Assertion failure: frame.stackDepth() == opinfo->stackDepth, at methodjit/Compiler.cpp:1672

RESOLVED FIXED in mozilla10

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla10
x86_64
Linux
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-needed)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test crashes on mozilla-central revision cf5da681d577 (options -n -m -a):


options("typeinfer");
gczeal(2);
var g = newGlobal('new-compartment');
gcparam("maxBytes", 22000);
let array = g.eval("new Array(1,2,3)");


I'm not sure if this testcase is perfectly valid because the options call disables certain options again (but you cannot directly start with -n only). The larger testcase ran inside a driver which deletes the option function entirely though so I suspect there is a way to trigger this without using options().
(Assignee)

Comment 1

6 years ago
Created attachment 570023
patch

OOM triggered by inlineCallHelper was not being propagated.
Assignee: general → bhackett1024
Attachment #570023 - Flags: review?(dvander)
Comment on attachment 570023
patch

Review of attachment 570023:
-----------------------------------------------------------------

::: js/src/methodjit/Compiler.cpp
@@ +3518,4 @@
>      if (!cx->typeInferenceEnabled()) {
>          CompileStatus status = callArrayBuiltin(callImmArgc, callingNew);
>          if (status != Compile_InlineAbort)
> +            return false;

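Review bot: the added `return false;` sits under `if (status != Compile_InlineAbort)`, so it runs for every other status, including the one where callArrayBuiltin compiled the call successfully, and the caller would then treat a successful inline as a failure. Derive the return value from the status instead, for example `return status == Compile_Okay;`, so that only a real error produces false. A short comment on the branch stating which statuses mean "handled", "failed" and "fall through to the generic path" would also keep the tri-state-to-bool conversion from being misread later.
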
Wouldn't this return false if status == Compile_Okay?
Attachment #570023 - Flags: review?(dvander) → review+
(Assignee)

Comment 3

6 years ago
Yes, that should be returning true on Compile_Okay, good catch.

https://hg.mozilla.org/integration/mozilla-inbound/rev/1814bb5292a4
https://hg.mozilla.org/mozilla-central/rev/1814bb5292a4
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
(Reporter)

Updated

4 years ago
Flags: in-testsuite?
(Reporter)

Comment 5

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+