Assertion failure: !a->analysis->trackSlot(entrySlot(fe)), at methodjit/FrameState.cpp:801

RESOLVED FIXED

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
x86_64
Linux
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-jaegermonkey)

(Reporter)

Description

6 years ago
The following test crashes on mozilla-central revision fc78ee766770 (options -m -n -a):

function g(b) {
  for (var i = 0; b++; ++i) {  }
}
function f(xa_arg) {
  for (var i = 0; i < 5; ++i) {
    g();
  }
}
f([ 0, 1, (0x80000005), 3, 4 ]);


Note that I cannot reproduce this on the jaegermonkey branch, so this is either depending on an unmerged change from mozilla-central to jm, or a duplicate of a bug that has been fixed in jm already.
(Reporter)

Comment 1

6 years ago
Test case no longer reproduces (tested on m-c revision 09935ede3c77), but the issue is not gone. Working on a new test right now.
(Reporter)

Comment 2

6 years ago
New test case (tested on m-c revision 09935ede3c77 with options -m -n -a):


function X(n) {
    while ('' + (n--)) {
        break;
    }
}
X();

Loop registers assigned to variables must reflect the type of the variable at the head of a loop, but if a jump into the loop caused the known type of a variable to change we could still assign a register based on the new type, rather than the old type.

http://hg.mozilla.org/projects/jaegermonkey/rev/19ed9da5789d
Whiteboard: js-triage-needed → fixed-in-jaegermonkey
https://hg.mozilla.org/mozilla-central/rev/c943bbf9dac4
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
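
The two test cases above both call a function without its argument, so the loop variable starts as undefined and becomes a number (NaN) the first time the loop condition runs. The following is an added illustration, not part of the bug report or the Mozilla patch, that records that type change using plain JavaScript semantics; the names traceG, traceX and typesSeen are hypothetical.

```javascript
// Added illustration; traceG, traceX and typesSeen are hypothetical names.
// Each function mirrors one test case from the report and records typeof the
// loop variable on entry and after every evaluation of the loop condition.

function traceG(b) {
  const trace = [{ at: 'entry', type: typeof b }];
  for (var i = 0; ; ++i) {
    const cond = b++;                 // same condition as the first test case
    trace.push({ at: 'condition', type: typeof b });
    if (!cond) break;                 // a falsy condition ends the loop
  }
  return trace;
}

function traceX(n) {
  const trace = [{ at: 'entry', type: typeof n }];
  while (true) {
    const cond = '' + (n--);          // same condition as the second test case
    trace.push({ at: 'condition', type: typeof n, cond });
    if (!cond) break;
    trace.push({ at: 'body', type: typeof n });
    break;                            // the original loop body is just `break`
  }
  return trace;
}

// Distinct types observed, in order of first appearance.
function typesSeen(trace) {
  return [...new Set(trace.map((step) => step.type))];
}

console.log(typesSeen(traceG()));     // argument omitted, as in the report
console.log(typesSeen(traceG(-2)));   // constructed input: type stays stable
console.log(traceX());
```

With the argument omitted, the variable has one type on the entry edge and another once the condition has executed, which is the situation the fix comment describes.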
(Reporter)

Comment 5

4 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug684824.js.
Flags: in-testsuite+