666003 – Assertion failure: size_t((regs.fp()->hasImacropc() ? regs.fp()->imacropc() : regs.pc) - script->code) < script->length, at jsinterp.cpp:6534

Last Comment Bug 666003 - Assertion failure: size_t((regs.fp()->hasImacropc() ? regs.fp()->imacropc() : regs.pc) - script->code) < script->length, at jsinterp.cpp:6534


Summary:	Assertion failure: size_t((regs.fp()->hasImacropc() ? regs.fp()->imacropc() :...

Status:	RESOLVED FIXED
Whiteboard:	fixed-in-tracemonkey
Keywords:	assertion, regression, testcase

Product:	Core
Classification:	Components
Component:	JavaScript Engine (show other bugs)
Version:	unspecified
Platform:	All All

Importance:	-- critical (vote)
Target Milestone:	---
Assigned To:	Luke Wagner [:luke]
QA Contact:
Triage Owner:
Mentors:

URL:

Depends on:
Blocks:	630996 664252
	Show dependency tree / graph

Reported:

2011-06-21 13:13 PDT by Jan de Mooij [:jandem]

Modified:

2013-01-14 08:18 PST (History)

CC List:

6 users (show)

Flags:

choller: in‑testsuite+

See Also:

Crash Signature:

(edit)

QA Whiteboard:

Iteration:

---

Points:

---

Has Regression Range:

---

Has STR:

---

Tracking Flags:

Attachments
fix and test (1.43 KB, patch) 2011-06-21 13:41 PDT, Luke Wagner [:luke]	jwalden+bmo: review+	Details \| Diff \| Splinter Review
View All Add an attachment (proposed patch, testcase, etc.)

Description

Jan de Mooij [:jandem] 2011-06-21 13:13:23 PDT

--
function f() {
    f = function() { g(); };
    f();
}
g = f;
f();
--
$ ./js test.js
Assertion failure: size_t((regs.fp()->hasImacropc() ? regs.fp()->imacropc() : regs.pc) - script->code) < script->length, at jsinterp.cpp:6534

Revision 2ff6092157a5, 32-bit OS X.

Comment 1

Luke Wagner [:luke] 2011-06-21 13:23:26 PDT

Assigning to 'script' before guaranteed success.  Nice testcase, thanks.

Comment 2

Luke Wagner [:luke] 2011-06-21 13:41:17 PDT

Created attachment 540866 [details] [diff] [review]
fix and test

Comment 3

Jesse Ruderman 2011-06-21 14:58:23 PDT

The first bad revision is:
changeset:   ce10e78d030d
user:        Luke Wagner
date:        Tue Jun 14 16:36:13 2011 -0700
summary:     Bug 664252 - Turn lemons (LLVM-only build bustage) into lemonade (rewrite JSOP_CALL/EVAL/NEW to have less goto madness) (r=waldo)

Comment 4

Luke Wagner [:luke] 2011-06-21 17:51:32 PDT

http://hg.mozilla.org/tracemonkey/rev/d416abec8cd3

Comment 5

Chris Leary [:cdleary] (not checking bugmail) 2011-06-27 11:37:06 PDT

cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/d416abec8cd3

Comment 6

Christian Holler (:decoder) 2013-01-14 08:18:49 PST

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug666003.js.

Note You need to log in before you can comment on or make changes to this bug.