Closed Bug 657984 Opened 13 years ago Closed 13 years ago

TI: "Assertion failure: JSOp(*iterpc) == JSOP_ITER," or "Assertion failure: nop == JSOP_TRACE || nop == JSOP_NOTRACE," with trap

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

dis() information, and stack
3.89 KB, text/plain
Details 
function f(){ for(y in x); }
dis(f)
trap(f, 5, '')
f()

asserts js debug shell on JM changeset 5d1cbc94bc42 with -d, -a and -n at Assertion failure: JSOp(*iterpc) == JSOP_ITER,
Setting the third line to:

trap(f, 10, '')

results in a different assert:

Assertion failure: nop == JSOP_TRACE || nop == JSOP_NOTRACE,

(gdb) bt
#0  0xf7fdf430 in __kernel_vsyscall ()
#1  0xf7fb5ba0 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  0x081ff2a9 in JS_Assert (s=0x8461f04 "nop == JSOP_TRACE || nop == JSOP_NOTRACE", file=0x8461c50 "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsanalyze.cpp", ln=914)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsutil.cpp:89
#3  0x0837d2e9 in js::analyze::ScriptAnalysis::analyzeLifetimes (this=0x85298f8, cx=0x84eb1b8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsanalyze.cpp:914
#4  0x0837d760 in js::analyze::ScriptAnalysis::analyzeSSA (this=0x85298f8, cx=0x84eb1b8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsanalyze.cpp:1175
#5  0x0811770a in js::analyze::ScriptAnalysis::analyzeTypes (this=0x85298f8, cx=0x84eb1b8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsinfer.cpp:3699
#6  0x0811cf50 in JSScript::typeSetThis (this=0x852aa88, cx=0x84eb1b8, type=1) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsinferinlines.h:704
#7  0x0811225a in js::types::TypeCompartment::dynamicCall (this=0x84ebb58, cx=0x84eb1b8, callee=0xf750d1e0, args=..., constructing=false)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsinfer.cpp:1780
#8  0x0812cb17 in JSContext::typeMonitorCall (this=0x84eb1b8, args=..., constructing=false) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsinferinlines.h:483
#9  0x0839f302 in js::Interpret (cx=0x84eb1b8, entryFrame=0xf76e4030, inlineCallCount=0, interpMode=js::JSINTERP_NORMAL)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsinterp.cpp:4682

/snip
Summary: TI: "Assertion failure: JSOp(*iterpc) == JSOP_ITER," with trap → TI: "Assertion failure: JSOp(*iterpc) == JSOP_ITER," or "Assertion failure: nop == JSOP_TRACE || nop == JSOP_NOTRACE," with trap
Fixed as part of bug 657975, both of these asserts are bogus.

http://hg.mozilla.org/projects/jaegermonkey/rev/176ee6b37ad0
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: