Closed Bug 881461 Opened 11 years ago Closed 11 years ago

Assertion failure: index >= size_t(pcstack.depth()), at jsopcode.cpp

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla24

People

(Reporter: gkw, Assigned: jandem)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(3 files)

Attached file stack
for (var n = 0; n < 9;
({
    __proto__: z,
    set c(a) {}
}), ++n) {
    z = Proxy.create({}, (function(){}))
}

asserts js debug shell on m-c changeset 9115d8b717e1 with --baseline-eager --no-ion at Assertion failure: index >= size_t(pcstack.depth()), at jsopcode.cpp
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/005c4f452f1e
user:        Jan de Mooij
date:        Thu May 30 18:51:03 2013 +0200
summary:     Bug 876670 - Refactor object literal getter/setter bytecode and implement it in the baseline compiler. r=bhackett

This iteration took 333.675 seconds to run.
Blocks: 876670
Flags: needinfo?(jdemooij)
Attached patch Patch
Bleh, INITPROP_GETTER/SETTER and INITELEM_* have to leave the values on the stack for the decompiler.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #761347 - Flags: review?(bhackett1024)
Flags: needinfo?(jdemooij)
Attachment #761347 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/f9e6eb0d5239
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
http://www.jetsetter.com/?globalnav_referrer=women shows this assert on Windows, Linux aurora. mozregression shows nightly was fixed in the time frame this landed on m-c.

crashed opt about 5-10% of the time with bad dumps.

bp-5b8976c4-9125-47db-a80e-0cbe72130719
bp-cb2c513d-9105-4feb-abaf-cec7f2130719

Is this really fixed on aurora?
> Is this really fixed on aurora?

Supposedly, yes:

http://hg.mozilla.org/releases/mozilla-aurora/rev/f9e6eb0d5239 shows the patch in comment 4 landed on aurora. Perhaps you're seeing a different bug?
Attached file jetsetter stack
I saw that. The stack is 'similar' and definitely doesn't involve proxy... A saved version of the page doesn't reproduce unfortunately, so reducing it will be problematic.