Closed Bug 1064844 Opened 10 years ago Closed 10 years ago

Assertion failure: baselineFrame->hasReturnValue(), at jit/IonFrames.cpp:480

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla35

Tracking Flags:

Tracking

Status

firefox35

---

affected

People

(Reporter: decoder, Assigned: shu)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(2 files)

[crash-signature] Machine-readable crash signature 10 years ago Christian Holler (:decoder) 636 bytes, text/plain		Details
Only restore propagatingForcedReturn state in AutoSaveExceptionState if there isn't a new error. 10 years ago Shu-yu Guo [:shu] 1.19 KB, patch	jorendorff : review+	Details \| Diff \| Splinter Review

Christian Holler (:decoder)

Reporter

Description

•

10 years ago

The following testcase asserts on mozilla-central revision 6b8da5940f74 (run with --no-threads --fuzzing-safe):


var lfcode = new Array();
lfcode.push = loadFile;
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("\
function testResumptionVal(resumptionVal, turnOffDebugMode) {\
  var g = newGlobal();\
  var dbg = new Debugger;\
  setInterruptCallback(function () {\
    dbg.addDebuggee(g);\
    var frame = dbg.getNewestFrame();\
    frame.onStep = function () {\
      return resumptionVal;\
    };\
    return true;\
  });\
    return g.eval(\"(\" + function f() {\
      invokeInterruptCallback(function (interruptRv) {\
        assertEq(interruptRv, TypedObject.newGlobal == undefined);\
      });\
    } + \")();\");\
}\
assertEq(testResumptionVal({ return: \"not 42\" }), \"not 42\");\
");
function loadFile(lfVarx) {
    try {
        eval("(function() { " + lfVarx + " })();"); 
    } catch (lfVare) { }
}

Christian Holler (:decoder)

Reporter

Comment 1

•

10 years ago

Attached file [crash-signature] Machine-readable crash signature — Details

Christian Holler (:decoder)

Reporter

Updated

•

10 years ago

status-firefox35: --- → affected

Whiteboard: [jsbugmon:update,bisect]

Shu-yu Guo [:shu]

Assignee

Comment 2

•

10 years ago

Attached patch Only restore propagatingForcedReturn state in AutoSaveExceptionState if there isn't a new error. — Details — Splinter Review

New errors shouldn't be swallowed and should trump existing propagating forced
return behavior.

Attachment #8486608 - Flags: review?(jorendorff)

Jason Orendorff [:jorendorff]

Comment 3

•

10 years ago

Comment on attachment 8486608 [details] [diff] [review]
Only restore propagatingForcedReturn state in AutoSaveExceptionState if there isn't a new error.

Review of attachment 8486608 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, that seems good.

Attachment #8486608 - Flags: review?(jorendorff) → review+

Shu-yu Guo [:shu]

Assignee

Comment 4

•

10 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/8f515950193c

Assignee: nobody → shu

Status: NEW → ASSIGNED

Carsten Book [:Tomcat]

Comment 5

•

10 years ago

https://hg.mozilla.org/mozilla-central/rev/8f515950193c

Status: ASSIGNED → RESOLVED

Closed: 10 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla35

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Assertion failure: baselineFrame->hasReturnValue(), at jit/IonFrames.cpp:480

Categories

(Core :: JavaScript Engine: JIT, defect)

Tracking

()

People

(Reporter: decoder, Assigned: shu)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,bisect])

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Updated

Comment 2

Comment 3

Comment 4

Comment 5

Attachment

General

Description

File Name

Content Type