As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact
Last Comment Bug 732858 - IonMonkey: Assertion failure: pc == target, at jsopcode.cpp:6008
: IonMonkey: Assertion failure: pc == target, at jsopcode.cpp:6008
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Other Branch
: x86_64 Linux
: -- major (vote)
: mozilla13
Assigned To: Nicolas B. Pierron [:nbp]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz IonFuzz
  Show dependency treegraph
Reported: 2012-03-04 18:04 PST by Christian Holler (:decoder)
Modified: 2013-01-14 08:41 PST (History)
6 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Fix post inline-calls entry resume point call chain. (2.67 KB, patch)
2012-03-14 18:45 PDT, Nicolas B. Pierron [:nbp]
dvander: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2012-03-04 18:04:42 PST
The following testcase asserts on ionmonkey revision 1fd6c40d3852 (run with --ion -n -m --ion-eager):

var gTestcases = new Array;
var gTc = gTestcases;
function TestCase(n, d, e, a) {
TestCase.prototype.dump=function () + toPrinted(this.description) + toPrinted(this.reason) + '\n';
function toPrinted(value) DESCRIPTION = "var return = true";
function jsTestDriverEnd() {
  for (var i = 0; i < gTestcases.length; i++)
var SECTION = "dowhile-007";
new TestCase( SECTION, "''.match(new RegExp('.+'))", [], '');
Comment 1 User image Nicolas B. Pierron [:nbp] 2012-03-14 18:45:33 PDT
Created attachment 606057 [details] [diff] [review]
Fix post inline-calls entry resume point call chain.

The assertion reported here is called from RestoreOneFrame which verify if the number of pushed made on the interpreter stack is correct.  The frame used to restore was not corresponding to the topmost frame of the snapshot.  This bug can also be found with the assertion:

exprStackSlots == js_ReconstructStackDepth(cx, fp->script(), regs.pc)

The bug is coming from a bad entry resume point after the inlining.  It did not show up before because we disabled the inlining of more than one level.  Now we enabled the inlining of 2 functions, but the caller chain of the entry resume point (of the basic block following the inlined-call) was not updated.  This caused the snapshot to only map the inlined-frame but not the caller-frame.

This patch add the line to update the call chain of the entry resume point which fix the snapshot, and thus the restoreOneFrame data.

In addition it provides some extra debug information for resume point., which highlighted the bug because the frame count was not matching the script pointer:

Current resume point 0xcf9240 details: // before inlining
    frame count: 1                                     <==
    taken at block 4 entry
    pc: 0xcf7f8a (script: 0x7ffff0a073d0, offset: 26)  <==
    slot0: phi36
Current resume point 0xcf98e0 details: // first inline
    frame count: 2                                     <==
    taken at block 5 entry
    pc: 0xcf47e8 (script: 0x7ffff0a072e0, offset: 0)   <==
    slot0: constant0-vn1
    slot1: constant0-vn1
Current resume point 0xcf9ea0 details: // second inline
    frame count: 3
    taken at block 6 entry
    pc: 0xcf4670 (script: 0x7ffff0a071f0, offset: 0)
    slot0: constant0-vn1
    slot1: constant0-vn1
Current resume point 0xcfa650 details: // resume first inline
    frame count: 1                                     <==
    taken at block 7 entry
    pc: 0xcf47f2 (script: 0x7ffff0a072e0, offset: 10)  <==
    slot0: constant0-vn1
    slot1: constant0-vn1
    slot2: constant0-vn29
Comment 3 User image Christian Holler (:decoder) 2013-01-14 08:41:10 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug732858.js.

Note You need to log in before you can comment on or make changes to this bug.