Closed
Bug 588362
Opened 14 years ago
Closed 14 years ago
JM: "Assertion failure: stack().contains(fp) && fp->isGenerator(),"
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: dvander)
Details
(Keywords: assertion, regression, testcase)
Attachments
(1 file)
(deleted),
patch
for (a = 0; a < 5; a++) {
    (function e() {
        yield eval()
    }())
}
asserts js debug shell on JM changeset 43e1eedfc1cc with -m and -j at Assertion failure: stack().contains(fp) && fp->isGenerator(), at ../jscntxt.cpp:2078
Program received signal SIGABRT, Aborted.
0xf7fdf430 in __kernel_vsyscall ()
(gdb) bt
#0 0xf7fdf430 in __kernel_vsyscall ()
#1 0xf7fb7610 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2 0x0817b609 in JS_Assert (s=0x82babe8 "stack().contains(fp) && fp->isGenerator()", file=0x82b842d "../jscntxt.cpp", ln=2078) at ../jsutil.cpp:83
#3 0x08090925 in JSContext::generatorFor (this=0x8388b98, fp=0xf77ac110) at ../jscntxt.cpp:2078
#4 0x08297236 in js::Interpret (cx=0x8388b98, entryFrame=0xf77ac110, inlineCallCount=0) at ../jsinterp.cpp:6838
#5 0x0825757f in PartialInterpret (f=...) at ../methodjit/InvokeHelpers.cpp:741
#6 0x0825768f in RemoveExcessFrames (f=..., entryFrame=0xf77ac0a8) at ../methodjit/InvokeHelpers.cpp:781
#7 0x08257ade in RunTracer (f=..., mic=...) at ../methodjit/InvokeHelpers.cpp:906
#8 0x08257d9c in js::mjit::stubs::InvokeTracer (f=..., index=3) at ../methodjit/InvokeHelpers.cpp:966
#9 0xf76a433c in ?? ()
#10 0x0820e5d5 in js::mjit::JaegerShot (cx=0x8388b98) at ../methodjit/MethodJIT.cpp:664
#11 0x080de2f1 in js::RunScript (cx=0x8388b98, script=0x838e6c8, fun=0x0, scopeChain=0xf7502000) at ../jsinterp.cpp:465
#12 0x080df22a in js::Execute (cx=0x8388b98, chain=0xf7502000, script=0x838e6c8, down=0x0, flags=0, result=0xffffd200) at ../jsinterp.cpp:951
#13 0x08070a58 in JS_ExecuteScript (cx=0x8388b98, obj=0xf7502000, script=0x838e6c8, rval=0xffffd200) at ../jsapi.cpp:4754
#14 0x0804c34a in Process (cx=0x8388b98, obj=0xf7502000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:534
#15 0x0804ced9 in ProcessArgs (cx=0x8388b98, obj=0xf7502000, argv=0xffffd408, argc=2) at ../../shell/js.cpp:861
#16 0x08055aae in shell (cx=0x8388b98, argc=2, argv=0xffffd408, envp=0xffffd414) at ../../shell/js.cpp:5133
#17 0x08055bca in main (argc=2, argv=0xffffd408, envp=0xffffd414) at ../../shell/js.cpp:5229
Assignee
Comment 1•14 years ago
The problem is that we don't recognize GENERATOR as a return op, and either way the PC is advanced beyond the GENERATOR. This patch adds a frame flag, but I believe the current way the tracer integration works to be sort of fragile. Tomorrow I'll get a better patch that makes js_Interpret guarantee a decent state for RunTracer().
Assignee: general → dvander
Status: NEW → ASSIGNED
Assignee
Comment 4•14 years ago
This was fixed with bug 593532, which guarantees that a "partial-interpret" will only leave under two conditions:
1. we reach a safe point where we can transition into the method JIT
2. the "exit" label is reached, either via an error or the last frame being popped
This bug occurred when a partial-interpret left at JSOP_GENERATOR, which is now impossible in both cases.
(1) because JSOP_GENERATOR is never a safe point (it does not JIT)
(2) because the only way to initiate a generator is through an inline call
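A toy model of the two leave conditions listed in comment 4, added here as an example; it is not code from this bug, its patch, or SpiderMonkey. The opcode names, `partialInterpret` and `replay` are hypothetical, and the assumption that the generator op pops its frame like a return is part of the model.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Toy model: every name here is hypothetical, none is SpiderMonkey's.
enum Op { OP_NOP, OP_SAFE, OP_CALL, OP_GENERATOR, OP_RETURN };
enum Leave { LEAVE_SAFE_POINT, LEAVE_EXIT };

struct Frame { size_t script; size_t pc; };
struct Outcome { Leave how; Op leftAt; size_t depth; };
typedef std::vector<std::vector<Op> > Program;

// Assumptions: OP_CALL enters the next script inline; OP_GENERATOR and
// OP_RETURN both pop the running frame; every script ends in OP_RETURN.
Outcome partialInterpret(const Program &prog, std::vector<Frame> stack) {
    Op last = OP_NOP;
    while (!stack.empty()) {
        Frame &fp = stack.back();
        Op op = prog[fp.script][fp.pc];
        if (op == OP_SAFE)                      // condition 1: safe point
            return Outcome{LEAVE_SAFE_POINT, op, stack.size()};
        last = op;
        fp.pc++;
        size_t callee = fp.script + 1;          // read before the vector may grow
        if (op == OP_CALL)
            stack.push_back(Frame{callee, 0});
        else if (op == OP_GENERATOR || op == OP_RETURN)
            stack.pop_back();                   // keep running in the caller
    }
    return Outcome{LEAVE_EXIT, last, 0};        // condition 2: last frame popped
}

// Shape of the reported testcase: a caller whose inline callee starts with
// OP_GENERATOR, resumed with both frames already on the stack.
Outcome replay(bool callerHasSafePoint) {
    Program prog = {{OP_CALL, callerHasSafePoint ? OP_SAFE : OP_NOP, OP_RETURN},
                    {OP_GENERATOR, OP_RETURN}};
    // Constructed stack: caller just past its OP_CALL, callee at OP_GENERATOR.
    std::vector<Frame> stack = {{0, 1}, {1, 0}};
    return partialInterpret(prog, stack);
}

int main() {
    Outcome a = replay(true), b = replay(false);
    std::printf("%d %d\n", a.leftAt != OP_GENERATOR, b.leftAt != OP_GENERATOR);
}
```

In both runs the generator frame is popped while its caller is still on the stack, so the run leaves either at the caller's safe point or when the caller itself returns, never at the generator op.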
Assignee
Comment 5•14 years ago
Comment 6•12 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug588362-1.js.
Flags: in-testsuite+