Closed Bug 707384 Opened 14 years ago Closed 14 years ago

TI: "Assertion failure: getCode(offset).loop," with trap

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla11

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: js-triage-needed)

Attachments

(2 files)

stack with dis() information
5.41 KB, text/plain
Details
patch
2.16 KB, patch
dvander
: review+
Details | Diff | Splinter Review
function f() { do { return } while (e) } dis(f) trap(f, 1, '') f() asserts js debug shell on m-c changeset 6180c68bffbf with -m, -a, -n and -d at Assertion failure: getCode(offset).loop,
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 81128:d32ccb2b8a05 user: Brian Hackett date: Thu Dec 01 15:13:51 2011 -0800 summary: Remove JSOP_NOTRACE, rename JSOP_TRACE -> JSOP_LOOPHEAD, bug 706611. r=dvander
Blocks: 706611
Attached patch patchSplinter Review
One of the test changes in bug 706611 was incorrect, the compiler needs to check that a loop head has a reachable backedge before compiling it as a loop.
Assignee: general → bhackett1024
Attachment #579856 - Flags: review?(dvander)
Attachment #579856 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/7769ec8647b9
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug707384.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: