Closed Bug 797163 Opened 11 years ago Closed 11 years ago

"Assertion failure: lifetime->entry == uint32_t(entryTarget - outerScript->code),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox15 --- wontfix
firefox16 --- wontfix
firefox17 + verified
firefox18 + verified
firefox19 + verified
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: jandem)

References

Details

(Keywords: assertion, sec-critical, testcase, Whiteboard: Fixed by patch in bug 781859 [jsbugmon:update,ignore][adv-track-main17+])

Attachments

(1 file)

stack
7.20 KB, text/plain
Details
Attached file stack 
function f() {
  switch (2) {
  default:
    y = newGlobal()
  }
  return function(code) {
    try {
      evalcx(code, y)
    } catch (e) {}
  }
}
function h(code) {
  g(code)
}
g = f()
mjitChunkLimit(1)
h("let x=s")
h("switch(x){\
  case 2:break;\
  b;\
  default:while(this){}\
}")

asserts js debug shell on m-c changeset 640a57ebab48 without any CLI arguments at Assertion failure: lifetime->entry == uint32_t(entryTarget - outerScript->code),

s-s because bug 781859 is s-s, also adapting flags from that bug.

This is likely fixed by the upcoming patch in bug 781859, filing to (hopefully) get this testcase in the tree.
Flags: in-testsuite?
Depends on: 781859
Whiteboard: [jsbugmon:update] → [jsbugmon:update] possibly will be fixed by patch in bug 781859
Assignee: general → jdemooij
Assignee: jdemooij → general
status-firefox19: --- → affected
Assignee: general → jdemooij
status-firefox16: affectedwontfix
tracking-firefox17: --- → +
tracking-firefox18: --- → +
tracking-firefox19: --- → +
Whiteboard: [jsbugmon:update] possibly will be fixed by patch in bug 781859 → possibly will be fixed by patch in bug 781859 [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 93cc1ee94291).
Whiteboard: possibly will be fixed by patch in bug 781859 [jsbugmon:update,ignore] → possibly will be fixed by patch in bug 781859 [jsbugmon:update,bisectfix]
Whiteboard: possibly will be fixed by patch in bug 781859 [jsbugmon:update,bisectfix] → possibly will be fixed by patch in bug 781859 [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 93cc1ee94291).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   111150:0d60a2c574f4
user:        Brian Hackett
date:        Tue Oct 23 07:45:34 2012 -0700
summary:     Don't get confused by unreachable opcodes before loop headers when picking chunk boundaries, bug 781859. r=jandem

This iteration took 204.724 seconds to run.
Highly likely fixed by bug 781859.
status-firefox19: affectedfixed
Whiteboard: possibly will be fixed by patch in bug 781859 [jsbugmon:update,ignore] → Fixed by patch in bug 781859 [jsbugmon:update,ignore]
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Matt - can you verify this is fixed in FF17/18 as well? Thanks!
Keywords: qawanted
QA Contact: general → mwobensmith
Keywords: qawantedverifyme
Confirmed assertion on build 2012-10-2, nightly
Verified fixed on build 2012-11-6, nightly
Verified fixed on build 2012-11-6, Aurora 18
Verified fixed on build 2012-11-6, Beta 17
Whiteboard: Fixed by patch in bug 781859 [jsbugmon:update,ignore] → Fixed by patch in bug 781859 [jsbugmon:update,ignore][adv-track-main17+]
Group: core-security
Bug 781859 already has a test, not taking this one.
Flags: in-testsuite? → in-testsuite-
You need to log in before you can comment on or make changes to this bug.