Beginning on October 25th, 2016, Persona will no longer be an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 657288 - TI: Assertion failure: offset < script->length, at ./jsanalyze.h:906
: TI: Assertion failure: offset < script->length, at ./jsanalyze.h:906
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: infer-regress langfuzz
  Show dependency treegraph
Reported: 2011-05-16 00:36 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:10 PST (History)
4 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description Christian Holler (:decoder) 2011-05-16 00:36:09 PDT
The following testcase asserts on TI revision 693a36f402ee (run with -m -n -a),
tested on 64 bit:

new DoWhileObject;
function DoWhileObject(breakOut, breakIn, iterations, loops) {
    loops.prototype = new DoWhile;
function DoWhile(object) {
    do {} while (object);
Comment 1 Brian Hackett (:bhackett) 2011-05-16 10:29:45 PDT
When calling back into the interpreter, InternalInterpret (invoked by the interpoline) used JSINTERP_SAFEPOINT to skip the script prologue, but this also could cause the interpreter to fail to finish the entry frame.  This adds a JSINTERP_REJOIN mode which satisfies InternalInterpret's requirements --- the interpreter can start anywhere within the entry frame, but must finish it before returning.
Comment 2 Christian Holler (:decoder) 2013-01-14 08:10:43 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug657288.js.

Note You need to log in before you can comment on or make changes to this bug.