Closed Bug 680759 Opened 13 years ago Closed 13 years ago

TI: Assertion failure: offset < script->length, at ./jsanalyze.h:235

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

The following testcase asserts on TI revision a2bbe9c999b4 (run with -j -m -n -a), tested on 64 bit:


TryToCatch();
TryToCatch();
function Thrower( v ) {
  throw "Caught";
}
function Eval( v ) { 
	SECTION : Thrower(TryToCatch, v, ': 3')
}
function TryToCatch( value, expect ) {
  try {
    Eval( value )
  } catch (e) {  }
}
We need to ensure that inline frames have been expanded in the compartment before walking to find the exception handler after an exception has been thrown.  The correct handler was still found, but subsequent frame expansion led to this handler having an incoherent script/pc.

http://hg.mozilla.org/projects/jaegermonkey/rev/194a7ad3ecd2
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/inline/bug680759.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.