Bug 678090 - Assertion failure: spoff == js_ReconstructStackDepth(cx_, fp_->script(), pc_), at vm/Stack.cpp:1012
Status: RESOLVED FIXED
Whiteboard: [js-triage-done][inbound]
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla9
Assigned To: Luke Wagner [:luke]
Blocks: langfuzz

Reported: 2011-08-10 16:18 PDT by Christian Holler (:decoder)
Modified: 2013-01-19 14:02 PST
choller: in‑testsuite+

Attachments
fix and test (1.74 KB, patch)
2011-08-11 17:03 PDT, Luke Wagner [:luke]
dvander: review+

Description Christian Holler (:decoder) 2011-08-10 16:18:07 PDT
The following code asserts on mozilla-inbound (revision 609f37c36bd7, options -j -m -a):


function toSource(arr) {
  for (i=0; i<len; i++) {}
}
test();
function test() {
  function gen() {
    var c = test;
    try {
      yield c;
    } finally {
      this.toSource();
    }
  }
  var iter = gen();
  for (i in iter) {
    500();
  }
}
Comment 1 Luke Wagner [:luke] 2011-08-11 17:03:49 PDT
Created attachment 552545
fix and test

Looks like there is a bug where the mjit's exception handling doesn't update the current pc to match the updated sp when closing open iterators (which is observable since this can run finalizers). I suspect this is a debug-only failure; I can't think of how it would manifest a real problem.
Comment 3 Marco Bonardo [::mak] 2011-08-19 03:20:53 PDT
http://hg.mozilla.org/mozilla-central/rev/5bbc3615e387

the bug number in the changeset is wrong
Comment 4 Christian Holler (:decoder) 2013-01-19 14:02:07 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
