Closed
Bug 749048
Opened 12 years ago
Closed 12 years ago
IonMonkey: CloseLiveIterator read a wrong slot: Assertion failure: isObject(), at ./jsapi.h:507
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: nbp, Assigned: nbp)
References
Details
Attachments
(1 file)
2.45 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
The following test case fails ./js --ion-eager ./jit-test/tests/for-of/throw.js with Assertion failure: isObject(), at ./jsapi.h:507 The problem is that stackDepth is inverted with stackSlot. This test case implies use a throw and iterators.
Assignee | ||
Comment 1•12 years ago
|
||
My first assumption about the inverted order appeared to be wrong when looking at another test failure. I got the it working by looking at the interpreter, which is doing "fp()->base() + tn->stackDepth" which can be translated to "args + nfixed + stackDepth" and "-1" to know the number which have to be skipped before reading. I added a case which check for the creation of the iterator because the slot may not exists yet in the snapshot or may not be readable yet, such as the case where the failure happens during the VM call to GetIteratorObject (CallIteratorStart) in which case the output register is not yet available, and should not be read out of the snapshot because the function reported a failure.
Attachment #618874 -
Flags: review?(dvander)
Assignee | ||
Comment 2•12 years ago
|
||
Comment on attachment 618874 [details] [diff] [review] Fix iterator index in snapshots. Review of attachment 618874 [details] [diff] [review]: ----------------------------------------------------------------- Fixed locally. (wish we had some-kind of pull requests …) ::: js/src/ion/IonFrames.cpp @@ +277,2 @@ > // Skip stack slots until we reach the iterator object. > + uint32 base = CountArgSlots(frame.maybeCallee()) + script->nfixed; script ---> frame.script()
Comment on attachment 618874 [details] [diff] [review] Fix iterator index in snapshots. Review of attachment 618874 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/IonFrames.cpp @@ +277,4 @@ > // Skip stack slots until we reach the iterator object. > + uint32 base = CountArgSlots(frame.maybeCallee()) + script->nfixed; > + uint32 skipSlots = base + localSlot - 1; > + JS_ASSERT(skipSlots + 1 < si.slots()); This assert isn't needed since si.skip() will assert if it reads out-of-bounds. @@ +302,5 @@ > JSTryNote *tn = script->trynotes()->vector; > JSTryNote *tnEnd = tn + script->trynotes()->length; > > for (; tn != tnEnd; ++tn) { > + if (uint32(pc - script->code) < tn->start) Nit: extraneous space after <
Attachment #618874 -
Flags: review?(dvander) → review+
Assignee | ||
Comment 4•12 years ago
|
||
https://hg.mozilla.org/projects/ionmonkey/rev/5fcc03122569
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•