Assertion failure: index >= size_t(pcstack.depth()), at jsopcode.cpp

RESOLVED FIXED in mozilla24

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: gkw, Assigned: jandem)

Tracking

(Blocks: 3 bugs, {assertion, regression, testcase})

Trunk
mozilla24
x86_64
Mac OS X
assertion, regression, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 760568 [details]
stack

for (var n = 0; n < 9;
({
    __proto__: z,
    set c(a) {}
}), ++n) {
    z = Proxy.create({}, (function(){}))
}

asserts js debug shell on m-c changeset 9115d8b717e1 with --baseline-eager --no-ion at Assertion failure: index >= size_t(pcstack.depth()), at jsopcode.cpp
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/005c4f452f1e
user:        Jan de Mooij
date:        Thu May 30 18:51:03 2013 +0200
summary:     Bug 876670 - Refactor object literal getter/setter bytecode and implement it in the baseline compiler. r=bhackett

This iteration took 333.675 seconds to run.
(Reporter)

Updated

5 years ago
Blocks: 876670
Flags: needinfo?(jdemooij)
(Assignee)

Comment 2

5 years ago
Created attachment 761347 [details] [diff] [review]
Patch

Bleh, INITPROP_GETTER/SETTER and INITELEM_* have to leave the values on the stack for the decompiler.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #761347 - Flags: review?(bhackett1024)
Flags: needinfo?(jdemooij)
Attachment #761347 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/f9e6eb0d5239
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
http://www.jetsetter.com/?globalnav_referrer=women shows this assert on Windows, Linux aurora. mozregression shows nightly was fixed in the time frame this landed on m-c.

crashed opt about 5-10% of the time with bad dumps.

bp-5b8976c4-9125-47db-a80e-0cbe72130719
bp-cb2c513d-9105-4feb-abaf-cec7f2130719

Is this really fixed on aurora?
Blocks: 532972
(Reporter)

Comment 6

5 years ago
> Is this really fixed on aurora?

Supposedly, yes:

http://hg.mozilla.org/releases/mozilla-aurora/rev/f9e6eb0d5239 shows the patch in comment 4 landed on aurora. Perhaps you're seeing a different bug?
Created attachment 778787 [details]
jetsetter stack

I saw that. The stack is 'similar' and definitely doesn't involve proxy... A saved version of the page doesn't reproduce unfortunately, so reducing it will be problematic.