[Chunk Patch] Assertion failure: lifetime && lifetime->head == uint32_t(head - outerScript->code) && lifetime->entry == uint32_t(entryTarget - outerScript->code), at methodjit/LoopState.cpp:111

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Other Branch
x86
Linux
assertion, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

6 years ago
The following test asserts on mozilla-central f3c943d2e763 with chunk patch (bug 706914) (options -m -n):


evaluate("mjitChunkLimit(5)");
expected = '1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,';
function slice(a, b) {
  return expected;
}
function f() {
  var length = 8.724e02 ;
  var index = 0;
  function get3() {
    return slice(index, ++index);
  }
  var bytes = null;
  while (bytes = get3()) {  }
}
f();
(Assignee)

Comment 1

6 years ago
When splitting a script into chunks, the lifetime analysis may not have been performed, which dropped loop information and ended up violating some invariants describing where chunk boundaries can occur around loops.  Fixed in the latest bug 706914 patch.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
(Reporter)

Comment 2

5 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/chunk/bug712267.js.
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.