Closed Bug 852174 Opened 8 years ago Closed 8 years ago

IonMonkey: Assertion failure: JSOp(*regs.pc) == JSOP_CALL || JSOp(*regs.pc) == JSOP_NEW || JSOp(*regs.pc) == JSOP_FUNAPPLY, at ion/Bailouts.cpp:196

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla22

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision b03bb3ce8cee (run with --ion-eager):


function eval()
  isPrototypeOf[Iterator.length] 
function DoWhile_3()
  eval();
DoWhile_3();
function f()
  DoWhile_3(f - 0);
for (var i in f());
Blocks: IonFuzz
Summary: Assertion failure: JSOp(*regs.pc) == JSOP_CALL || JSOp(*regs.pc) == JSOP_NEW || JSOp(*regs.pc) == JSOP_FUNAPPLY, at ion/Bailouts.cpp:196 → IonMonkey: Assertion failure: JSOp(*regs.pc) == JSOP_CALL || JSOp(*regs.pc) == JSOP_NEW || JSOp(*regs.pc) == JSOP_FUNAPPLY, at ion/Bailouts.cpp:196
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   122539:dc30947a2d26
user:        Brian Hackett
date:        Thu Feb 21 05:38:44 2013 -0700
summary:     Bug 842305 - Watch for null payloads flowing into Ion, r=jandem.

This iteration took 2.058 seconds to run.
Needinfo on Brian based on comment 1.
Flags: needinfo?(bhackett1024)
This sound like an assertion issue, since Ion was not originally supposed to use eval at all.
Attached patch patchSplinter Review
Yeah, this is a bogus assert.  Ion treats eval(...) as a normal call if it is not actually invoking the builtin eval, which these asserts weren't expecting.
Assignee: general → bhackett1024
Attachment #726648 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Attachment #726648 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/85eca178a678
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
You need to log in before you can comment on or make changes to this bug.