Closed Bug 471660 Opened 14 years ago Closed 14 years ago

TM: Crash [@ js_UnwindScope]

Categories

(Core :: JavaScript Engine, defect, P2)

x86
macOS
defect

Tracking

()

VERIFIED FIXED

People

(Reporter: gkw, Assigned: jimb)

References

Details

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Crash Data

y = <x/>;

for (var w = 0; w < 5; ++w) {

  let (y) { do break ; while (true); }
  for each (let x in [{}, function(){}]) {y}

}


crashes opt tm builds near null at js_UnwindScope and asserts dbg at Assertion failure: !(fp->flags & JSFRAME_POP_BLOCKS), at ../jstracer.cpp:3690

Related to bug 470388 ?
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
After bug 470388 got fixed, this testcase still crashes near null at js_UnwindScope and now asserts at:

Assertion failure: blockDepth <= StackDepth(script), at ../jsinterp.cpp:6707
The code relevant to this bug is apparently all going to change in the upvar patch.
Depends on: upvar2
I can reproduce this on Linux with the Javascript shell in changeset 1dd1af3aec3e.
Assignee: general → jim
Status: NEW → ASSIGNED
(In reply to comment #2)
> The code relevant to this bug is apparently all going to change in the upvar
> patch.

This is referring to bug 452498, says Dave.
This still crashes, even with bug 452498's attachment 356637 [details] [diff] [review] applied.
(In reply to comment #5)
> This still crashes, even with bug 452498's attachment 356637 [details] [diff] [review] applied.

Yeah, that patch (no code gen change yet) won't fix this bug.

Suggest waiting for the complete proposed fix patch for that bug. If you want to go further, faster, consider optimizing closures that do not capture any upvars at all. But I'm close in bug 452498, so probably if you have other blockers to work on, focus on those. Thanks,

/be
WFM now on TM tip.

=====

$ ./js-dbg-tm-intelmac -j
js> y = <x/>;

js> 
js> for (var w = 0; w < 5; ++w) {

  let (y) { do break ; while (true); }
  for each (let x in [{}, function(){}]) {y}

}

js> 

=====

$ ./js-opt-tm-intelmac -j
js> y = <x/>;

js> 
js> for (var w = 0; w < 5; ++w) {

  let (y) { do break ; while (true); }
  for each (let x in [{}, function(){}]) {y}

}

js>
Flags: in-testsuite?
Whiteboard: fixed-in-tracemonkey
Any chance for a bisect?
Fixed in http://hg.mozilla.org/tracemonkey/rev/592836729d33

changeset:   25114:592836729d33
user:        Blake Kaplan <mrbkap@gmail.com>
date:        Wed Feb 11 15:16:20 2009 -0800
summary:     Bug 472450 - Don't record after js_GetScopeChain, since we can't successfully recover from a side exit. r=gal
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
http://hg.mozilla.org/tracemonkey/rev/0ebf5e0fde61

/cvsroot/mozilla/js/tests/js1_8/regress/regress-471660.js,v  <--  regress-471660.js
initial revision: 1.1
Flags: in-testsuite? → in-testsuite+
 Bug 472450 is fixed1.9.1, so this is too
Keywords: fixed1.9.1
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_UnwindScope]
You need to log in before you can comment on or make changes to this bug.