The following testcase asserts on ionmonkey revision 1fd6c40d3852 (run with --ion -n -m --ion-eager): var gTestcases = new Array; var gTc = gTestcases; function TestCase(n, d, e, a) { gTestcases[gTc++]=this } TestCase.prototype.dump=function () + toPrinted(this.description) + toPrinted(this.reason) + '\n'; function toPrinted(value) DESCRIPTION = "var return = true"; function jsTestDriverEnd() { for (var i = 0; i < gTestcases.length; i++) gTestcases[i].dump() } var SECTION = "dowhile-007"; new TestCase( SECTION, "''.match(new RegExp('.+'))", [], ''); jsTestDriverEnd(); jsTestDriverEnd();

The assertion reported here is called from RestoreOneFrame which verify if the number of pushed made on the interpreter stack is correct. The frame used to restore was not corresponding to the topmost frame of the snapshot. This bug can also be found with the assertion: exprStackSlots == js_ReconstructStackDepth(cx, fp->script(), regs.pc) The bug is coming from a bad entry resume point after the inlining. It did not show up before because we disabled the inlining of more than one level. Now we enabled the inlining of 2 functions, but the caller chain of the entry resume point (of the basic block following the inlined-call) was not updated. This caused the snapshot to only map the inlined-frame but not the caller-frame. This patch add the line to update the call chain of the entry resume point which fix the snapshot, and thus the restoreOneFrame data. In addition it provides some extra debug information for resume point., which highlighted the bug because the frame count was not matching the script pointer: Current resume point 0xcf9240 details: // before inlining frame count: 1 <== taken at block 4 entry pc: 0xcf7f8a (script: 0x7ffff0a073d0, offset: 26) <== slot0: phi36 Current resume point 0xcf98e0 details: // first inline frame count: 2 <== taken at block 5 entry pc: 0xcf47e8 (script: 0x7ffff0a072e0, offset: 0) <== slot0: constant0-vn1 slot1: constant0-vn1 Current resume point 0xcf9ea0 details: // second inline frame count: 3 taken at block 6 entry pc: 0xcf4670 (script: 0x7ffff0a071f0, offset: 0) slot0: constant0-vn1 slot1: constant0-vn1 Current resume point 0xcfa650 details: // resume first inline frame count: 1 <== taken at block 7 entry pc: 0xcf47f2 (script: 0x7ffff0a072e0, offset: 10) <== slot0: constant0-vn1 slot1: constant0-vn1 slot2: constant0-vn29

A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug732858.js.