Closed Bug 655505 Opened 13 years ago Closed 13 years ago

TI+JM: Assertion failure: checkedFreeRegs == a->freeRegs, at FrameState.cpp:1371

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Assigned: jandem)

References

Details

Attachments

(2 files)

Patch
7.21 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review
Fix fixDoubleTypes
12.63 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
Mochitest-4 asserts with this and decoder posted a fuzz test case on IRC.
Attached patch PatchSplinter Review 

        Attachment #530860 -
        Flags: review?(bhackett1024)

    
    

    
  
Comment on attachment 530860 [details] [diff] [review]
Patch

Review of attachment 530860 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/methodjit/Compiler.cpp
@@ +1331,4 @@
>              for (unsigned i = 0; i < fixedDoubleEntries.length(); i++) {
>                  FrameEntry *fe = frame.getOrTrack(fixedDoubleEntries[i]);
>                  frame.ensureInteger(fe);
> +                frame.assertValidRegisterState();

Not sure about these; the assertValidRegisterState before setting jumpMap should catch these shortly, and these assertions might be expensive to run.

@@ +1343,5 @@
>                      FrameEntry *fe = frame.getOrTrack(slot);
>                      JS_ASSERT(!fe->isType(JSVAL_TYPE_DOUBLE));
>                  }
>              }
> +            frame.assertValidRegisterState();

This one shouldn't be necessary, the code above it does not mutate the FS.

        Attachment #530860 -
        Flags: review?(bhackett1024) → review+

    
    

    
  
OK I removed the calls. Now we assert before and after the bytecode switch, I think that's most important to determine where it went wrong.

http://hg.mozilla.org/projects/jaegermonkey/rev/325744fbf7f0
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
    

    
  


  
There was another bug here, we could call fixDoubleTypes twice for the same op, causing incorrect results because the same entry is converted twice. Now fixDoubleTypes is only called from generateMethod. Mochitest-4 test_transitions is green with this patch.

        Attachment #531000 -
        Flags: review?(bhackett1024)

    
  
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
Comment on attachment 531000 [details] [diff] [review]
Fix fixDoubleTypes

Nice factoring, this was being done in a pretty sloppy fashion.

        Attachment #531000 -
        Flags: review?(bhackett1024) → review+

    
    

    
  
http://hg.mozilla.org/projects/jaegermonkey/rev/3d26d25a4f63
Status: REOPENED → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: