Bug 684824 - Assertion failure: !a->analysis->trackSlot(entrySlot(fe)), at methodjit/FrameState.cpp:801
Status: RESOLVED FIXED
Whiteboard: fixed-in-jaegermonkey
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Hardware: x86_64 Linux
Importance: -- critical
Target Milestone: ---
Assigned To: general
Mentors:
Depends on:
Blocks: langfuzz
Reported: 2011-09-06 04:51 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:39 PST
Flags: choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Christian Holler (:decoder) 2011-09-06 04:51:11 PDT
The following test crashes on mozilla-central revision fc78ee766770 (options -m -n -a):

function g(b) {
  // Called without an argument below, so b is undefined: b++ coerces it to
  // NaN, which is falsy, and the loop exits on its first test.
  for (var i = 0; b++; ++i) {  }
}
function f(xa_arg) {
  // xa_arg is never passed on, so g() always sees b === undefined.
  for (var i = 0; i < 5; ++i) {
    g();
  }
}
f([ 0, 1, (0x80000005), 3, 4 ]);


Note that I cannot reproduce this on the jaegermonkey branch, so this is either depending on an unmerged change from mozilla-central to jm, or a duplicate of a bug that has been fixed in jm already.
Comment 1 Christian Holler (:decoder) 2011-09-07 05:50:59 PDT
Test case no longer reproduces (tested on m-c revision 09935ede3c77), but the issue is not gone. Working on a new test right now.
Comment 2 Christian Holler (:decoder) 2011-09-07 06:02:38 PDT
New test case (tested on m-c revision 09935ede3c77 with options -m -n -a):


function X(n) {
    // Called with no argument: n is undefined, n-- yields NaN, and '' + NaN is
    // the non-empty (truthy) string "NaN", so the body runs once and breaks.
    while ('' + (n--)) {
        break;
    }
}
X();
Comment 3 Brian Hackett (:bhackett) 2011-09-12 13:01:20 PDT
Loop registers assigned to variables must reflect the type of the variable at the head of a loop, but if a jump into the loop caused the known type of a variable to change we could still assign a register based on the new type, rather than the old type.

http://hg.mozilla.org/projects/jaegermonkey/rev/19ed9da5789d
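An illustration added here by the editor, not code from the bug, its testcases or the fix, of the situation comment 3 describes: the type a loop variable has when control reaches the loop head can differ from the type it had before the loop. Both testcases omit the argument, so the variable enters the loop as undefined and the ++/-- coercion in the loop condition turns it into a double (NaN) before the next arrival at the head. The two functions below are hypothetical (named here, not SpiderMonkey code) and record `typeof` on each trip through the loop head; a current engine runs them without crashing, they only make visible the type merge a JIT must account for when choosing a loop register. The trip guards (`maxTrips`, `i >= 2`) are assumptions added so that numeric arguments also terminate.

```javascript
// Added illustration (hypothetical functions, not from SpiderMonkey or the
// bug's testcases): log the type of a loop variable each time control reaches
// the loop head, for the two loop shapes in this bug's testcases.

// Shape from comment 2: `while ('' + (n--)) { ... }`.
// Returns the typeof observed at the loop head on each trip.
function whileHeadTypes(n, maxTrips) {
  var atHead = [];
  for (var trips = 0; trips < maxTrips; ++trips) {
    atHead.push(typeof n);            // what the loop head observes this trip
    // Same condition as the testcase: n-- coerces n (undefined -> NaN on the
    // first trip), and '' + NaN is the non-empty string "NaN", so this test
    // never fails; maxTrips (an assumption) is what ends the loop.
    if (!('' + (n--))) break;
  }
  return atHead;
}

// Shape from comment 0: `for (var i = 0; b++; ++i) {}`.
// Returns the typeof observed at the loop head on each trip, plus final b and i.
function forHeadTypes(b) {
  var atHead = [];
  var i;
  for (i = 0; ; ++i) {
    atHead.push(typeof b);
    // Testcase condition: b++ evaluates to ToNumber(old b). With b undefined
    // that is NaN, which is falsy, so the loop exits on the first test while
    // b itself has already become a double.
    if (!(b++)) break;
    if (i >= 2) break;                // assumed guard so a numeric b terminates
  }
  return { atHead: atHead, b: b, i: i };
}

// Usage: argument omitted, as in the testcases, versus a numeric argument.
whileHeadTypes(undefined, 3);   // ["undefined", "number", "number"]
whileHeadTypes(5, 3);           // ["number", "number", "number"]
forHeadTypes(undefined);        // atHead ["undefined"], b NaN, i 0
forHeadTypes(1);                // atHead ["number", "number", "number"], b 4, i 2
```

With the argument omitted, the first arrival at the head sees `undefined` and every later one sees `number`; with a numeric argument the head sees `number` throughout. A loop register chosen from the type observed after the entry jump (the coerced double) rather than the type at the head would be wrong on the very first trip, which is the mismatch the assertion in FrameState.cpp caught.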
Comment 4 Brian Hackett (:bhackett) 2011-09-22 14:06:02 PDT
https://hg.mozilla.org/mozilla-central/rev/c943bbf9dac4
Comment 5 Christian Holler (:decoder) 2013-01-14 08:39:23 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug684824.js.