Bug 648438 - TM: Assertion failure: !cx->regs->fp->hasImacropc(), at ./jscntxtinlines.h:424
Status: RESOLVED FIXED
fixed-in-tracemonkey
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86_64 Linux
: -- critical
: ---
Assigned To: Luke Wagner [:luke]
: Jason Orendorff [:jorendorff]
: 664668
Blocks: langfuzz
Reported: 2011-04-07 18:12 PDT by Christian Holler (:decoder)
Modified: 2013-02-19 10:24 PST
choller: in‑testsuite+

Attachments
fix assert (1.87 KB, patch)
2011-06-15 14:27 PDT, Luke Wagner [:luke]
no flags
fix assert (1.88 KB, patch)
2011-06-15 17:06 PDT, Luke Wagner [:luke]
jwalden+bmo: review+

Description Christian Holler (:decoder) 2011-04-07 18:12:02 PDT
The following code asserts on TM revision 5550f333d8c8 when run with -j -m (tested on 64 bit):

test();
function test()
{
  var code = "", obj = {};
  for(var i = 0; i < 0x10000; i++) {
      if(i == 10242) {
        return test.call(obj, obj);
      } else {
        code += "void 'x" + i + "';\n";
      }
  } 
}
Comment 1 Jan de Mooij [:jandem] 2011-06-15 13:23:00 PDT
I'm not sure but this assert seems to be more frequent now. Here's a simpler test case:
--
for (var i = 0; i < 20; i++) {
    (function () {
        try {
            JSON.parse();
        } catch (e) {}
    }).call();
}
--
Asserts with -j, 32-bit OS X. Top stack frames:

#1  0x0012387c in ReconstructImacroPCStack (cx=0x70b770, script=0x70de20, imacstart=0x38c2a0 "OQ@:", target=0x38c2a3 ":", pcstack=0x0) at jsopcode.cpp:5504
#2  0x00123939 in ReconstructPCStack (cx=0x70b770, script=0x70de20, target=0x38c2a3 ":", pcstack=0x0) at jsopcode.cpp:5529
#3  0x00123c54 in js_ReconstructStackDepth (cx=0x70b770, script=0x70de20, pc=0x38c2a3 ":") at jsopcode.cpp:5364
#4  0x001e350b in js::StackIter::settleOnNewState (this=0xbfffe238) at vm/Stack.cpp:941
#5  0x001e39c5 in js::StackIter::operator++ (this=0xbfffe238) at vm/Stack.cpp:1018
#6  0x0001220b in js::FrameRegsIter::operator++ (this=0xbfffe238) at Stack.h:1679
Comment 2 Luke Wagner [:luke] 2011-06-15 14:21:47 PDT
Oops, that js_ReconstructStack is in an assert that needs a:
  JS_ASSERT_IF(!fp->hasImacropc(), 
in front of it.
Comment 3 Luke Wagner [:luke] 2011-06-15 14:27:41 PDT
Created attachment 539658
fix assert

hate imacros
Comment 4 Luke Wagner [:luke] 2011-06-15 17:06:27 PDT
Created attachment 539689
fix assert

Oops, last patch inverted the new assert it added.
Comment 5 Jeff Walden [:Waldo] (remove +bmo to email) 2011-06-15 17:11:00 PDT
Comment on attachment 539689
fix assert

Review of attachment 539689:
-----------------------------------------------------------------

::: js/src/vm/Stack.cpp
@@ +947,5 @@
>                      args_ = CallArgsFromVp(argc, vp);
>                      return;
>                  }
>              } else if (op == JSOP_FUNAPPLY) {
> +                JS_ASSERT(!fp_->hasImacropc());
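
Review bot: the JS_ASSERT(!fp_->hasImacropc()) added as the first statement of the JSOP_FUNAPPLY branch has no comment saying what in this branch depends on the frame not being inside an imacro, so the invariant is recorded only as a bare condition. Please add a one-line comment above it stating that assumption, so that anyone who later emits JSOP_FUNAPPLY from an imacro knows this code has to change rather than just the assert. Since JS_ASSERT is compiled out of release builds, it is also worth confirming that the rest of the branch is safe, or at least fails cleanly, if the condition is ever false there.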

But but but I had an awesome idea for an optimization that used JSOP_FUNAPPLY from an imacro!!!1!
Comment 6 Luke Wagner [:luke] 2011-06-16 08:02:18 PDT
*** Bug 664668 has been marked as a duplicate of this bug. ***
Comment 7 Luke Wagner [:luke] 2011-06-16 08:17:01 PDT
(In reply to comment #5)
stab

http://hg.mozilla.org/tracemonkey/rev/b65724d6c326
Comment 8 Chris Leary [:cdleary] (not checking bugmail) 2011-06-20 17:15:10 PDT
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/b65724d6c326
Comment 9 Christian Holler (:decoder) 2013-01-14 07:48:59 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug648438.js.
