Closed Bug 731826 Opened 13 years ago Closed 13 years ago

IonMonkey: Assertion failure: tag <= CalleeToken_Script, at ../../ion/IonFrames.h:70

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: h4writer, Unassigned)

Details

Attachments

(2 files)

crypto.js.reduced
703 bytes, text/plain
Details
crypto.js.extra.reduced
284 bytes, application/javascript
Details
Attached file crypto.js.reduced
This happens on a reduced and modified version of v8/crypto.js. See attachment for testcase. Running on "--ion -n -m" Assertion failure: tag <= CalleeToken_Script, at /home/h4writer/Build/ionmonkey/js/src/ion/IonFrames.h:70 Program received signal SIGABRT, Aborted. 0xf7fdd430 in __kernel_vsyscall () (gdb) bt #0 0xf7fdd430 in __kernel_vsyscall () #1 0xf7fa8ebe in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42 #2 0x08442856 in MOZ_Crash () at /home/h4writer/Build/ionmonkey/mfbt/Assertions.cpp:79 #3 0x084428b2 in MOZ_Assert (s=0x8502072 "tag <= CalleeToken_Script", file=0x850203c "/home/h4writer/Build/ionmonkey/js/src/ion/IonFrames.h", ln=70) at /home/h4writer/Build/ionmonkey/mfbt/Assertions.cpp:88 #4 0x083b64e2 in js::ion::GetCalleeTokenTag (token=0x6ede28f7) at /home/h4writer/Build/ionmonkey/js/src/ion/IonFrames.h:70 #5 0x083b66be in js::ion::MaybeScriptFromCalleeToken (token=0x6ede28f7) at /home/h4writer/Build/ionmonkey/js/src/ion/IonFrames.cpp:60 #6 0x083b6be2 in js::ion::IonFrameIterator::script (this=0xffffc378) at /home/h4writer/Build/ionmonkey/js/src/ion/IonFrames.cpp:212 #7 0x0838526c in InvalidateActivation (cx=0x86dbe08, ionTop=0xffffc5e0 "8", invalidateAll=false) at /home/h4writer/Build/ionmonkey/js/src/ion/Ion.cpp:1018 #8 0x083856fd in js::ion::Invalidate (cx=0x86dbe08, invalid=..., resetUses=true) at /home/h4writer/Build/ionmonkey/js/src/ion/Ion.cpp:1122 #9 0x08119f16 in js::types::TypeCompartment::processPendingRecompiles (this=0x86dc6b8, cx=0x86dbe08) at /home/h4writer/Build/ionmonkey/js/src/jsinfer.cpp:2148 #10 0x080a4aaf in js::types::AutoEnterTypeInference::~AutoEnterTypeInference (this=0xffffc4c0, __in_chrg=<optimized out>) at ../jsinferinlines.h:235 #11 0x08123130 in js::types::TypeMonitorResult (cx=0x86dbe08, script=0xf7306258, pc=0x86e4dbc "5", rval=...) at /home/h4writer/Build/ionmonkey/js/src/jsinfer.cpp:5160 #12 0x08152ef5 in js::types::TypeScript::Monitor (cx=0x86dbe08, script=0xf7306258, pc=0x86e4dbc "5", rval=...) at ../jsinferinlines.h:575 #13 0x0845cefe in js::ion::InvalidationBailout (sp=0xffffc598, frameSizeOut=0xffffc594) at /home/h4writer/Build/ionmonkey/js/src/ion/Bailouts.cpp:451
I could reduce this .js file even more. The crash signature is now switching between the backtrace listed here and the one in bug #731820. (Under gdb it is only possible to get the backtrace listed in this file) configure: debug enabled, 32bit args: "--ion -n -m" revision: 89040:7d6da2d65595
Doesn't fail on tip anymore. As testcase is very similar to bug #731820, I assume it was fixed on the same revision. That's also the reason I'm not adding this testcase. If somebody thinks differently, let me know and I'll add the testcase.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: