Closed Bug 657984 Opened 13 years ago Closed 13 years ago

TI: "Assertion failure: JSOp(*iterpc) == JSOP_ITER," or "Assertion failure: nop == JSOP_TRACE || nop == JSOP_NOTRACE," with trap

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file dis() information, and stack (deleted) —
function f(){ for(y in x); }
dis(f)
trap(f, 5, '')
f()

asserts js debug shell on JM changeset 5d1cbc94bc42 with -d, -a and -n at Assertion failure: JSOp(*iterpc) == JSOP_ITER,

Setting the third line to:

trap(f, 10, '')

results in a different assert:

Assertion failure: nop == JSOP_TRACE || nop == JSOP_NOTRACE,

(gdb) bt
#0 0xf7fdf430 in __kernel_vsyscall ()
#1 0xf7fb5ba0 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2 0x081ff2a9 in JS_Assert (s=0x8461f04 "nop == JSOP_TRACE || nop == JSOP_NOTRACE", file=0x8461c50 "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsanalyze.cpp", ln=914) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsutil.cpp:89
#3 0x0837d2e9 in js::analyze::ScriptAnalysis::analyzeLifetimes (this=0x85298f8, cx=0x84eb1b8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsanalyze.cpp:914
#4 0x0837d760 in js::analyze::ScriptAnalysis::analyzeSSA (this=0x85298f8, cx=0x84eb1b8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsanalyze.cpp:1175
#5 0x0811770a in js::analyze::ScriptAnalysis::analyzeTypes (this=0x85298f8, cx=0x84eb1b8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsinfer.cpp:3699
#6 0x0811cf50 in JSScript::typeSetThis (this=0x852aa88, cx=0x84eb1b8, type=1) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsinferinlines.h:704
#7 0x0811225a in js::types::TypeCompartment::dynamicCall (this=0x84ebb58, cx=0x84eb1b8, callee=0xf750d1e0, args=..., constructing=false) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsinfer.cpp:1780
#8 0x0812cb17 in JSContext::typeMonitorCall (this=0x84eb1b8, args=..., constructing=false) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsinferinlines.h:483
#9 0x0839f302 in js::Interpret (cx=0x84eb1b8, entryFrame=0xf76e4030, inlineCallCount=0, interpMode=js::JSINTERP_NORMAL) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69789-5d1cbc94bc42/compilePath/js/src/jsinterp.cpp:4682
/snip
Summary: TI: "Assertion failure: JSOp(*iterpc) == JSOP_ITER," with trap → TI: "Assertion failure: JSOp(*iterpc) == JSOP_ITER," or "Assertion failure: nop == JSOP_TRACE || nop == JSOP_NOTRACE," with trap
Fixed as part of bug 657975; both of these asserts are bogus.
http://hg.mozilla.org/projects/jaegermonkey/rev/176ee6b37ad0
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED