Closed Bug 857580 Opened 11 years ago Closed 11 years ago

BaselineCompiler: Assertion failure: ICStub::CanMakeCalls(stub->kind()), at ion/IonFrames.cpp:702 with Debugger

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla23

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update,origRev=475dc5f51bdb])

Crash Data

Attachments

(1 file)

Patch
5.99 KB, patch
djvj
: review+
Details | Diff | Splinter Review 
The following testcase asserts on baseline compiler branch revision 5fd27c1b3943 (run with --ion-eager):


gczeal(2);
var g = newGlobal('new-compartment');
var dbg = new Debugger(g);
dbg.onNewScript = function(script) {
  fscript = script.getChildScripts()[0];
}
g.eval("function f(x) { arguments[0] = 3; return x }");
fscript.setBreakpoint(0, {hit:function(frame) {
  assertEq(frame.eval('x').return, 1);
  return {return:42};
}});
assertEq(g.f(1), 42);
Attached patch PatchSplinter Review 
Debug-mode only. The breakpoint trampoline reuses the stub frame machinery, but could store a bogus ICStub pointer in the stub frame. The patch just stores a NULL stub pointer. (The trampoline code is stored in IonRuntime so is never GC'ed).
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #733245 - Flags: review?(kvijayan)
Switching this bug to trunk now :)
Crash Signature: [@ js::ion::IonCode::trace]
Keywords: crash
Whiteboard: [jsbugmon:update] → [jsbugmon:update,origRev=475dc5f51bdb]
Version: Other Branch → Trunk
Comment on attachment 733245 [details] [diff] [review]
Patch

Review of attachment 733245 [details] [diff] [review]:
-----------------------------------------------------------------

Nice catch.
Attachment #733245 - Flags: review?(kvijayan) → review+
https://hg.mozilla.org/mozilla-central/rev/97d4b08ee4af
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: