Closed Bug 752379 Opened 12 years ago Closed 12 years ago

Assertion failure: regs.fp()->prev() == regs_->fp(), at js/src/vm/Stack.cpp:339 or Crash [@ CrashIfInvalidSlot]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla15

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [js:p1:fx15])

Crash Data

Attachments

(1 file)

The following test crashes on mozilla-central revision 032d43b1770f (options -m -n -a):


var lfcode = new Array();
lfcode.push("");
lfcode.push("test();");
while (true) {
        var file = lfcode.shift(); if (file == undefined) { break; }
        loadFile(file);
}
function loadFile(lfVarx) {
        evaluate(lfVarx);
}



The test is very similar to bug 728191 (same assertion, but doesn't reproduce anymore), so it's likely the same underlying issue.
Attached patch: fix and test
ContextStack::pushExecuteFrame is sampling 'fp' before ensureOnTop flushes inlined frames which means that it doesn't get the most recent 'fp'.
Attachment #621625 - Flags: review?(bhackett1024)
Whiteboard: js-triage-needed → js-triage-done
Whiteboard: js-triage-done → [js:p1:fx15]
Whiteboard: [js:p1:fx15] → [js:p1:fx15][js:ni]
Attachment #621625 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/b6ce79884966
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [js:p1:fx15][js:ni] → [js:p1:fx15]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug752379.js.
Flags: in-testsuite+
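The ordering problem described in the patch comment, as an added C++ model that is not SpiderMonkey code and not part of the original bug thread. `ModelStack`, `pendingInlined`, `pushWithPrev` and the `pushExecuteFrameStale`/`pushExecuteFrameFresh` pair are hypothetical names; only the order of the `fp` read relative to `ensureOnTop` is taken from the comment.

```cpp
#include <deque>

// Simplified model (assumption): a frame only records its caller.
struct Frame { Frame* prev; };

struct ModelStack {
    std::deque<Frame> frames;  // deque keeps element pointers valid on push_back
    Frame* fp = nullptr;       // current frame pointer, standing in for regs.fp()
    int pendingInlined = 0;    // inlined calls that have no real frame yet

    void push(Frame* prev) { frames.push_back(Frame{prev}); fp = &frames.back(); }

    // Models ensureOnTop: materialize the inlined frames, which moves fp.
    void ensureOnTop() {
        while (pendingInlined > 0) { push(fp); --pendingInlined; }
    }

    // Pushes a frame and reports whether the asserted invariant held:
    // the new frame's prev must be the frame that was on top before the push.
    bool pushWithPrev(Frame* prev) {
        Frame* top = fp;
        push(prev);
        return fp->prev == top;
    }

    // Ordering described in the bug: fp is read before the flush.
    bool pushExecuteFrameStale() {
        Frame* sampled = fp;   // becomes stale if ensureOnTop() adds frames
        ensureOnTop();
        return pushWithPrev(sampled);
    }

    // Corrected ordering: flush first, then read fp.
    bool pushExecuteFrameFresh() {
        ensureOnTop();
        return pushWithPrev(fp);
    }
};

// Builds a stack with one real frame plus `inlined` pending inlined calls
// (constructed input) and returns whether the invariant held.
bool invariantHolds(bool fixedOrder, int inlined) {
    ModelStack s;
    s.push(nullptr);
    s.pendingInlined = inlined;
    return fixedOrder ? s.pushExecuteFrameFresh() : s.pushExecuteFrameStale();
}
```

With no pending inlined frames both orderings satisfy the invariant, which is why the stale read only shows up when inlining is active.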