2011-04-28 04:42 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:05 PST (History)
7 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

fix (1.38 KB, patch)
2011-05-01 02:09 PDT, Luke Wagner [:luke]
jwalden+bmo: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2011-04-28 04:42:30 PDT
The following testcase asserts on TI revision 09cce9915b80 (run with -m -n -a),
tested on 64 bit:

function g(a, b, c, d) {}
function f(a, b, c) {
        g.apply(this, arguments);
Comment 1 User image Jan de Mooij [:jandem] 2011-04-30 00:39:30 PDT
This asserts also on the tracemonkey branch with -m -a at revision e2843f43757e.
Comment 2 User image Luke Wagner [:luke] 2011-05-01 02:09:34 PDT
Created attachment 529338 [details] [diff] [review]

Oh jeez, lame bug.  I think this assert survived from a previous bug where we were erroneously using getArgsInitialLength (where the assert would hold).

Great find!
Comment 3 User image Luke Wagner [:luke] 2011-05-03 03:41:10 PDT
Comment 4 User image Chris Leary [:cdleary] (not checking bugmail) 2011-05-10 15:13:36 PDT
cdleary-bot mozilla-central merge info:
Comment 5 User image Christian Holler (:decoder) 2013-01-14 08:05:42 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug653396.js.

Note You need to log in before you can comment on or make changes to this bug.