Closed Bug 1233343 Opened 5 years ago Closed 5 years ago

Crash [@ js::jit::JitFrameIterator::checkInvalidation] or Assertion failure: hasScript(), at js/src/jsfun.h:423

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86, Linux
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla46
Tracking Status: firefox46 --- fixed
Reporter: gkw
Assigned: h4writer
Keywords: 4 keywords
Whiteboard: [jsbugmon:]
Attachments: 4 files

The following testcase crashes on mozilla-central revision 0babaa3edcf9 (build with --32 --enable-more-deterministic --enable-simulator=arm, run with --fuzzing-safe --no-threads --ion-eager --ion-shared-stubs=on):

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Debugger-debuggees-28.js
function addRemove() {
    dbg.addDebuggee(g);
    f = dbg.getNewestFrame().older;
}
function removeAdd() {
    dbg.addDebuggee(g);
    var f = dbg.getNewestFrame();
    while (f) {
        f = f.older;
    }
}
function testInterrupt() {
    g = newGlobal();
    dbg = new Debugger;
    g.eval("" + function f() {
        return g();
    });
    g.eval("" + function g() {
        return h();
    });
    g.eval("" + function h() {
        for (var i = 0; i < 100; i++) {
            interruptIf(5);
        }
    });
    setInterruptCallback(function() {
        toggleSeq();
        return true;
    });
    g.f();
}
toggleSeq = addRemove;
testInterrupt();
toggleSeq = removeAdd;
testInterrupt();

Backtrace:

#0  0x08202ac5 in js::jit::JitFrameIterator::checkInvalidation (this=0xffbbd90c, ionScriptOut=0xffbbd4f8) at js/src/jit/JitFrames.cpp:156
#1  0x08203f80 in js::jit::JitFrameIterator::ionScript (this=0xffbbd90c) at js/src/jit/JitFrames.cpp:2347
#2  0x082049a9 in js::jit::JitFrameIterator::safepoint (this=0xffbbd90c) at js/src/jit/JitFrames.cpp:2365
#3  js::jit::JitFrameIterator::machineState (this=0xffbbd90c) at js/src/jit/JitFrames.cpp:359
#4  0x082060cd in js::jit::InlineFrameIterator::resetOn (iter=0xffbbd90c, this=0xffbbd93c) at js/src/jit/JitFrames.cpp:2429
#5  js::jit::InlineFrameIterator::InlineFrameIterator (this=0xffbbd93c, cx=0xf7173040, iter=0xffbbd90c) at js/src/jit/JitFrames.cpp:2391
#6  0x08626b49 in CollectJitStackScripts (entries=..., activation=..., obs=..., cx=0xf7173040) at js/src/jit/BaselineDebugModeOSR.cpp:243
#7  js::jit::RecompileOnStackBaselineScriptsForDebugMode (cx=0xf7173040, obs=..., observing=js::Debugger::Observing) at js/src/jit/BaselineDebugModeOSR.cpp:844
#8  0x084410ec in js::Debugger::updateExecutionObservabilityOfFrames (cx=cx@entry=0xf7173040, obs=..., observing=js::Debugger::Observing) at js/src/vm/Debugger.cpp:2021
#9  0x084429a9 in js::Debugger::ensureExecutionObservabilityOfFrame (cx=0xf7173040, frame=...) at js/src/vm/Debugger.cpp:2209
#10 0x084592ec in js::Debugger::getScriptFrameWithIter (this=0xf7189400, cx=0xf7173040, frame=..., maybeIter=0xffbbdedc, vp=...) at js/src/vm/Debugger.cpp:484
#11 0x0845a62a in js::Debugger::getScriptFrame (vp=..., iter=..., cx=0xf7173040, this=0xf7189400) at js/src/vm/Debugger.h:888
#12 DebuggerFrame_getOlder (cx=0xf7173040, argc=0, vp=0xffbbe168) at js/src/vm/Debugger.cpp:6377
#13 0x08295bad in js::jit::DoCallNativeGetter (cx=0xf7173040, callee=..., obj=..., result=...) at js/src/jit/SharedIC.cpp:3667
#14 0x083447dd in js::jit::Simulator::softwareInterrupt (this=0xf7172000, instr=0xf7107b54) at js/src/jit/arm/Simulator-arm.cpp:2321
#15 0x08344ea6 in js::jit::Simulator::decodeType7 (this=0xf7172000, instr=0xf7107b54) at js/src/jit/arm/Simulator-arm.cpp:3483
#16 0x0834620a in js::jit::Simulator::instructionDecode (this=0xf7172000, instr=0xf7107b54) at js/src/jit/arm/Simulator-arm.cpp:4405
#17 0x0834675a in js::jit::Simulator::execute<false> (this=0xf7172000) at js/src/jit/arm/Simulator-arm.cpp:4460
#18 js::jit::Simulator::callInternal (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
#19 0x08346a31 in js::jit::Simulator::call (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4631
#20 0x081e6c51 in EnterIon (data=..., cx=0xf7173040) at js/src/jit/Ion.cpp:2700
#21 js::jit::IonCannon (cx=0xf7173040, state=...) at js/src/jit/Ion.cpp:2804
#22 0x0849947a in js::RunScript (cx=0xf7173040, state=...) at js/src/vm/Interpreter.cpp:371
#23 0x08499602 in js::Invoke (cx=0xf7173040, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:462
#24 0x0849a511 in js::Invoke (cx=0xf7173040, thisv=..., fval=..., argc=0, argv=0x0, rval=...) at js/src/vm/Interpreter.cpp:496
#25 0x0835a0c9 in JS_CallFunctionValue (cx=0xf7173040, obj=..., fval=..., args=..., rval=...) at js/src/jsapi.cpp:2790
#26 0x080798be in ShellInterruptCallback (cx=0xf7173040) at js/src/shell/js.cpp:432
#27 0x084d5112 in InvokeInterruptCallback (cx=0xf7173040) at js/src/vm/Runtime.cpp:573
#28 0x084d83cd in JSRuntime::handleInterrupt (this=<optimized out>, cx=<optimized out>) at js/src/vm/Runtime.cpp:664
#29 0x082c59aa in js::CheckForInterrupt (cx=0xf7173040) at js/src/jscntxt.h:666
#30 js::jit::InterruptCheck (cx=0xf7173040) at js/src/jit/VMFunctions.cpp:489
#31 0x083447dd in js::jit::Simulator::softwareInterrupt (this=0xf7172000, instr=0xf7107ac4) at js/src/jit/arm/Simulator-arm.cpp:2321
#32 0x08344ea6 in js::jit::Simulator::decodeType7 (this=0xf7172000, instr=0xf7107ac4) at js/src/jit/arm/Simulator-arm.cpp:3483
#33 0x0834620a in js::jit::Simulator::instructionDecode (this=0xf7172000, instr=0xf7107ac4) at js/src/jit/arm/Simulator-arm.cpp:4405
#34 0x0834675a in js::jit::Simulator::execute<false> (this=0xf7172000) at js/src/jit/arm/Simulator-arm.cpp:4460
#35 js::jit::Simulator::callInternal (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
#36 0x08346a31 in js::jit::Simulator::call (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4631
#37 0x081e6c51 in EnterIon (data=..., cx=0xf7173040) at js/src/jit/Ion.cpp:2700
#38 js::jit::IonCannon (cx=0xf7173040, state=...) at js/src/jit/Ion.cpp:2804
#39 0x0849947a in js::RunScript (cx=0xf7173040, state=...) at js/src/vm/Interpreter.cpp:371
#40 0x08499602 in js::Invoke (cx=0xf7173040, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:462
#41 0x0849a511 in js::Invoke (cx=0xf7173040, thisv=..., fval=..., argc=0, argv=0xf5effb60, rval=...) at js/src/vm/Interpreter.cpp:496
#42 0x08177d53 in js::jit::DoCallFallback (cx=0xf7173040, frame=0xf5effb80, stub_=0xf7122088, argc=0, vp=0xf5effb50, res=...) at js/src/jit/BaselineIC.cpp:6164
#43 0x083449aa in js::jit::Simulator::softwareInterrupt (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:2378
#44 0x08344ea6 in js::jit::Simulator::decodeType7 (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:3483
#45 0x0834620a in js::jit::Simulator::instructionDecode (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:4405
#46 0x0834675a in js::jit::Simulator::execute<false> (this=0xf7172000) at js/src/jit/arm/Simulator-arm.cpp:4460
#47 js::jit::Simulator::callInternal (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
#48 0x08346a31 in js::jit::Simulator::call (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4631
#49 0x081e6c51 in EnterIon (data=..., cx=0xf7173040) at js/src/jit/Ion.cpp:2700
#50 js::jit::IonCannon (cx=0xf7173040, state=...) at js/src/jit/Ion.cpp:2804
#51 0x0849947a in js::RunScript (cx=0xf7173040, state=...) at js/src/vm/Interpreter.cpp:371
#52 0x08499602 in js::Invoke (cx=0xf7173040, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:462
#53 0x0849a511 in js::Invoke (cx=0xf7173040, thisv=..., fval=..., argc=0, argv=0xf5effc90, rval=...) at js/src/vm/Interpreter.cpp:496
#54 0x08177d53 in js::jit::DoCallFallback (cx=0xf7173040, frame=0xf5effcb0, stub_=0xf7121f88, argc=0, vp=0xf5effc80, res=...) at js/src/jit/BaselineIC.cpp:6164
#55 0x083449aa in js::jit::Simulator::softwareInterrupt (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:2378
#56 0x08344ea6 in js::jit::Simulator::decodeType7 (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:3483
#57 0x0834620a in js::jit::Simulator::instructionDecode (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:4405
#58 0x0834675a in js::jit::Simulator::execute<false> (this=0xf7172000) at js/src/jit/arm/Simulator-arm.cpp:4460
#59 js::jit::Simulator::callInternal (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
#60 0x08346a31 in js::jit::Simulator::call (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4631
#61 0x081e6c51 in EnterIon (data=..., cx=0xf7173040) at js/src/jit/Ion.cpp:2700
#62 js::jit::IonCannon (cx=0xf7173040, state=...) at js/src/jit/Ion.cpp:2804
#63 0x0849947a in js::RunScript (cx=0xf7173040, state=...) at js/src/vm/Interpreter.cpp:371
#64 0x08499602 in js::Invoke (cx=0xf7173040, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:462
#65 0x0849a511 in js::Invoke (cx=0xf7173040, thisv=..., fval=..., argc=0, argv=0xffbc00fc, rval=...) at js/src/vm/Interpreter.cpp:496
#66 0x08415a40 in js::DirectProxyHandler::call (this=0x95ca784 <js::CrossCompartmentWrapper::singleton>, cx=0xf7173040, proxy=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#67 0x0841b399 in js::CrossCompartmentWrapper::call (this=0x95ca784 <js::CrossCompartmentWrapper::singleton>, cx=0xf7173040, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#68 0x0842599c in js::Proxy::call (cx=0xf7173040, proxy=..., args=...) at js/src/proxy/Proxy.cpp:391
#69 0x08426311 in js::proxy_Call (cx=0xf7173040, argc=0, vp=0xffbc00ec) at js/src/proxy/Proxy.cpp:683
#70 0x08499a1f in js::CallJSNative (args=..., native=0x84262b0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, cx=0xf7173040) at js/src/jscntxtinlines.h:235
#71 js::Invoke (cx=0xf7173040, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:432
#72 0x0849a511 in js::Invoke (cx=0xf7173040, thisv=..., fval=..., argc=0, argv=0xf5effdc0, rval=...) at js/src/vm/Interpreter.cpp:496
#73 0x08177d53 in js::jit::DoCallFallback (cx=0xf7173040, frame=0xf5effde0, stub_=0xf7120ad0, argc=0, vp=0xf5effdb0, res=...) at js/src/jit/BaselineIC.cpp:6164
#74 0x083449aa in js::jit::Simulator::softwareInterrupt (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:2378
#75 0x08344ea6 in js::jit::Simulator::decodeType7 (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:3483
#76 0x0834620a in js::jit::Simulator::instructionDecode (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:4405
#77 0x0834675a in js::jit::Simulator::execute<false> (this=0xf7172000) at js/src/jit/arm/Simulator-arm.cpp:4460
#78 js::jit::Simulator::callInternal (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
#79 0x08346a31 in js::jit::Simulator::call (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4631
#80 0x081e6c51 in EnterIon (data=..., cx=0xf7173040) at js/src/jit/Ion.cpp:2700
#81 js::jit::IonCannon (cx=0xf7173040, state=...) at js/src/jit/Ion.cpp:2804
#82 0x0849947a in js::RunScript (cx=0xf7173040, state=...) at js/src/vm/Interpreter.cpp:371
#83 0x08499602 in js::Invoke (cx=0xf7173040, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:462
#84 0x0849a511 in js::Invoke (cx=0xf7173040, thisv=..., fval=..., argc=0, argv=0xf5effee8, rval=...) at js/src/vm/Interpreter.cpp:496
#85 0x08177d53 in js::jit::DoCallFallback (cx=0xf7173040, frame=0xf5efff08, stub_=0xf71201e0, argc=0, vp=0xf5effed8, res=...) at js/src/jit/BaselineIC.cpp:6164
#86 0x083449aa in js::jit::Simulator::softwareInterrupt (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:2378
#87 0x08344ea6 in js::jit::Simulator::decodeType7 (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:3483
#88 0x0834620a in js::jit::Simulator::instructionDecode (this=0xf7172000, instr=0xf5be7254) at js/src/jit/arm/Simulator-arm.cpp:4405
#89 0x0834675a in js::jit::Simulator::execute<false> (this=0xf7172000) at js/src/jit/arm/Simulator-arm.cpp:4460
#90 js::jit::Simulator::callInternal (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
#91 0x08346a31 in js::jit::Simulator::call (this=0xf7172000, entry=0xf77917a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4631
#92 0x081e6c51 in EnterIon (data=..., cx=0xf7173040) at js/src/jit/Ion.cpp:2700
#93 js::jit::IonCannon (cx=0xf7173040, state=...) at js/src/jit/Ion.cpp:2804
#94 0x0849947a in js::RunScript (cx=0xf7173040, state=...) at js/src/vm/Interpreter.cpp:371
#95 0x0849af9b in js::ExecuteKernel (result=0x0, evalInFrame=..., type=<optimized out>, newTargetValue=..., scopeChainArg=..., script=..., cx=0xf7173040) at js/src/vm/Interpreter.cpp:650
#96 js::Execute (cx=0xf7173040, script=..., scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:685
#97 0x0835a3c2 in ExecuteScript (cx=cx@entry=0xf7173040, scope=..., scope@entry=..., script=script@entry=..., rval=0x0) at js/src/jsapi.cpp:4410
#98 0x0835a50e in JS_ExecuteScript (cx=0xf7173040, scriptArg=...) at js/src/jsapi.cpp:4443
#99 0x08069bff in RunFile (compileOnly=<optimized out>, file=<optimized out>, filename=<optimized out>, cx=0xf7173040) at js/src/shell/js.cpp:515
#100 Process (cx=cx@entry=0xf7173040, filename=0xffbc31fe "bb158181.js", forceTTY=forceTTY@entry=false, kind=FileScript) at js/src/shell/js.cpp:728
#101 0x08071373 in ProcessArgs (op=0xffbc12d0, cx=<optimized out>) at js/src/shell/js.cpp:6204
#102 Shell (envp=<optimized out>, op=0xffbc12d0, cx=<optimized out>) at js/src/shell/js.cpp:6516
#103 main (argc=6, argv=0xffbc1414, envp=0xffbc1430) at js/src/shell/js.cpp:6877


info reg

eax            0x302	770
ecx            0x3	3
edx            0xffbbd90c	-4466420
ebx            0xffbbd90c	-4466420
esp            0xffbbd4d0	0xffbbd4d0
ebp            0x1080	0x1080
esi            0xffbbd90c	-4466420
edi            0xb	11
eip            0x8202ac5	0x8202ac5 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+21>
eflags         0x10293	[ CF AF SF IF RF ]
cs             0x23	35
ss             0x2b	43
ds             0x2b	43
es             0x2b	43
fs             0x0	0
gs             0x63	99


x/8i $pc

=> 0x8202ac5 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+21>:	mov    0x44(%eax),%eax
0x8202ac8 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+24>:	mov    0x8(%ebx),%edx
0x8202acb <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+27>:	cmp    $0x3,%eax
0x8202ace <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+30>:	ja     0x8202af0 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+64>
0x8202ad0 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+32>:	add    -0x4(%edx),%edx
0x8202ad3 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+35>:	sub    $0xc,%esp
0x8202ad6 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+38>:	push   %edx
0x8202ad7 <js::jit::JitFrameIterator::checkInvalidation(js::jit::IonScript**) const+39>:	call   0x82cc910 <js::jit::Assembler::GetPointer(unsigned char*)>
Attached file stack for assertion
(gdb) bt 5
#0  JSFunction::hasUncompiledScript (this=0xf5eff878) at /home/ubuntu/trees/mozilla-central/js/src/jsfun.h:423
#1  JSFunction::nonLazyScript (this=0xf5eff878) at /home/ubuntu/trees/mozilla-central/js/src/jsfun.h:428
#2  0x082d38a9 in js::jit::ScriptFromCalleeToken (token=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/jit/JitFrames.h:86
#3  0x082d8321 in js::jit::JitFrameIterator::script (this=0xffb8b350) at /home/ubuntu/trees/mozilla-central/js/src/jit/JitFrames.cpp:219
#4  0x082d83bc in js::jit::JitFrameIterator::checkInvalidation (this=0xffb8b350, ionScriptOut=0xffb8aed8) at /home/ubuntu/trees/mozilla-central/js/src/jit/JitFrames.cpp:155
(More stack frames follow...)
(gdb)
Since this involves --ion-shared-stubs=on, setting needinfo? from Hannes as a start.
Flags: needinfo?(hv1989)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Attached file bisection window
Bug 1214508 is in the bisection window, so yeah, guess this is related to shared stubs after all.
(In reply to Fuzzing Team from comment #3)
> JSBugMon: Cannot process bug: Unable to automatically reproduce, please
> track manually.

JSBugMon does not yet support --ion-shared-stubs=on, I'd guess.
Attached file maxim assertion stack
bughunter reproduces this assertion on Beta/44, Aurora/45, Nightly/46 on Linux, OS X, Windows at http://www.maxim.com/
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Since this involves --ion-shared-stubs=on, setting needinfo? from Hannes as
> a start.

Awesome find!
Flags: needinfo?(hv1989)
Attached patch Patch
The bug is due to the nature of ARM and its use of link registers. It pushes the ICTailCallReg (since it is needed when we go into cpp land to have the correct jit stack layout), but it was pushed while adjusting the internal frame pushed state. That is incorrect, because this is used to know what the size of the frame is, but this is actually part of the previous frame. As a result it should not get counted.
Assignee: nobody → hv1989
Attachment #8700322 - Flags: review?(jdemooij)
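
The accounting error described in the comment above, reduced to a toy model (an added example, not SpiderMonkey code and not the attached patch). The stack layout, `ToyAssembler`, `pushTracked`/`pushUntracked`, the walker and all constants are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy model of the accounting problem; every name here is hypothetical and
// none of this is SpiderMonkey code. Values are constructed for illustration.
constexpr uintptr_t OUTER_WORD   = 0xDEAD;    // unrelated word from an older frame
constexpr uintptr_t CALLER_TOKEN = 0xCA11EE;  // caller frame's callee token
constexpr uintptr_t RETURN_ADDR  = 0x8000;    // link-register value on entry to the stub

struct ToyAssembler {
    std::vector<uintptr_t> stack;  // back() is the top of the stack
    size_t framePushed = 0;        // words the current frame claims as its own

    // Push and count the word as part of the current frame.
    void pushTracked(uintptr_t v) { stack.push_back(v); ++framePushed; }
    // Push without counting: the word belongs to the previous frame's header.
    void pushUntracked(uintptr_t v) { stack.push_back(v); }
};

struct WalkResult {
    uintptr_t returnAddr;
    uintptr_t calleeToken;
};

// Emit a stub frame the way the comment describes: the link register is
// spilled so C++ sees a return address on the stack, then the stub pushes
// two words of its own. countLinkRegister selects buggy vs. fixed accounting.
ToyAssembler buildStubFrame(bool countLinkRegister) {
    ToyAssembler masm;
    masm.stack = {OUTER_WORD, CALLER_TOKEN};  // already on the stack at entry
    if (countLinkRegister)
        masm.pushTracked(RETURN_ADDR);    // buggy: inflates the frame size
    else
        masm.pushUntracked(RETURN_ADDR);  // fixed: header word, not frame body
    masm.pushTracked(0x11);               // stub-owned spill slots
    masm.pushTracked(0x22);
    return masm;
}

// Frame walker: skip framePushed words from the top to find the header
// (return address, then callee token) that precedes the frame body.
WalkResult walkToCaller(const ToyAssembler& masm) {
    size_t ra = masm.stack.size() - masm.framePushed - 1;
    return {masm.stack[ra], masm.stack[ra - 1]};
}

// Sanity check a walker can apply before trusting the token.
bool headerLooksValid(const WalkResult& r) {
    return r.returnAddr == RETURN_ADDR && r.calleeToken == CALLER_TOKEN;
}
```

With the link register counted, the walker lands one word off and treats an unrelated word as the callee token, which is the kind of misread a check like `hasScript()` trips on.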
(In reply to Bob Clary [:bc:] from comment #6)
> Created attachment 8700252 [details]
> maxim assertion stack
> 
> bughunter reproduces this assertion on Beta/44, Aurora/45, Nightly/46 on
> Linux, OS X, Windows at http://www.maxim.com/

That is definitely another bug. This feature is not enabled by default yet and will only trigger on ARM devices.
Blocks: 1161516
Attachment #8700322 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/c8e48d86e373
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46