Bug 666003

Assertion failure: size_t((regs.fp()->hasImacropc() ? regs.fp()->imacropc() : regs.pc) - script->code) < script->length, at jsinterp.cpp:6534

RESOLVED FIXED

Get help with this page

Status

()

Product:

▸

Core

Component:

▸

JavaScript Engine

Importance:

critical

Status:

RESOLVED FIXED

Reported:

6 years ago

Modified:

5 years ago

People

(Reporter: jandem, Assigned: luke)

Tracking

({assertion, regression, testcase})

Version:

unspecified

Target:

---

Keywords:

assertion, regression, testcase

Points:

---

Blocks:

630996, 664252

Dependency tree / graph

Bug Flags:

decoder

in-testsuite

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment)

fix and test 6 years ago Luke Wagner [:luke] 1.43 KB, patch	Waldo : review+	Details \| Diff \| Splinter Review

Jan de Mooij [:jandem]

(Reporter)

Description

•

6 years ago

--
function f() {
    f = function() { g(); };
    f();
}
g = f;
f();
--
$ ./js test.js
Assertion failure: size_t((regs.fp()->hasImacropc() ? regs.fp()->imacropc() : regs.pc) - script->code) < script->length, at jsinterp.cpp:6534

Revision 2ff6092157a5, 32-bit OS X.

Luke Wagner [:luke]

(Assignee)

Comment 1

•

6 years ago

Assigning to 'script' before guaranteed success.  Nice testcase, thanks.

Assignee: general → luke

Luke Wagner [:luke]

(Assignee)

Comment 2

•

6 years ago

Created attachment 540866 [details] [diff] [review]
fix and test

Attachment #540866 - Flags: review?(jwalden+bmo)

Jesse Ruderman

Comment 3

•

6 years ago

The first bad revision is:
changeset:   ce10e78d030d
user:        Luke Wagner
date:        Tue Jun 14 16:36:13 2011 -0700
summary:     Bug 664252 - Turn lemons (LLVM-only build bustage) into lemonade (rewrite JSOP_CALL/EVAL/NEW to have less goto madness) (r=waldo)

Blocks: 664252

Keywords: assertion, regression, testcase

Jeff Walden [:Waldo] (not taking new requests -- poke me on IRC if it's important)

Updated

•

6 years ago

Attachment #540866 - Flags: review?(jwalden+bmo) → review+

Luke Wagner [:luke]

(Assignee)

Comment 4

•

6 years ago

http://hg.mozilla.org/tracemonkey/rev/d416abec8cd3

Whiteboard: fixed-in-tracemonkey

Chris Leary [:cdleary] (not checking bugmail)

Comment 5

•

6 years ago

cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/d416abec8cd3

Chris Leary [:cdleary] (not checking bugmail)

Updated

•

6 years ago

Status: NEW → RESOLVED

Last Resolved: 6 years ago

Resolution: --- → FIXED

Christian Holler (:decoder)

Comment 6

•

5 years ago

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug666003.js.

Flags: in-testsuite+

You need to log in before you can comment on or make changes to this bug.

Assertion failure: size_t((regs.fp()->hasImacropc() ? regs.fp()->imacropc() : regs.pc) - script->code) < script->length, at jsinterp.cpp:6534

Status

()

People

(Reporter: jandem, Assigned: luke)

Tracking

({assertion, regression, testcase})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-tracemonkey)

Security

(public)

User Story

Attachments

(1 attachment)

Description

Updated

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Updated

Comment 6