Closed
Bug 691598
Opened 13 years ago
Closed 13 years ago
IM: Assertion failure: sp_ >= fp_->base() && sp_ <= fp_->slots() + fp_->script()->nslots, at vm/Stack.cpp:1103
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 743071
People
(Reporter: decoder, Assigned: dvander)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
The following testcase asserts on ionmonkey revision acf3c1fb7c94 (run with --ion-eager), tested on 64 bit:
function g(a) {
a();
}
function f(y) {
g(('abc1'.unwatch(/.\d/)));
}
for (var i = 0; i < 5; ++i) {
f(i);
}
|
||
Comment 1•13 years ago
|
||
This is the StackIter bug -- error reporting doesn't yet know how to traverse Ion frames.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
|
Assignee | |
Comment 2•13 years ago
|
||
Treating this as a separate bug from on-stack invalidation.
Assignee: general → dvander
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
|
Reporter | |
Comment 3•13 years ago
|
||
This bug doesn't reproduce for me with the standard flag sets. Using --ion -m --ion-eager causes a crash though:
Program received signal SIGSEGV, Segmentation fault.
0x00000000004d8272 in js::types::TypeSet::baseFlags (this=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.h:375
375 TypeFlags baseFlags() const { return flags & TYPE_FLAG_BASE_MASK; }
Missing separate debuginfos, use: debuginfo-install libgcc-4.4.6-3.el6.x86_64 libstdc++-4.4.6-3.el6.x86_64
(gdb) bt 8
#0 0x00000000004d8272 in js::types::TypeSet::baseFlags (this=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.h:375
#1 0x00000000004e0278 in js::types::TypeSet::getSingleton (this=0x0, cx=0xd14d40, freeze=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:1835
#2 0x000000000078c9e1 in js::ion::IonBuilder::getSingleCallTarget (this=0x7fffffffcd00, argc=1, pc=0xd25029 ":") at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:132
#3 0x0000000000793cde in js::ion::IonBuilder::jsop_call (this=0x7fffffffcd00, argc=1, constructing=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:2610
#4 0x000000000078e677 in js::ion::IonBuilder::inspectOpcode (this=0x7fffffffcd00, op=JSOP_CALL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:744
#5 0x000000000078dc6a in js::ion::IonBuilder::traverseBytecode (this=0x7fffffffcd00) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:516
#6 0x000000000078d077 in js::ion::IonBuilder::build (this=0x7fffffffcd00) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:271
#7 0x000000000077520e in TestCompiler (builder=..., graph=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:638
(More stack frames follow...)
Dup of bug 743071?
|
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [jsbugmon:update]
|
|
||
Comment 4•13 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #3)
> Dup of bug 743071?
Yes.
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → DUPLICATE
|
|
Reporter | |
Comment 5•12 years ago
|
||
A testcase for this bug was already added in the original bug (bug 743071).
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•