Closed Bug 203402 Opened 22 years ago Closed 22 years ago

java.lang.VerifyError: stack size too large error when compiling JavaScript containing embedded ternary operator

Categories

(Rhino Graveyard :: Compiler, defect)

Product:
Rhino Graveyard
Component:
Compiler
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: briang, Assigned: norrisboyd)

Details

Attachments

(1 file)

Fix for Codege: do not pass trueLabel, falseLabel to recursive generateCodeFromNode from ADD node
938 bytes, patch
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20021216 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20021216 The resultant class generated from the Rhino bytecode generator for the following JavaScript causes the JVM to throw a VerifyError. function testit() { a = "a" + (1==0) ? "b" : "c"; } The exception is: [java.lang.VerifyError: (class: org/mozilla/javascript/gen/c156, method: call signature: (Lorg/mozilla/javascript/Context;Lorg/mozilla/javascript/Scriptable;Lorg/mozilla/javascript/Scriptable;[Ljava/lang/Object;)Ljava/lang/Object;) Stack size too large] Reproducible: Always Steps to Reproduce: 1. Use the following Java source: import org.mozilla.javascript.*; import java.io.StringReader; public class RhinoTest { public static void failingCase() { Context context = Context.enter(); ImporterTopLevel global = new ImporterTopLevel(context); StringReader reader = new StringReader("function testit(){ a = \"a\" + (1==0) ? \"b\" : \"c\"; }"); try { Script script = context.compileReader(null, reader, "Example 1", 1, null); script.exec(context, global); } catch (Exception e) { e.printStackTrace(System.err); } context.exit(); } public static void main(String[] args) { failingCase(); } } Actual Results: Exception in thread "main" java.lang.VerifyError: (class: org/mozilla/javascript /gen/c1, method: call signature: (Lorg/mozilla/javascript/Context;Lorg/mozilla/j avascript/Scriptable;Lorg/mozilla/javascript/Scriptable;[Ljava/lang/Object;)Ljav a/lang/Object;) Stack size too large at org.mozilla.javascript.gen.c2.call(Example 1) at org.mozilla.javascript.gen.c2.exec(Example 1) at RhinoTest.failingCase(RhinoTest.java:14) at RhinoTest.main(RhinoTest.java:25) Expected Results: Shouldn't have gotten a JVM class verification error It looks like the placement of the ternary operator is important. The following example does not have a problem: function testit() { a =(1==0) ? "b" : "c" + "a"; }
cc'ing Igor -
A simpler test case would be one line script: "" + (1==0) ? "" : ""; which execution in Rhino shell gives: Exception in thread "main" java.lang.IllegalStateException: Stack underflow: -1 at org.mozilla.classfile.ClassFileWriter.badStack(ClassFileWriter.java:1154) at org.mozilla.classfile.ClassFileWriter.add(ClassFileWriter.java:401) at org.mozilla.javascript.optimizer.Codegen.addByteCode(Codegen.java:3569) at org.mozilla.javascript.optimizer.Codegen.visitGOTO(Codegen.java:1575) at org.mozilla.javascript.optimizer.Codegen.generateCodeFromNode(Codegen
Status: NEW → ASSIGNED
I committed the fix
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Testcase added to JS testsuite: mozilla/js/tests/js1_5/Regress/regress-203402.js
Verified FIXED. Before the patch, the testcase passed in interpreted mode (-opt -1) but crashed in any optimized mode (e.g -opt 0, -opt 1, -opt 9): *-* Testcase js1_5/Regress/regress-203402.js failed: Expected exit code 0, got 1 Testcase terminated with signal 0 Complete testcase output was: java.lang.AbstractMethodError org.mozilla.javascript.ScriptableObject.getBase(ScriptableObject.java:1583) org.mozilla.javascript.ScriptableObject.putProperty(ScriptableObject.java:1473) org.mozilla.javascript.ScriptRuntime.setName(ScriptRuntime.java:1137) org.mozilla.javascript.gen.c14.call(D:\JS_trunk\mozilla\js\tests\js1_5\Regress\regress-203402.js:57) org.mozilla.javascript.gen.c14.exec(D:\JS_trunk\mozilla\js\tests\js1_5\Regress\regress-203402.js) org.mozilla.javascript.Context.evaluateReader(Context.java:806) org.mozilla.javascript.tools.shell.Main.evaluateReader(Main.java:363) org.mozilla.javascript.tools.shell.Main.processFileSecure(Main.java:354) org.mozilla.javascript.tools.shell.Main.processFile(Main.java:291) org.mozilla.javascript.tools.shell.Main.processSource(Main.java:283) org.mozilla.javascript.tools.shell.Main.exec(Main.java:103) org.mozilla.javascript.tools.shell.Main.main(Main.java:76) Exception in thread "main" After the patch, the testcase passes in every mode -
Status: RESOLVED → VERIFIED
Targeting as resolved against 1.5R5
Target Milestone: --- → 1.5R5
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: