Bug 755639
Opened 13 years ago
Closed 13 years ago
"Assertion failure: L.isSet()" with gcPreserveCode()
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED FIXED
Target Milestone: mozilla15
| | Tracking | Status |
|---|---|---|
| firefox15 | - | --- |
People
(Reporter: jruderman, Assigned: bhackett1024)
Details
(Keywords: assertion, regression, testcase)
Attachments
(1 file)
779 bytes, patch; dvander: review+
./js -m -a -n
```js
function f(t)
{
    for (var i = 0; i < 1; ++i) {
        if (typeof(t) != "string") {
        }
    }
}
function m(d)
{
    if (d == 0)
        return "";
    f(m(d - 1));
}
m(1);
gcPreserveCode();
mjitChunkLimit(1);
gcslice(0);
m(1);
gc();
m(2);
```
Assertion failure: L.isSet(), at js/src/methodjit/Compiler.cpp:1408
Regression from:
https://hg.mozilla.org/mozilla-central/rev/fbff86190de6 (bug 750834)
This was a mix of fuzzer-generated code with the fuzzer itself. m() and f() are reduced from parts of jsfunfuzz.
Updated (Reporter) • 13 years ago
tracking-firefox15: --- → ?

Comment 1 (Assignee) • 13 years ago
Mmmm, gcPreserveCode() doesn't play well with mjitChunkLimit(). The latter needs to clear out old code so that the new chunk limit will be reflected in future compilations, but this behavior is prevented by the former. The fix watches for this case and throws in mjitChunkLimit().
Assignee: general → bhackett1024
Attachment #625419 -
Flags: review?(dvander)
Updated • 13 years ago
Attachment #625419 -
Flags: review?(dvander) → review+
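
The interaction described in comment 1, as a toy JavaScript model added here (it is not SpiderMonkey code and not part of the bug thread). The class, its fields and `replay()` are hypothetical names, and the stale-record check is a simplified stand-in for the inconsistency, not the engine's actual `L.isSet()` assertion.

```javascript
// Toy model, constructed for illustration; names are hypothetical, not SpiderMonkey's.
class ToyEngine {
  constructor({ guarded }) {
    this.guarded = guarded;      // true = behave like the fix in comment 1
    this.chunkLimit = 0;         // assumed default for this model
    this.preserveCode = false;
    this.codeCache = new Map();  // function name -> compiled-code record
  }
  // Compile on first call; later calls reuse the cached record, which
  // remembers the chunk limit it was compiled under.
  run(name) {
    if (!this.codeCache.has(name)) {
      this.codeCache.set(name, { name, compiledWithLimit: this.chunkLimit });
    }
    return this.codeCache.get(name);
  }
  gcPreserveCode() { this.preserveCode = true; }
  // Discarding compiled code is suppressed while code is preserved.
  discardCode() {
    if (!this.preserveCode) this.codeCache.clear();
  }
  mjitChunkLimit(limit) {
    if (this.guarded && this.preserveCode) {
      throw new Error("mjitChunkLimit: cannot change limit while code is preserved");
    }
    this.chunkLimit = limit;
    this.discardCode(); // needed so future compilations see the new limit
  }
  // Names of cached records compiled under a limit other than the current one.
  staleCode() {
    return [...this.codeCache.values()]
      .filter((c) => c.compiledWithLimit !== this.chunkLimit)
      .map((c) => c.name);
  }
}

// Same call order as the testcase: run, preserve code, change limit, run again.
function replay(guarded) {
  const e = new ToyEngine({ guarded });
  e.run("m");
  e.gcPreserveCode();
  let threw = false;
  try { e.mjitChunkLimit(1); } catch (_) { threw = true; }
  e.run("m");
  return { threw, stale: e.staleCode(), chunkLimit: e.chunkLimit };
}
```

`replay(false)` leaves a record for `m` compiled under the old limit in the cache, while `replay(true)` rejects the limit change up front so the cache and the setting stay consistent.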
Comment 2 (Assignee) • 13 years ago

Comment 3 • 13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
Comment 5 • 13 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+