Closed
Bug 741110
Opened 12 years ago
Closed 12 years ago
Assertion failure: lifetime && lifetime->head == uint32_t(head - outerScript->code) && lifetime->entry == uint32_t(entryTarget - outerScript->code), at methodjit/LoopState.cpp:111
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 781859
People
(Reporter: decoder, Assigned: Waldo)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: js-triage-needed [jsbugmon:update])
The following test asserts on mozilla-central revision 92fe907ddac8 (options -m -n -a):
mjitChunkLimit(10);
function e() {
try {
var t = undefined;
} catch (e) { }
while (t)
continue;
}
for (var i = 0; i < 20; i++)
e();
Making this s-s because there has been a previous bug with this assert that was s-s and mjit chunking bugs are likely to be s-s too.
|
||
Comment 1•12 years ago
|
||
Is this a regression from chunked compilation landing, or a later regression?
|
Reporter | |
Updated•12 years ago
|
Whiteboard: js-triage-needed → js-triage-needed [jsbugmon:update,reconfirm]
|
|
Reporter | |
Comment 2•12 years ago
|
||
JSBugMon: This bug has been automatically confirmed to be still valid (reproduced on revision e4f9e2eab6b1+).
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: js-triage-needed [jsbugmon:update,reconfirm] → js-triage-needed [jsbugmon:update,reconfirm,ignore]
|
|
Reporter | |
Comment 3•12 years ago
|
||
(In reply to David Mandelin from comment #1) > Is this a regression from chunked compilation landing, or a later regression? Regression from chunked compilation landing: The first bad revision is: changeset: 87165:3b8ad7252ccb user: Brian Hackett date: Sat Feb 18 08:52:04 2012 -0800 summary: Enable chunked compilation on x64, bug 728372. r=dvander
Keywords: regression
|
||
Updated•12 years ago
|
Assignee: general → bhackett1024
Blocks: 728372
status-firefox-esr10:
--- → unaffected
status-firefox14:
--- → affected
status-firefox15:
--- → affected
status-firefox16:
--- → affected
|
||
Comment 4•12 years ago
|
||
Another testcase found by jsfunfuzz:
mjitChunkLimit(42);
Function("\
switch (/x/) {\
case 8:\
break;\
t(function(){})\
}\
while (false)(function(){})\
")()
Tested on m-c changeset 3be950fe9e1e with -m, -n and -a.OS: Linux → All
|
|
||
Comment 5•12 years ago
|
||
Comment 4 (through autoBisect) points to bug 720316 as the regressing changeset instead, so I spun that testcase into bug 770089.
|
|
||
Comment 6•12 years ago
|
||
Testcases in comment 0 and comment 4 still assert with http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012-08-09-mozilla-central-debug/jsshell-mac64.zip
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: js-triage-needed [jsbugmon:update,reconfirm,ignore] → js-triage-needed [jsbugmon:update]
|
||
Comment 7•12 years ago
|
||
Brian, any updates here?
|
|
||
Updated•12 years ago
|
|
||
Comment 8•12 years ago
|
||
Assigning to Jeff to complete the bug trifecta.
Assignee: bhackett1024 → jwalden+bmo
|
||
Comment 9•12 years ago
|
||
Patches in bug 781859 fix this.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
|
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•