Closed Bug 857580 Opened 10 years ago Closed 10 years ago

BaselineCompiler: Assertion failure: ICStub::CanMakeCalls(stub->kind()), at ion/IonFrames.cpp:702 with Debugger

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
major

Tracking

RESOLVED FIXED
mozilla23

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update,origRev=475dc5f51bdb])

Attachments

(1 file)

The following testcase asserts on baseline compiler branch revision 5fd27c1b3943 (run with --ion-eager):


gczeal(2);
var g = newGlobal('new-compartment');
var dbg = new Debugger(g);
dbg.onNewScript = function(script) {
  fscript = script.getChildScripts()[0];
}
g.eval("function f(x) { arguments[0] = 3; return x }");
fscript.setBreakpoint(0, {hit:function(frame) {
  assertEq(frame.eval('x').return, 1);
  return {return:42};
}});
assertEq(g.f(1), 42);
Attached patch: Patch
Debug-mode only. The breakpoint trampoline reuses the stub frame machinery, but could store a bogus ICStub pointer in the stub frame. The patch just stores a NULL stub pointer. (The trampoline code is stored in IonRuntime so is never GC'ed).
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #733245 - Flags: review?(kvijayan)
Switching this bug to trunk now :)
Crash Signature: [@ js::ion::IonCode::trace]
Keywords: crash
Whiteboard: [jsbugmon:update] → [jsbugmon:update,origRev=475dc5f51bdb]
Version: Other Branch → Trunk
Comment on attachment 733245
Patch

Review of attachment 733245:
-----------------------------------------------------------------

Nice catch.
Attachment #733245 - Flags: review?(kvijayan) → review+
Duplicate of this bug: 858085
https://hg.mozilla.org/mozilla-central/rev/97d4b08ee4af
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Duplicate of this bug: 858549