Closed Bug 648586 Opened 9 years ago Closed 9 years ago

TI: Crash [@ JSStackFrame::pc] or "Assertion failure: frame not in stack space,"

Categories

(Core :: JavaScript Engine, defect, critical)

x86
macOS
defect
Not set
critical


RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [ccbr])

Crash Data

Attachments

(1 file)

Attached file more information
eval("\
    function a(y){y.x}\
    for each(let d in[\
        ({}),({}),({}),({}),({}),({}),({}),({}),({}),({})\
    ]){\
        try{\
            a(d)\
        }catch(e){}\
    }\
    n\
")

Crashes the js opt shell on JM changeset a9f916668b29 with -m, -a and -j at JSStackFrame::pc, and asserts the js debug shell with "Assertion failure: frame not in stack space".

(not sure if the regressing changeset below is correct)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   64250:0b1dd5e20bb9
user:        Brian Hackett
date:        Thu Mar 31 18:11:41 2011 -0700
summary:     [INFER] Restore stock JM behavior with inference off, bug 647048.
This bug is pretty tricky.  When invoking the tracer, it can write on cx->regs->fp (aka f.regs.fp) when bailing, to synthesize any new frames.  It then calls the interpreter with the original entry fp and active deeper fp.  If the interpreter pops that frame it will not be reflected in f.regs.fp, as the interpreter makes a local copy of the regs, and if the interpreter does something that triggers recompilation we will look at the garbage f.regs.fp.

It would be good to maintain the invariant that for all VMFrames f, f.regs.fp is on the stack.  This saves f.regs while the tracer is running in the same way as the interpreter, restoring it once the tracer finishes.

http://hg.mozilla.org/projects/jaegermonkey/rev/a4355f027716
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ JSStackFrame::pc]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug648586.js.
Flags: in-testsuite+