Bug 690645 (Closed)
Opened 13 years ago
Closed 13 years ago
"Assertion failure: pc_ >= script->code && pc_ < script->code + script->length," with trap
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, mozilla10
People: Reporter: gkw, Assigned: luke
Details: Keywords: assertion, testcase; Whiteboard: js-triage-done
Attachments (2 files):
- 104.76 KB, text/plain
- 25.41 KB, patch, Waldo: review+
function f() {
  default xml namespace = Proxy.createFunction(function() {
    return { get: Namespace, };
  }(), Array.isArray);
}
dis(f)
trap(f, 0, '')
f()

asserts 32-bit js debug shell on JM changeset 44ef245b8706 and m-c changeset db9e99d537f2 with -m, -a and -d at

Assertion failure: pc_ >= script->code && pc_ < script->code + script->length,

flags: HEAVYWEIGHT
loc     op
-----   --
main:
00000:  getgname "Proxy"   <-- trap goes here
00003:  callprop "createFunction"
00006:  lambda (function () {return {get: Namespace};})
00009:  nullblockchain
00010:  push
00011:  call 0
00014:  getgname "Array"
00017:  getprop "isArray"
00020:  call 2
00023:  defxmlns
00024:  stop

Source notes:
 ofs  line   pc  delta desc     args
---- ---- ----- ------ -------- ------
  0:    1     0 [   0] newline
  1:    2     0 [   0] newline
  2:    3     3 [   3] pcbase   offset 3
  4:    3    11 [   8] xdelta
  5:    3    11 [   0] pcbase   offset 5
  7:    3    14 [   3] setline  lineno 7
  9:    7    17 [   3] pcbase   offset 3
 11:    7    20 [   3] pcbase   offset 20
Comment 1 • 13 years ago (Assignee)
AutoScriptUntrapper is again repointing script->code so that it is incoherent with cx->regs->pc. That's it, I'm just going to change it to just mutate the bytecode in-place.
Assignee: general → luke
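The incoherence comment 1 describes, modelled in C as an added example (this is a constructed model, not SpiderMonkey's own code): a trap is set at offset 0, the interpreter's pc sits on that trapped instruction, and the untrap step either repoints script->code at a patched copy of the bytecode (the pattern comment 1 complains about, which leaves pc pointing into the old buffer and breaks the invariant the assertion checks) or restores the original opcode in place (the fix comment 1 proposes). The Script and Regs structs, the JSOP_TRAP value and the bytecode bytes are all assumptions made for the example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a script and the interpreter registers. The field names
 * follow the assertion in the bug title, but this is a constructed example,
 * not SpiderMonkey's own code. */
typedef uint8_t jsbytecode;

#define JSOP_TRAP 0xFF /* constructed opcode value standing in for the trap op */

struct Script {
    jsbytecode *code;   /* the bytecode buffer the interpreter runs from */
    size_t length;
};

struct Regs {
    jsbytecode *pc;     /* current instruction; must point into script->code */
};

/* The invariant the assertion checks: script->code <= pc < script->code + length.
 * Compared as integers so the check is well defined even when pc points into a
 * different allocation, which is exactly the failure case. */
static bool pc_in_script(const struct Regs *regs, const struct Script *script)
{
    uintptr_t pc = (uintptr_t)regs->pc;
    uintptr_t lo = (uintptr_t)script->code;
    uintptr_t hi = lo + script->length;
    return pc >= lo && pc < hi;
}

/* Set a trap at 'off' the way a debugger would: remember the original opcode
 * and overwrite it with JSOP_TRAP. Returns the original opcode. */
static jsbytecode set_trap(struct Script *script, size_t off)
{
    jsbytecode orig = script->code[off];
    script->code[off] = JSOP_TRAP;
    return orig;
}

/* Buggy pattern from comment 1: untrap by building a patched copy of the
 * bytecode and repointing script->code at it. Any pc computed against the old
 * buffer now lies outside script->code. Returns the old buffer to the caller. */
static jsbytecode *untrap_by_copy(struct Script *script, size_t off, jsbytecode orig)
{
    jsbytecode *copy = malloc(script->length);
    if (!copy)
        abort();
    memcpy(copy, script->code, script->length);
    copy[off] = orig;
    jsbytecode *old = script->code;
    script->code = copy;
    return old;
}

/* The fix: restore the original opcode in place. The buffer identity never
 * changes, so every pc that points into it stays coherent. */
static void untrap_in_place(struct Script *script, size_t off, jsbytecode orig)
{
    script->code[off] = orig;
}

/* Replays the scenario from the bug: trap at offset 0, interpreter pc sitting on
 * the trapped instruction, then untrap with one of the two strategies.
 * Returns whether the pc invariant still holds afterwards. */
bool pc_coherent_after_untrap(bool in_place)
{
    const jsbytecode program[] = { 0x10, 0x20, 0x30, 0x40 }; /* constructed bytes */
    struct Script script = { malloc(sizeof program), sizeof program };
    if (!script.code)
        abort();
    memcpy(script.code, program, sizeof program);

    struct Regs regs = { script.code };            /* pc at offset 0 */
    jsbytecode orig = set_trap(&script, 0);
    assert(script.code[0] == JSOP_TRAP && pc_in_script(&regs, &script));

    bool coherent;
    if (in_place) {
        untrap_in_place(&script, 0, orig);
        coherent = pc_in_script(&regs, &script) && *regs.pc == orig;
    } else {
        jsbytecode *old = untrap_by_copy(&script, 0, orig);
        coherent = pc_in_script(&regs, &script); /* false: pc still points into 'old' */
        free(old);
    }
    free(script.code);
    return coherent;
}

int main(void)
{
    printf("untrap by copy:  pc coherent = %s\n",
           pc_coherent_after_untrap(false) ? "yes" : "no");
    printf("untrap in place: pc coherent = %s\n",
           pc_coherent_after_untrap(true) ? "yes" : "no");
    return 0;
}
```

The copy-based untrap is the shape of the defect: nothing in the copy is wrong, but every cached pointer into the old buffer (here regs.pc) silently becomes a dangling reference to a buffer the script no longer owns, and the range assertion is what catches it. Mutating in place keeps the single source of truth for pc comparisons.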
Comment 2 • 13 years ago (Assignee)
That was surprisingly easy. While I was touching the code I un-goto-ified things and moved decls inward.
Attachment #563768 - Flags: review?(jwalden+bmo)
Updated • 13 years ago (Assignee)
Whiteboard: js-triage-needed → js-triage-done
Comment 3 • 13 years ago
Comment on attachment 563768 [details] [diff] [review]
make AutoScriptUntrapper work in-place, tidy up

Review of attachment 563768 [details] [diff] [review]:
-----------------------------------------------------------------

I wish the declaration-moving stuff had been in a separate patch; most of it looked like it wasn't necessary to the trap-rewriting part. :-\

::: js/src/jsopcode.cpp
@@ +487,1 @@
> switch (type) {

You can do |switch (uint32 type = ...)| here, right?
Attachment #563768 - Flags: review?(jwalden+bmo) → review+
Comment 4 • 13 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/76f63c5d3b76
Target Milestone: --- → mozilla10
Comment 5 • 13 years ago (Assignee)
(In reply to Jeff Walden (remove +bmo to email) from comment #3)
> I wish the declaration-moving stuff had been in a separate patch; most of it
> looked like it wasn't necessary to the trap-rewriting part. :-\

Yeah, sorry. I only realized that afterwards...
Comment 6 • 13 years ago
https://hg.mozilla.org/mozilla-central/rev/76f63c5d3b76
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED