Bug 732853 (Closed)
Opened 12 years ago; closed 12 years ago
IonMonkey: Assertion failure: spoff == js_ReconstructStackDepth(cx_, fp_->script(), pc_), at vm/Stack.cpp:1213
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: decoder, Assigned: nbp
Keywords: assertion, testcase
Attachments (2 files):
1.25 KB, patch, dvander: review+
4.40 KB, patch, dvander: review+
The following testcase asserts on ionmonkey revision 1fd6c40d3852 (run with --ion -n -m --ion-eager):

var appendToActual = function(s) { actual += s + ','; }
actual = '';
function test() {
  var arr = [0, 0, 0, 0, 1];
  for (var i = 0; i < arr.length; i++)
    arr[i] = new (function ( ) function length(i, arr, i) {} )("f", arr[i]);
  appendToActual(arr);
}
Function.prototype.toString = function () f(this, true);
function f() { f.caller.p }
test();
Updated 12 years ago (assignee):
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED

Comment 1, 12 years ago (assignee):
This bug has 2 sources of errors: 1/ f.caller is null when called under ionmonkey. 2/ The overflow of arguments is not restored, which causes a problem while iterating the stackFrames when it produces the exception raised by the first error.
Comment 2, 12 years ago (assignee):
Fix the second problem first as it would be masked by the fix of the first error.
Attachment #607643 - Flags: review?(dvander)
Comment 3, 12 years ago (assignee):
Attachment #607809 - Flags: review?(dvander)
Comment 4 (David Anderson [:dvander]):

Comment on attachment 607643 [details] [diff] [review]
Fix recovery of actual args.

Review of attachment 607643 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/Bailouts.cpp @@ +265,5 @@ > const Value &calleeVal = regs.sp[-callerArgc - 2]; > > JSFunction *fun = calleeVal.toObject().toFunction(); > JSScript *script = fun->script(); > + CallArgs inlineArgs = CallArgsFromSp(callerArgc, regs.sp);

Okay, this will work for inline frames, I think we're still hosed for non-inline frames but we can worry about that later.

(Fun fact, I verified this patch by looking at the old jstracer.cpp bailout code)
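Review bot: the added `+ CallArgs inlineArgs = CallArgsFromSp(callerArgc, regs.sp);` line restores the actuals for inlined frames only, as the review itself notes, and nothing in the visible context guards or documents the non-inline (first) frame case; the line should carry a comment stating that it assumes an inlined callee whose actuals sit directly below `regs.sp` (the same layout the `regs.sp[-callerArgc - 2]` callee lookup two lines above relies on), and the unhandled first-frame case should be tracked by a test or follow-up bug rather than left implicit in the review thread.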
Attachment #607643 - Flags: review?(dvander) → review+
Comment 5, 12 years ago (assignee):
(In reply to David Anderson [:dvander] from comment #4)
> ::: js/src/ion/Bailouts.cpp > @@ +265,5 @@ > > const Value &calleeVal = regs.sp[-callerArgc - 2]; > > > > JSFunction *fun = calleeVal.toObject().toFunction(); > > JSScript *script = fun->script(); > > + CallArgs inlineArgs = CallArgsFromSp(callerArgc, regs.sp);
> Okay, this will work for inline frames, I think we're still hosed for
> non-inline frames but we can worry about that later.

True, the first frame case is not handled with the same mechanism, but I will try to get a test case before fixing it.
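To make the discussion above concrete, here is an added model, written for this page and not code from SpiderMonkey or from this bug: a toy JS value stack in C with a CallArgsFromSp-style accessor using the layout the reviewed hunk relies on (callee at sp[-argc - 2], this at sp[-argc - 1], actuals at sp[-argc] .. sp[-1]), and a depth-consistency check modelled on the assertion in the bug title. It replays the testcase's f(this, true) call, where f declares no formals and receives two actuals, so the two overflow actuals are exactly what comment 1 says was not being restored. All names (call_args_from_sp, push_call, reconstruct_sp, depth_consistent, run_model), the Value tag set and the simplified frame layout are assumptions of this model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A toy tagged JS value. Constructed for this model, not SpiderMonkey's jsval. */
typedef enum { T_UNDEFINED, T_BOOLEAN, T_OBJECT, T_FUNCTION } Tag;
typedef struct { Tag tag; int payload; } Value;

/* Same shape as a CallArgs view: callee, this, then argc actuals. */
typedef struct {
    const Value *callee;   /* sp[-argc - 2] */
    const Value *thisv;    /* sp[-argc - 1] */
    const Value *argv;     /* sp[-argc] .. sp[-1] */
    size_t argc;
} CallArgs;

/* Model of CallArgsFromSp: derive the argument window from argc and the
   stack pointer alone, as the reviewed hunk does for inlined frames. */
static CallArgs call_args_from_sp(size_t argc, const Value *sp) {
    CallArgs a = { sp - argc - 2, sp - argc - 1, sp - argc, argc };
    return a;
}

/* Push callee, this and the actuals the way an interpreter does before a
   call; returns the new stack pointer. */
static Value *push_call(Value *sp, int fn_id, Value thisv,
                        const Value *args, size_t argc) {
    Value callee = { T_FUNCTION, fn_id };
    *sp++ = callee;
    *sp++ = thisv;
    memcpy(sp, args, argc * sizeof *args);
    return sp + argc;
}

/* Rebuild a frame from bailout data. restore_overflow selects between the
   defect comment 1 describes (only the declared formals are restored) and
   the fixed behaviour (all argc actuals restored). Returns the stack pointer
   the reconstructed frame claims. */
static const Value *reconstruct_sp(const Value *frame_base, size_t argc,
                                   size_t nformals, int restore_overflow) {
    size_t restored = (restore_overflow || argc <= nformals) ? argc : nformals;
    return frame_base + 2 + restored;
}

/* The check behind the title's assertion, in miniature: the depth a stack
   walker recomputes from the recovered frame must equal the depth that was
   actually pushed. Returns 1 when they agree, 0 when they do not. */
static int depth_consistent(const Value *frame_base, size_t argc,
                            size_t nformals, int restore_overflow) {
    const Value *real_sp = frame_base + 2 + argc;
    return reconstruct_sp(frame_base, argc, nformals, restore_overflow) == real_sp;
}

/* Replays the testcase's f(this, true): f declares 0 formals, gets 2 actuals.
   Reports the callee id and argc recovered through the CallArgs view, and
   returns the depth check result for the chosen recovery behaviour. */
static int run_model(int restore_overflow, int *callee_id_out, size_t *argc_out) {
    Value stack[16];
    Value thisv = { T_OBJECT, 1 };                       /* constructed `this` */
    Value args[2] = { { T_OBJECT, 1 }, { T_BOOLEAN, 1 } }; /* (this, true) */
    Value *sp = push_call(stack, 42, thisv, args, 2);    /* 42: constructed id for f */
    CallArgs a = call_args_from_sp(2, sp);
    *callee_id_out = a.callee->payload;
    *argc_out = a.argc;
    return depth_consistent(stack, 2, 0, restore_overflow);
}

int main(void) {
    int id;
    size_t argc;
    printf("formals only restored: consistent=%d\n", run_model(0, &id, &argc));
    printf("all actuals restored:  consistent=%d (callee %d, argc %zu)\n",
           run_model(1, &id, &argc), id, argc);
    return 0;
}
```

With only the formals restored, the recovered frame claims a stack two slots shallower than what was really pushed, which is the shape of mismatch the spoff == js_ReconstructStackDepth assertion catches; restoring every actual from argc and sp makes the two depths agree.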
Comment 6 (dvander):

Comment on attachment 607809 [details] [diff] [review]
[2/2] Update fun_getProperty to use StackIter.

Review of attachment 607809 [details] [diff] [review]:
-----------------------------------------------------------------

Nice.
Attachment #607809 - Flags: review?(dvander) → review+
Comment 7, 12 years ago (assignee):
part 1: https://hg.mozilla.org/projects/ionmonkey/rev/c65c9f9dfe70
part 2 is still failing some JM tests.
Comment 8, 12 years ago (assignee):
part 2: https://hg.mozilla.org/projects/ionmonkey/rev/2386dfe53a85
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED