Last Comment Bug 712267 - [Chunk Patch] Assertion failure: lifetime && lifetime->head == uint32_t(head - outerScript->code) && lifetime->entry == uint32_t(entryTarget - outerScript->code), at methodjit/LoopState.cpp:111
: [Chunk Patch] Assertion failure: lifetime && lifetime->head == uint32_t(head ...
Status: RESOLVED FIXED
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Other Branch
: x86 Linux
: -- critical (vote)
: ---
Assigned To: Brian Hackett (:bhackett)
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz 706914
  Show dependency treegraph
 
Reported: 2011-12-20 05:09 PST by Christian Holler (:decoder)
Modified: 2013-01-14 08:29 PST (History)
3 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Christian Holler (:decoder) 2011-12-20 05:09:05 PST
The following test asserts on mozilla-central f3c943d2e763 with chunk patch (bug 706914) (options -m -n):


evaluate("mjitChunkLimit(5)");
expected = '1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,';
function slice(a, b) {
  return expected;
}
function f() {
  var length = 8.724e02 ;
  var index = 0;
  function get3() {
    return slice(index, ++index);
  }
  var bytes = null;
  while (bytes = get3()) {  }
}
f();
Comment 1 Brian Hackett (:bhackett) 2011-12-21 08:31:06 PST
When splitting a script into chunks, the lifetime analysis may not have been performed, which dropped loop information and ended up violating some invariants describing where chunk boundaries can occur around loops.  Fixed in the latest bug 706914 patch.
Comment 2 Christian Holler (:decoder) 2013-01-14 08:29:34 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/chunk/bug712267.js.

Note You need to log in before you can comment on or make changes to this bug.