Closed
Bug 987442
Opened 11 years ago
Closed 11 years ago
Assertion failure: frame->left == 0, at vm/SPSProfiler.h:402
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla31
| Tracking | Status | |
|---|---|---|
| firefox31 | --- | affected |
People
(Reporter: decoder, Assigned: djvj)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
The following testcase asserts on mozilla-central revision fa098f9fe89c (run with --fuzzing-safe --ion-eager --ion-compile-try-catch):
loadFile("for(var i = (0); i < 100; enableSPSProfilingAssertions(false), f0++) {}");
loadFile("");
function loadFile(lfVarx) {
try {
function newFunc(x) { new Function(x)(); }; newFunc(lfVarx);
} catch (lfVare) {}
}
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Updated•11 years ago
|
status-firefox31:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
|
||
Comment 2•11 years ago
|
||
=== Tinderbox Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20140318150004" and the hash "c0e333b0f7dc".
The "bad" changeset has the timestamp "20140318151801" and the hash "023f5ed842c8".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c0e333b0f7dc&tochange=023f5ed842c8
Kannan, bug 948229 might be the culprit, is it a likely regressor?
Flags: needinfo?(kvijayan)
Keywords: regression
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 3•11 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/c8275c5686d5
user: Kannan Vijayan
date: Tue Mar 18 18:07:17 2014 -0400
summary: Bug 948229 - Stop ion from pushing pseudostack entries by default for inline frames. r=h4writer
This iteration took 424.545 seconds to run.
|
Assignee | |
Comment 4•11 years ago
|
||
I can't reproduce this locally on the given revision (building for x86-32 debug on linux), but I suspect there's a simple fix. Can you test the patch I'm about to attach?
Flags: needinfo?(kvijayan)
|
|
Assignee | |
Comment 5•11 years ago
|
||
Attempted fix. Decoder can you try this?
Attachment #8396532 -
Flags: feedback?(choller)
|
|
||
Comment 6•11 years ago
|
||
Comment on attachment 8396532 [details] [diff] [review]
test-fix-bug-987442.patch
enableSPSProfilingAssertions(false)
function f() {
g()
}
function g() {
return (function(x) {
if (x) {
return
}
throw []
})()
}
try {
f()
} catch (e) {}
f()
Assertion failure: frame->left == 0, at vm/SPSProfiler.h
Kannan, here's a testcase (causing the same assert) that I'm fairly sure you can use to reproduce on Mac 64-bit with --ion-eager --ion-parallel-compile=off, and thus can perhaps land as a testcase.
And I've tested that this patch does fix the issue.
Attachment #8396532 -
Flags: feedback+
|
|
Assignee | |
Comment 7•11 years ago
|
||
Comment on attachment 8396532 [details] [diff] [review]
test-fix-bug-987442.patch
We "reset" the compile-time frame tracking when generating OOL code. When doing this, I was forgetting to make sure that the "next" empty entry that would be used when the OOL code was left (to enter a call for example), was not properly cleared.
Attachment #8396532 -
Flags: review?(sstangl)
|
||
Updated•11 years ago
|
Attachment #8396532 -
Flags: review?(sstangl) → review+
|
|
Assignee | |
Comment 8•11 years ago
|
||
|
|
Reporter | |
Comment 9•11 years ago
|
||
Comment on attachment 8396532 [details] [diff] [review]
test-fix-bug-987442.patch
Canceling feedback since gkw already tested this. Thanks!
Attachment #8396532 -
Flags: feedback?(choller)
|
||
Comment 10•11 years ago
|
||
Assignee: nobody → kvijayan
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
You need to log in
before you can comment on or make changes to this bug.
Description
•