Closed
Bug 660737
Opened 14 years ago
Closed 14 years ago
TI: "Assertion failure: rejoin == REJOIN_BINDNAME || rejoin == REJOIN_GETTER || rejoin == REJOIN_POS || rejoin == REJOIN_BINARY,"
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: gkw, Unassigned
Keywords: assertion, regression, testcase
(function() {
    function f(l) {
        w++
    }
    for each(let w in ['', '', 0]) {
        try {
            f(w)
        } catch (e) {}
    }
})()
asserts js debug shell on JM changeset 68620d37fb23 with -m, -a and -n at Assertion failure: rejoin == REJOIN_BINDNAME || rejoin == REJOIN_GETTER || rejoin == REJOIN_POS || rejoin == REJOIN_BINARY,
(gdb) bt
#0 0x00000001001f957b in JS_Assert (s=0x1003cbd38 "rejoin == REJOIN_BINDNAME || rejoin == REJOIN_GETTER || rejoin == REJOIN_POS || rejoin == REJOIN_BINARY", file=0x1003cbb38 "/Users/fuzz4/Desktop/jsfunfuzz-dbg-64-jm-70356-68620d37fb23/compilePath/js/src/methodjit/InvokeHelpers.cpp", ln=1219) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-jm-70356-68620d37fb23/compilePath/js/src/jsutil.cpp:86
#1 0x000000010035b1eb in FinishObjIncOp (f=@0x7fff5fbff170, rejoin=js::mjit::REJOIN_CHECK_ARGUMENTS, objv={data = {asBits = 18445477440625057992, debugView = {payload47 = 4310704328, tag = JSVAL_TAG_OBJECT}, s = {payload = {i32 = 15737032, u32 = 15737032, why = 15737032, word = 18445477440625057992}}, asDouble = -nan(0xb800100f020c8), asPtr = 0xfffb800100f020c8}}, ov={data = {asBits = 0, debugView = {payload47 = 0, tag = 0}, s = {payload = {i32 = 0, u32 = 0, why = JS_ARRAY_HOLE, word = 0}}, asDouble = 0, asPtr = 0x0}}, nv={data = {asBits = 0, debugView = {payload47 = 0, tag = 0}, s = {payload = {i32 = 0, u32 = 0, why = JS_ARRAY_HOLE, word = 0}}, asDouble = 0, asPtr = 0x0}}, vp=0x100a751c0) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-jm-70356-68620d37fb23/compilePath/js/src/methodjit/InvokeHelpers.cpp:1218
#2 0x000000010035dff9 in js_InternalInterpret (returnData=0x7fff5fbff130, returnType=0x100900000, returnReg=0x1, f=@0x7fff5fbff170) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-jm-70356-68620d37fb23/compilePath/js/src/methodjit/InvokeHelpers.cpp:1362
#3 0x00000001002b2358 in JaegerInterpoline () at MacroAssemblerCodeRef.h:151
#4 0x00000001002b424b in js::mjit::EnterMethodJIT (cx=0x100912220, fp=0x100a75048, code=0x100e75080, stackLimit=0x100b2aaf0) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-jm-70356-68620d37fb23/compilePath/js/src/methodjit/MethodJIT.cpp:884
#5 0x00000001002b4380 in CheckStackAndEnterMethodJIT (cx=0x100912220, fp=0x100a75048, code=0x100e75080) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-jm-70356-68620d37fb23/compilePath/js/src/methodjit/MethodJIT.cpp:916
#6 0x00000001002b448e in js::mjit::JaegerShot (cx=0x100912220) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-jm-70356-68620d37fb23/compilePath/js/src/methodjit/MethodJIT.cpp:933
#7 0x000000010011e0f5 in js::RunScript (cx=0x100912220, script=0x1009202b0, fp=0x100a75048) at jsinterp.cpp:614
#8 0x000000010011e6c1 in js::Execute (cx=0x100912220, chain=@0x100f020c8, script=0x1009202b0, prev=0x0, flags=0, result=0x7fff5fbff5e0) at jsinterp.cpp:1002
#9 0x0000000100029736 in JS_ExecuteScript (cx=0x100912220, obj=0x100f020c8, scriptObj=0x100f046c0, rval=0x7fff5fbff5e0) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-jm-70356-68620d37fb23/compilePath/js/src/jsapi.cpp:5077
#10 0x00000001000114db in Process (cx=0x100912220, obj=0x100f020c8, filename=0x0, forceTTY=0, last=1) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-jm-70356-68620d37fb23/compilePath/js/src/shell/js.cpp:555
#11 0x0000000100011ec1 in ProcessArgs (cx=0x100912220, obj=0x100f020c8, argv=0x7fff5fbff7b0, argc=3) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-jm-70356-68620d37fb23/compilePath/js/src/shell/js.cpp:984
#12 0x0000000100012072 in Shell (cx=0x100912220, argc=3, argv=0x7fff5fbff7b0, envp=0x7fff5fbff7d0) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-jm-70356-68620d37fb23/compilePath/js/src/shell/js.cpp:5974
#13 0x00000001000122ba in main (argc=3, argv=0x7fff5fbff7b0, envp=0x7fff5fbff7d0) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-jm-70356-68620d37fb23/compilePath/js/src/shell/js.cpp:6107
Reporter
Comment 1•14 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 69789:5d1cbc94bc42
user: Brian Hackett
date: Tue May 17 20:29:41 2011 -0700
summary: Read barriers for property accesses, bug 656920.
Blocks: 656920
Keywords: regression
Comment 2•14 years ago
Additional rejoin that is possible at the start of the script. When that start opcode coincided with an incop we thought we were rejoining in the middle of the incop and got confused. It would be nice if scripts had a no-op JSOP_PROLOGUE or something at the start so we could have a meaningful pc to attach these prologue stub calls to.
http://hg.mozilla.org/projects/jaegermonkey/rev/0d8de54ff332
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
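A simplified model of the dispatch-order problem comment 2 describes, added here as an example and not taken from the SpiderMonkey source or the fix changeset. The rejoin state names come from the assertion and backtrace above; `Op`, `Outcome` and both `resume*` functions are hypothetical.

```cpp
// Model only: shows why a prologue rejoin attached to the script's first pc
// is misread as a mid-incop rejoin when that first opcode is an incop.
#include <cstdio>

enum RejoinState {            // names as they appear in the assertion/backtrace
    REJOIN_CHECK_ARGUMENTS,   // prologue stub call, recorded at the first pc
    REJOIN_BINDNAME, REJOIN_GETTER, REJOIN_POS, REJOIN_BINARY
};
enum Op { OP_INCOP, OP_OTHER };   // hypothetical: "is the opcode at pc an incop?"
enum Outcome { RESUMED_PROLOGUE, RESUMED_INCOP, RESUMED_OTHER, CONFUSED };

// The four states the failing assertion accepts inside the incop path.
static bool isIncOpRejoin(RejoinState r) {
    return r == REJOIN_BINDNAME || r == REJOIN_GETTER ||
           r == REJOIN_POS || r == REJOIN_BINARY;
}

// Before: the opcode at pc is consulted first, so any rejoin recorded at an
// incop is assumed to be one of the incop's own intermediate states.
Outcome resumeByOpcodeFirst(Op opAtPc, RejoinState rejoin) {
    if (opAtPc == OP_INCOP)
        return isIncOpRejoin(rejoin) ? RESUMED_INCOP : CONFUSED; // assert site
    if (rejoin == REJOIN_CHECK_ARGUMENTS)
        return RESUMED_PROLOGUE;
    return RESUMED_OTHER;
}

// After (one possible ordering, assumed): prologue rejoins are recognised
// before the opcode is looked at, whatever opcode starts the script.
Outcome resumePrologueFirst(Op opAtPc, RejoinState rejoin) {
    if (rejoin == REJOIN_CHECK_ARGUMENTS)
        return RESUMED_PROLOGUE;
    return resumeByOpcodeFirst(opAtPc, rejoin);
}

int main() {
    // The case from the backtrace: rejoin=REJOIN_CHECK_ARGUMENTS at an incop.
    Outcome before = resumeByOpcodeFirst(OP_INCOP, REJOIN_CHECK_ARGUMENTS);
    Outcome after = resumePrologueFirst(OP_INCOP, REJOIN_CHECK_ARGUMENTS);
    std::printf("opcode-first: %s\n", before == CONFUSED ? "confused" : "ok");
    std::printf("prologue-first: %s\n", after == RESUMED_PROLOGUE ? "ok" : "confused");
    return 0;
}
```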
Comment 3•13 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug660737.js.
Flags: in-testsuite+