Closed
Bug 695290
Opened 13 years ago
Closed 13 years ago
Assertion failure: frame.stackDepth() == opinfo->stackDepth, at methodjit/Compiler.cpp:1672
Categories: (Core :: JavaScript Engine, defect)
Tracking: RESOLVED FIXED, mozilla10
People: (Reporter: decoder, Assigned: bhackett1024)
Details: (Keywords: assertion, testcase, Whiteboard: js-triage-needed)
Attachments (1 file): patch, 854 bytes, dvander: review+
The following test crashes on mozilla-central revision cf5da681d577 (options -n -m -a):
options("typeinfer");
gczeal(2);
var g = newGlobal('new-compartment');
gcparam("maxBytes", 22000);
let array = g.eval("new Array(1,2,3)");
I'm not sure if this testcase is perfectly valid because the options call disables certain options again (but you cannot directly start with -n only). The larger testcase ran inside a driver which deletes the option function entirely though so I suspect there is a way to trigger this without using options().
Assignee
Comment 1 • 13 years ago
OOM triggered by inlineCallHelper was not being propagated.
Assignee: general → bhackett1024
Attachment #570023 - Flags: review?(dvander)
Comment on attachment 570023: patch
Review of attachment 570023:
-----------------------------------------------------------------
::: js/src/methodjit/Compiler.cpp
@@ +3518,4 @@
> if (!cx->typeInferenceEnabled()) {
> CompileStatus status = callArrayBuiltin(callImmArgc, callingNew);
> if (status != Compile_InlineAbort)
> + return false;
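Review bot: the `return false;` added under `if (status != Compile_InlineAbort)` is taken for every status other than Compile_InlineAbort, so a callArrayBuiltin call that succeeds is reported to the caller as a failure, exactly like an error. Derive the return value from status instead, true for Compile_Okay and false for the error statuses, and add a short comment noting that only Compile_InlineAbort falls through past this block.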
Wouldn't this return false if status == Compile_Okay?
Attachment #570023 - Flags: review?(dvander) → review+
Assignee
Comment 3 • 13 years ago
Yes, that should be returning true on Compile_Okay, good catch.
https://hg.mozilla.org/integration/mozilla-inbound/rev/1814bb5292a4
Comment 4 • 13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
Reporter
Updated • 12 years ago
Flags: in-testsuite?
Reporter
Comment 5 • 12 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+