Closed Bug 554580 Opened 15 years ago Closed 15 years ago

JM: Crash [@ js_CloseIterator] or (64-bit) Crash [@ js_Invoke] or (64-bit) Crash [@ js_PutBlockObject] or (64-bit) Crash [@ js::jsl_LeaveBlock] or "Assertion failure: what do i do, at ../methodjit/Stubs.cpp"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase) 

for (var a = 0; a < 7; ++a) {
    if (a == 1) {
        Iterator()
    }
}

assert js debug shell on JM tip with -m and -j at Assertion failure: what do i do, at ../methodjit/Stubs.cpp:3629
Awesome, I've been waiting for a test case on this.
(function() {
  for each(let a in [function() {}, Infinity]) {
    new Array(a)
  }
})()

crashes js opt shell with -m and -j on JM tip at js_CloseIterator

===

Function("\n\
  for (a = 0; a < 3; a++) {\n\
    if (a == 0) {} else {\n\
      __defineSetter__(\"\",1)\n\
    }\n\
  }\n\
")()

crashes js opt shell with -m and -j on JM tip at js_Invoke (64-bit only)

===

(function() {
  try {
    (eval("\
      function() {\
        for each(let y in [0]) {\
          for (var a = 0; a < 9; ++a) {\
            if (a) {\
              this.__defineGetter__(\"\",this)\
            }\
          }\
        }\
      }\
    "))()
  } catch(e) {}
})()

crashes js opt shell with -m and -j on JM tip at js_PutBlockObject (64-bit only)
Summary: JM: "Assertion failure: what do i do, at ../methodjit/Stubs.cpp" → JM: Crash [@ js_CloseIterator] or (64-bit) Crash [@ js_Invoke] or (64-bit) Crash [@ js_PutBlockObject] or "Assertion failure: what do i do, at ../methodjit/Stubs.cpp"
(function() {
  (function g(m, n) {
    if (m = n) {
      return eval("x=this")
    }
    g(m, 1)[[]]
  })()
})()
Function("\
  for (let b in [0]) {\
    for (var k = 0; k < 6; ++k) {\
      if (k == 1) {\
        print(x)\
      }\
    }\
  }\
")()

crashes js opt shell with -m and -j on JM tip at js::jsl_LeaveBlock (64-bit)
OS: Linux → All
Hardware: x86 → All
Summary: JM: Crash [@ js_CloseIterator] or (64-bit) Crash [@ js_Invoke] or (64-bit) Crash [@ js_PutBlockObject] or "Assertion failure: what do i do, at ../methodjit/Stubs.cpp" → JM: Crash [@ js_CloseIterator] or (64-bit) Crash [@ js_Invoke] or (64-bit) Crash [@ js_PutBlockObject] or (64-bit) Crash [@ js::jsl_LeaveBlock] or "Assertion failure: what do i do, at ../methodjit/Stubs.cpp"
Awesome test cases. I think this patch covers everything, and closes the last major TODO of tracer integration.

http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/d8ed909484f2

Test cases pushed with follow-up commits.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug554580-4.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.