Closed Bug 881461 Opened 7 years ago Closed 7 years ago

Assertion failure: index >= size_t(pcstack.depth()), at jsopcode.cpp

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
macOS
defect
Not set
critical

RESOLVED FIXED
mozilla24

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 3 open bugs)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(3 files)

Attached file stack
for (var n = 0; n < 9;
({
    __proto__: z,
    set c(a) {}
}), ++n) {
    z = Proxy.create({}, (function(){}))
}

asserts js debug shell on m-c changeset 9115d8b717e1 with --baseline-eager --no-ion at Assertion failure: index >= size_t(pcstack.depth()), at jsopcode.cpp
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/005c4f452f1e
user:        Jan de Mooij
date:        Thu May 30 18:51:03 2013 +0200
summary:     Bug 876670 - Refactor object literal getter/setter bytecode and implement it in the baseline compiler. r=bhackett

This iteration took 333.675 seconds to run.
Blocks: 876670
Flags: needinfo?(jdemooij)
Attached patch Patch
Bleh, INITPROP_GETTER/SETTER and INITELEM_* have to leave the values on the stack for the decompiler.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #761347 - Flags: review?(bhackett1024)
Flags: needinfo?(jdemooij)
Attachment #761347 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/f9e6eb0d5239
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
http://www.jetsetter.com/?globalnav_referrer=women shows this assert on windows, linux aurora. mozregression shows nightly was fixed in the time frame this landed on m-c.

crashed opt about 5-10% of the time with bad dumps.

bp-5b8976c4-9125-47db-a80e-0cbe72130719
bp-cb2c513d-9105-4feb-abaf-cec7f2130719

Is this really fixed on aurora?
Blocks: 532972
> Is this really fixed on aurora?

Supposedly, yes:

http://hg.mozilla.org/releases/mozilla-aurora/rev/f9e6eb0d5239 shows the patch in comment 4 landed on aurora. Perhaps you're seeing a different bug?
Attached file jetsetter stack
I saw that. The stack is 'similar' and definitely doesn't involve proxy... A saved version of the page doesn't reproduce unfortunately, so reducing it will be problematic.