Closed
Bug 549393
Opened 15 years ago
Closed 15 years ago
TM: "Assertion failure: disp == ((base == lirbuf->sp) ? nativespOffset(p) : nativeGlobalOffset(p)), at ../jstracer.cpp"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase)
Attachments
(1 file, 1 obsolete file)
|
(deleted),
patch
|
Details | Diff | Splinter Review |
function start() {
MAX_TOTAL_TIME = startTime = new Date
do {
if (rnd(0)) return (a[rnd()])()
lastTime = new Date
} while ( lastTime - startTime < MAX_TOTAL_TIME )
}
function MersenneTwister19937() {
this.init_genrand = function() {
for (mti = 1; mti < 4; mti++) {
Array[mti] = 1
}
};
this.genrand_int32 = function() {
if (mti > 4) {
mti = 0
}
return Array[mti++];
}
} (function() {
fuzzMT = new MersenneTwister19937;
fuzzMT.init_genrand()
rnd = function() {
return Math.floor(fuzzMT.genrand_int32())
}
} ())
function weighted(wa) {
a = []
for (i = 0; i < wa.length; ++i) {
for (var j = 0; j < 8; ++j) {
a.push(wa[i].fun)
}
}
}
statementMakers = weighted([{
fun: function makeMixedTypeArray() { [[, , , , , , , , , , , , , , , , , , , , , , , , ""][(a[rnd()])()]]}
}])
start()
Using JM repository rev 2e244af372f2 ( http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/2e244af372f2 ), this asserts in Assertion failure: disp == ((base == lirbuf->sp) ? nativespOffset(p) : nativeGlobalOffset(p)), at ../jstracer.cpp:3643
This occurs only with -j and only in JM repository. dvander indicates Luke might be testing something there, so might not be methodJIT-related...
|
Reporter | |
Comment 1•15 years ago
|
||
Seems to be related to the patch in bug 540706...
Blocks: 540706
Summary: JM: "Assertion failure: disp == ((base == lirbuf->sp) ? nativespOffset(p) : nativeGlobalOffset(p)), at ../jstracer.cpp" → TM: "Assertion failure: disp == ((base == lirbuf->sp) ? nativespOffset(p) : nativeGlobalOffset(p)), at ../jstracer.cpp"
|
|
||
Comment 2•15 years ago
|
||
I tested with just the bug 540706 patch applied, with no assert. Will have to investigate further with David.
|
||
Updated•15 years ago
|
Blocks: JaegerFuzz
|
|
||
Updated•15 years ago
|
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 5•15 years ago
|
||
Not yet completely fixed on JM:
(function () {
for (var q = 0; q < 6; ++q) {
x: (function () {
var m = (function () {})()
})([0, , 0, 0, 0, , 0, 0, 0, , 0, 0, 0, , 0, 0, 0, 0, 0, 0, Number(1)])
}
})()
asserts js debug shell with -j on JM rev 51898db0bbc9 at Assertion failure: disp == ((base == lirbuf->sp) ? nativespOffset(p) : nativeGlobalOffset(p)), at ../jstracer.cpp:3643Status: RESOLVED → REOPENED
Resolution: FIXED → ---
http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/1583ef6e7c4e
Attachment #429632 -
Attachment is obsolete: true
|
|
||
Updated•15 years ago
|
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → FIXED
|
||
Comment 7•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug549393-1.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•