Bug 684824 - Assertion failure: !a->analysis->trackSlot(entrySlot(fe)), at methodjit/FrameState.cpp:801
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Assigned To: general
: Jason Orendorff [:jorendorff]
Blocks: langfuzz
Reported: 2011-09-06 04:51 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:39 PST
choller: in‑testsuite+


Description Christian Holler (:decoder) 2011-09-06 04:51:11 PDT
The following test crashes on mozilla-central revision fc78ee766770 (options -m -n -a):

function g(b) {
  for (var i = 0; b++; ++i) {  }
function f(xa_arg) {
  for (var i = 0; i < 5; ++i) {
f([ 0, 1, (0x80000005), 3, 4 ]);

Note that I cannot reproduce this on the jaegermonkey branch, so this is either depending on an unmerged change from mozilla-central to jm, or a duplicate of a bug that has been fixed in jm already.
Comment 1 Christian Holler (:decoder) 2011-09-07 05:50:59 PDT
Test case no longer reproduces (tested on m-c revision 09935ede3c77), but the issue is not gone. Working on a new test right now.
Comment 2 Christian Holler (:decoder) 2011-09-07 06:02:38 PDT
New test case (tested on m-c revision 09935ede3c77 with options -m -n -a):

function X(n) {
    while ('' + (n--)) {
Comment 3 Brian Hackett (:bhackett) 2011-09-12 13:01:20 PDT
Loop registers assigned to variables must reflect the type of the variable at the head of a loop, but if a jump into the loop caused the known type of a variable to change we could still assign a register based on the new type, rather than the old type.
Comment 4 Brian Hackett (:bhackett) 2011-09-22 14:06:02 PDT
Comment 5 Christian Holler (:decoder) 2013-01-14 08:39:23 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug684824.js.
