Closed
Bug 752379
Opened 13 years ago
Closed 13 years ago
Assertion failure: regs.fp()->prev() == regs_->fp(), at js/src/vm/Stack.cpp:339 or Crash [@ CrashIfInvalidSlot]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla15
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [js:p1:fx15])
Crash Data
Attachments
(1 file)
|
2.19 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following test crashes on mozilla-central revision 032d43b1770f (options -m -n -a):
var lfcode = new Array();
lfcode.push("");
lfcode.push("test();");
while (true) {
var file = lfcode.shift(); if (file == undefined) { break; }
loadFile(file);
}
function loadFile(lfVarx) {
evaluate(lfVarx);
}
The test is very similar to bug 728191 (same assertion, but doesn't reproduce anymore), so it's likely the same underlying issue.
|
||
Comment 1•13 years ago
|
||
ContextStack::pushExecuteFrame is sampling 'fp' before ensureOnTop flushes inlined frames which means that it doesn't get the most recent 'fp'.
Attachment #621625 -
Flags: review?(bhackett1024)
|
|
||
Updated•13 years ago
|
Whiteboard: js-triage-needed → js-triage-done
|
|
||
Updated•13 years ago
|
Whiteboard: js-triage-done → [js:p1:fx15]
|
|
||
Updated•13 years ago
|
Whiteboard: [js:p1:fx15] → [js:p1:fx15][js:ni]
|
||
Updated•13 years ago
|
Attachment #621625 -
Flags: review?(bhackett1024) → review+
|
|
||
Comment 2•13 years ago
|
||
Target Milestone: --- → mozilla15
|
|
||
Comment 3•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
|
||
Updated•13 years ago
|
Whiteboard: [js:p1:fx15][js:ni] → [js:p1:fx15]
|
Reporter | |
Comment 5•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug752379.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•