Closed
Bug 987442
Opened 7 years ago
Closed 7 years ago
Assertion failure: frame->left == 0, at vm/SPSProfiler.h:402
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla31
| Tracking | Status | |
|---|---|---|
| firefox31 | --- | affected |
People
(Reporter: decoder, Assigned: djvj)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
The following testcase asserts on mozilla-central revision fa098f9fe89c (run with --fuzzing-safe --ion-eager --ion-compile-try-catch):
loadFile("for(var i = (0); i < 100; enableSPSProfilingAssertions(false), f0++) {}");
loadFile("");
function loadFile(lfVarx) {
try {
function newFunc(x) { new Function(x)(); }; newFunc(lfVarx);
} catch (lfVare) {}
}
|
Reporter | |
Comment 1•7 years ago
|
||
|
|
Reporter | |
Updated•7 years ago
|
status-firefox31:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
=== Tinderbox Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20140318150004" and the hash "c0e333b0f7dc". The "bad" changeset has the timestamp "20140318151801" and the hash "023f5ed842c8". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c0e333b0f7dc&tochange=023f5ed842c8 Kannan, bug 948229 might be the culprit, is it a likely regressor?
Flags: needinfo?(kvijayan)
Keywords: regression
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 3•7 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/c8275c5686d5 user: Kannan Vijayan date: Tue Mar 18 18:07:17 2014 -0400 summary: Bug 948229 - Stop ion from pushing pseudostack entries by default for inline frames. r=h4writer This iteration took 424.545 seconds to run.
|
Assignee | |
Comment 4•7 years ago
|
||
I can't reproduce this locally on the given revision (building for x86-32 debug on linux), but I suspect there's a simple fix. Can you test the patch I'm about to attach?
Flags: needinfo?(kvijayan)
|
|
Assignee | |
Comment 5•7 years ago
|
||
Attempted fix. Decoder can you try this?
Attachment #8396532 -
Flags: feedback?(choller)
Comment on attachment 8396532 [details] [diff] [review] test-fix-bug-987442.patch enableSPSProfilingAssertions(false) function f() { g() } function g() { return (function(x) { if (x) { return } throw [] })() } try { f() } catch (e) {} f() Assertion failure: frame->left == 0, at vm/SPSProfiler.h Kannan, here's a testcase (causing the same assert) that I'm fairly sure you can use to reproduce on Mac 64-bit with --ion-eager --ion-parallel-compile=off, and thus can perhaps land as a testcase. And I've tested that this patch does fix the issue.
Attachment #8396532 -
Flags: feedback+
|
|
Assignee | |
Comment 7•7 years ago
|
||
Comment on attachment 8396532 [details] [diff] [review] test-fix-bug-987442.patch We "reset" the compile-time frame tracking when generating OOL code. When doing this, I was forgetting to make sure that the "next" empty entry that would be used when the OOL code was left (to enter a call for example), was not properly cleared.
Attachment #8396532 -
Flags: review?(sstangl)
|
||
Updated•7 years ago
|
Attachment #8396532 -
Flags: review?(sstangl) → review+
|
|
Assignee | |
Comment 8•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e2e511a35e67
|
|
Reporter | |
Comment 9•7 years ago
|
||
Comment on attachment 8396532 [details] [diff] [review] test-fix-bug-987442.patch Canceling feedback since gkw already tested this. Thanks!
Attachment #8396532 -
Flags: feedback?(choller)
|
||
Comment 10•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/e2e511a35e67
Assignee: nobody → kvijayan
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
You need to log in
before you can comment on or make changes to this bug.
Description
•