701764 - Assertion failure: nesting->activeFrames != 0, at jsinfer.cpp:5392

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

Attachment: shell testcase, unpack, chdir and read README

The attached test asserts on mozilla-central revision 50c1bcb49c76 (options -m -n -a, see README for running instructions).

Comment 1

[Brian Hackett [Laid off!]]

Attachment: patch

OOM bug during function frame prologues.  If we OOM while allocating a call object for the frame, the nesting prologue does not run, and we have an imbalanced active frame count after running the function epilogue to pop the frame (an incorrect count can manifest in incorrect behavior later, but not a crash).  The fix bumps the active frame count on the failure path, similar to markFunctionEpilogueDone.

Comment 2

[Luke Wagner [:luke]]

Comment on attachment 576059 [details] [diff] [review]
patch

I'm thinking this is the wrong fix: functionEpilogue should be able to gracefully handle the case where functionPrologue hasn't been called, not just for this case, but because otherwise we have this subtle requirement: if you pushInlineFrame (from C++ or mjit), you had better call functionPrologue before you do anything else that can fail (causing popInlineFrame).  We previously had this sort of constraint with activation object code and it caused all sorts of problems.  Surely there is some way that NestingPrologue can determine that it shouldn't do anything?

Comment 3

[Jan de Mooij [:jandem]]

All this code was removed a long time ago.