Closed Bug 684621 Opened 14 years ago Closed 14 years ago

Assertion failure: copied == 0, at methodjit/FrameEntry.h:180

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-jaegermonkey)

The following test asserts on mozilla-central revision a351ae35f2c4 (with shell build fix from mozilla-inbound rev fff3dc9478ce). Use options -m -n -a and a 32 bit debug build: function runRichards() { queue = new Packet; Packet(queue, ID_DEVICE_A, KIND_DEVICE); new Packet; } var ID_DEVICE_A = 4; var KIND_DEVICE = 0; Packet = function (queue) { this.link = null if (queue == null) return; var peek, next = queue; while ((peek = next.link) != null) ID_HANDLER_B }; runRichards()
Is this a TI regression?
Yes, working on a fix.
Blocks: infer-regress
After processing a loop backedge, we clear information about loop temporaries but did not uncopy any temporaries which there were copies of. This can only happen when an assignment of a loop invariant entry occurs in the loop test. http://hg.mozilla.org/projects/jaegermonkey/rev/1c934fd8ac88
Whiteboard: js-triage-needed → fixed-in-jaegermonkey
http://hg.mozilla.org/mozilla-central/rev/1c934fd8ac88
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/loops/bug684621.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.