Closed Bug 678090 Opened 13 years ago Closed 13 years ago

Assertion failure: spoff == js_ReconstructStackDepth(cx_, fp_->script(), pc_), at vm/Stack.cpp:1012

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla9

People

(Reporter: decoder, Assigned: luke)

Details

(Keywords: assertion, testcase, Whiteboard: [js-triage-done][inbound])

Attachments

(1 file)

fix and test
1.74 KB, patch
dvander
: review+
Details | Diff | Splinter Review 
The following code asserts on mozilla-inbound (revision 609f37c36bd7, options -j -m -a):


function toSource(arr) {
  for (i=0; i<len; i++) {}
}
test();
function test() {
  function gen() {
    var c = test;
    try {
      yield c;
    } finally {
      this.toSource();
    }
  }
  var iter = gen();
  for (i in iter) {
    500();
  }
}
Assignee: general → luke
Whiteboard: js-triage-needed → js-triage-done
Attached patch fix and testSplinter Review 
Looks like there is a bug where the mjit's exception handling doesn't update the current pc to match the updated sp when closing open iterators (which is observable since this can run finalizers).  I suspect this is debug-only failure; I can't think of how it would manifest a real problem.
Attachment #552545 - Flags: review?(dvander)
Attachment #552545 - Flags: review?(dvander) → review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/5bbc3615e387
Whiteboard: js-triage-done → [js-triage-done][inbound]
http://hg.mozilla.org/mozilla-central/rev/5bbc3615e387

the bug number in the changeset is wrong
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla9
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: