Last Comment Bug 658465 - TI: "Assertion failure: JSOp(*pc) != JSOP_TRAP,", with trap
: TI: "Assertion failure: JSOp(*pc) != JSOP_TRAP,", with trap
Status: RESOLVED FIXED
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Linux
: -- critical (vote)
: ---
Assigned To: general
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: jsfunfuzz infer-regress
  Show dependency treegraph
 
Reported: 2011-05-19 22:16 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2011-05-21 07:05 PDT (History)
5 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Gary Kwong [:gkw] [:nth10sd] 2011-05-19 22:16:07 PDT
function f() {
  "use strict";
  print(Math.min(0, 1));
}
dis(f)
trap(f, 10, '')
f()

asserts js debug shell on JM changeset aec367836312 with -m, -d, -a and -n at Assertion failure: JSOp(*pc) != JSOP_TRAP,

flags: NULL_CLOSURE
off     op
-----   --
main:
00000:  callname "print"
00005:  name "Math"
00010:  callprop "min"      <-- trap goes here
00015:  zero
00016:  one
00017:  call 2
00020:  call 1
00023:  pop
00024:  stop

Source notes:
 ofs  line    pc  delta desc     args
---- ---- ----- ------ -------- ------
  0:    1     0 [   0] newline 
  1:    2     0 [   0] newline 
  2:    3    10 [  10] xdelta  
  3:    3    10 [   0] pcbase   offset 5
  5:    3    17 [   7] pcbase   offset 12
  7:    3    20 [   3] pcbase   offset 20
Comment 1 Brian Hackett (:bhackett) 2011-05-21 07:05:24 PDT
Missed path where inference did not untrap before accessing an opcode.

http://hg.mozilla.org/projects/jaegermonkey/rev/07412de099f6

Note You need to log in before you can comment on or make changes to this bug.