732759 - "Assertion failure: lifetime && lifetime->head == uint32_t(head - outerScript->code) && lifetime->entry == uint32_t(entryTarget - outerScript->code),"

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

mjitChunkLimit(26)
try {
    (function() {
        for (var a;;) {
            if (a % 1) {
                throw /x/
            } else {
                while ({}) {}
            }
        }
    })()
} catch (r) {}

asserts js debug shell on m-c changeset 343ec916dfd5 with -m and -n at Assertion failure: lifetime && lifetime->head == uint32_t(head - outerScript->code) && lifetime->entry == uint32_t(entryTarget - outerScript->code),

(not sure if the bisection is entirely right)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   85157:f8d4887aae8d
user:        Jeff Walden
date:        Thu Jan 19 17:15:24 2012 -0800
summary:     Bug 720316 - Convert RegExp indexes into uint32_t.  r=luke

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

WFM on m-c changeset 406113c400a9, probably fixed by bug 732776.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   88293:54226ef0199e
user:        Brian Hackett
date:        Mon Mar 05 12:45:14 2012 -0800
summary:     Ensure 'for' loops have a leading JSOP_NOP, bug 732776. r=dvander.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Erm, bug 732776 is s-s. This bug can be opened when that bug is opened.

Comment 3

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Bug 732776 is now opened up, so opening this one up.