Closed Bug 677373 Opened 13 years ago Closed 13 years ago

[jsdbg2] Assertion failure: *pc == JSOP_TRACE || *pc == JSOP_NOTRACE, at jstracer.cpp:7070

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 680428

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase) 

The following code asserts on jsdbg2 branch (revision 82545b1e4129, options -j -m -a):


var g = newGlobal('new-compartment');
var dbg = Debugger(g);
dbg.onDebuggerStatement = function (frame) {
    function handler(line) {
        return {hit: function (frame) { g.log += "" + line; }};
    }
    var s = frame.eval("f").return.script;
    for (var line = 2; line <= 6; line++) {
        var offs = s.getLineOffsets(g.line0 + line);
        var h = handler(line);
        for (var i = 0; i < offs.length; i++) {
            s.setBreakpoint(offs[i], h);
        }
    }
};
g.eval("var line0 = Error().lineNumber;\n" +
       "function f(n) {\n" +        // line0 + 1
       "    for (var i = 0;\n" +    // line0 + 2
       "         i < n;\n" +        // line0 + 3
       "         i++)\n" +          // line0 + 4
       "        log += '.';\n" +    // line0 + 5
       "}\n" +
       "debugger;\n");
g.f(0x8);
Existing bug in m-i with -j -m -a -d:

var log = '';
function f(n) {
    for (var i = 0; i < n; i++)
        log += '.';
}
var offset = +(/(0*\d+): *trace/.exec(disassemble(f))[1]);
trap(f, offset, '');
f(10);
The bug was that debug mode wasn't disabling the tracejit. It's fixed.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.