Closed Bug 684621 Opened 13 years ago Closed 13 years ago

Assertion failure: copied == 0, at methodjit/FrameEntry.h:180

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-jaegermonkey) 

The following test asserts on mozilla-central revision a351ae35f2c4 (with shell build fix from mozilla-inbound rev fff3dc9478ce). Use options -m -n -a and a 32 bit debug build:


function runRichards() {
    queue = new Packet;
    Packet(queue, ID_DEVICE_A, KIND_DEVICE);
    new Packet;
}
var ID_DEVICE_A = 4;
var KIND_DEVICE = 0;
Packet = function (queue) {
    this.link = null
    if (queue == null) return;
    var peek, next = queue;
    while ((peek = next.link) != null)
    ID_HANDLER_B
};
runRichards()
Is this a TI regression?
Yes, working on a fix.
Blocks: infer-regress
After processing a loop backedge, we clear information about loop temporaries but did not uncopy any temporaries which there were copies of.  This can only happen when an assignment of a loop invariant entry occurs in the loop test.

http://hg.mozilla.org/projects/jaegermonkey/rev/1c934fd8ac88
Whiteboard: js-triage-needed → fixed-in-jaegermonkey
http://hg.mozilla.org/mozilla-central/rev/1c934fd8ac88
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/loops/bug684621.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.