Bug 755639 - "Assertion failure: L.isSet()" with gcPreserveCode()
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Mac OS X
Importance: -- critical
Target Milestone: mozilla15
Assigned To: Brian Hackett (:bhackett)
QA Contact: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz 750834
Reported: 2012-05-16 00:19 PDT by Jesse Ruderman
Modified: 2013-01-19 14:02 PST
choller: in‑testsuite+

patch (779 bytes, patch)
2012-05-19 09:27 PDT, Brian Hackett (:bhackett)
dvander: review+

Description Jesse Ruderman 2012-05-16 00:19:02 PDT
./js -m -a -n

function f(t)
{
    for (var i = 0; i < 1; ++i) {
        if (typeof(t) != "string") {
        }
    }
}

function m(d)
{
    if (d == 0)
        return "";
    f(m(d - 1));
}

Assertion failure: L.isSet(), at js/src/methodjit/Compiler.cpp:1408

Regression from: (bug 750834)

This was a mix of fuzzer-generated code with the fuzzer itself. m() and f() are reduced from parts of jsfunfuzz.
Comment 1 Brian Hackett (:bhackett) 2012-05-19 09:27:31 PDT
Created attachment 625419

Mmmm, gcPreserveCode() doesn't play well with mjitChunkLimit().  The latter needs to clear out old code so that the new chunk limit will be reflected in future compilations, but this behavior is prevented by the former.  The fix watches for this case and throws in mjitChunkLimit().
Comment 2 Brian Hackett (:bhackett) 2012-05-21 20:34:56 PDT
Comment 3 Ed Morley [:emorley] 2012-05-22 05:05:33 PDT
Comment 4 Lukas Blakk [:lsblakk] use ?needinfo 2012-05-23 16:21:39 PDT
Fixed on 15, no need to track.
Comment 5 Christian Holler (:decoder) 2013-01-19 14:02:53 PST
Automatically extracted testcase for this bug was committed:
