Closed Bug 857580 Opened 12 years ago Closed 12 years ago

BaselineCompiler: Assertion failure: ICStub::CanMakeCalls(stub->kind()), at ion/IonFrames.cpp:702 with Debugger

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla23

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update,origRev=475dc5f51bdb])

Crash Data

Attachments

(1 file)

Patch
5.99 KB, patch
djvj
: review+
Details | Diff | Splinter Review
The following testcase asserts on baseline compiler branch revision 5fd27c1b3943 (run with --ion-eager): gczeal(2); var g = newGlobal('new-compartment'); var dbg = new Debugger(g); dbg.onNewScript = function(script) { fscript = script.getChildScripts()[0]; } g.eval("function f(x) { arguments[0] = 3; return x }"); fscript.setBreakpoint(0, {hit:function(frame) { assertEq(frame.eval('x').return, 1); return {return:42}; }}); assertEq(g.f(1), 42);
Attached patch PatchSplinter Review
Debug-mode only. The breakpoint trampoline reuses the stub frame machinery, but could store a bogus ICStub pointer in the stub frame. The patch just stores a NULL stub pointer. (The trampoline code is stored in IonRuntime so is never GC'ed).
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #733245 - Flags: review?(kvijayan)
Switching this bug to trunk now :)
Crash Signature: [@ js::ion::IonCode::trace]
Keywords: crash
Whiteboard: [jsbugmon:update] → [jsbugmon:update,origRev=475dc5f51bdb]
Version: Other Branch → Trunk
Comment on attachment 733245 [details] [diff] [review] Patch Review of attachment 733245 [details] [diff] [review]: ----------------------------------------------------------------- Nice catch.
Attachment #733245 - Flags: review?(kvijayan) → review+
https://hg.mozilla.org/mozilla-central/rev/97d4b08ee4af
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: