Closed Bug 695290 Opened 8 years ago Closed 8 years ago

Assertion failure: frame.stackDepth() == opinfo->stackDepth, at methodjit/Compiler.cpp:1672

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux

Tracking

RESOLVED FIXED
mozilla10

People

(Reporter: decoder, Assigned: bhackett1024)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: js-triage-needed)

Attachments

(1 file)

The following test crashes on mozilla-central revision cf5da681d577 (options -n -m -a):


options("typeinfer");
gczeal(2);
var g = newGlobal('new-compartment');
gcparam("maxBytes", 22000);
let array = g.eval("new Array(1,2,3)");


I'm not sure if this testcase is perfectly valid because the options call disables certain options again (but you cannot directly start with -n only). The larger testcase ran inside a driver which deletes the option function entirely, though, so I suspect there is a way to trigger this without using options().
Attached patch: patch
OOM triggered by inlineCallHelper was not being propagated.
Assignee: general → bhackett1024
Attachment #570023 - Flags: review?(dvander)
Comment on attachment 570023
patch

Review of attachment 570023:
-----------------------------------------------------------------

::: js/src/methodjit/Compiler.cpp
@@ +3518,4 @@
>      if (!cx->typeInferenceEnabled()) {
>          CompileStatus status = callArrayBuiltin(callImmArgc, callingNew);
>          if (status != Compile_InlineAbort)
> +            return false;
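
Review bot: The added `return false;` under `if (status != Compile_InlineAbort)` is also reached when callArrayBuiltin returns Compile_Okay, so a successfully compiled Array builtin call would be reported to the caller as a failure. Return the outcome of the status instead, for example `return status == Compile_Okay;`, so that only a real error propagates as false.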

Wouldn't this return false if status == Compile_Okay?
Attachment #570023 - Flags: review?(dvander) → review+
Yes, that should be returning true on Compile_Okay, good catch.

https://hg.mozilla.org/integration/mozilla-inbound/rev/1814bb5292a4
https://hg.mozilla.org/mozilla-central/rev/1814bb5292a4
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
Flags: in-testsuite?
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+