Closed
Bug 495843
Opened 15 years ago
Closed 15 years ago
Crash [@ js_Interpret] or "Assertion failure: cg->stackDepth == stackDepth, at ../jsemit.cpp"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
People
(Reporter: gkw, Assigned: mrbkap)
References
Details
(5 keywords, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(1 file)
|
910 bytes,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
const x;[x]='';for(;[];){}
crashes TM opt without -j at js_Interpret and asserts TM dbg at Assertion failure: cg->stackDepth == stackDepth, at ../jsemit.cpp:3796
===
$ ./js-opt-tm-intelmac
js> const x;[x]='';for(;[];){}
warning: internal error compiling typein: stack underflow at pc 14
warning: internal error compiling typein: stack underflow at pc 15
warning: internal error compiling typein: stack underflow at pc 16
warning: internal error compiling typein: stack underflow at pc 19
warning: internal error compiling typein: stack underflow at pc 20
warning: internal error compiling typein: stack underflow at pc 23
warning: internal error compiling typein: stack underflow at pc 26
Bus error
$ ./js-dbg-tm-intelmac
js> const x;[x]='';for(;[];){}
Assertion failure: cg->stackDepth == stackDepth, at ../jsemit.cpp:3796
Trace/BPT trap
|
Reporter | |
Comment 1•15 years ago
|
||
autoBisect shows this is probably related to bug 493760 : The first bad revision is: changeset: 28520:241dad2cc2e3 user: Brendan Eich date: Tue May 19 18:40:55 2009 -0700 summary: Bug 493760: the real fix for problem left in wake of patch for bug 493466 (r=mrbkap).
|
||
Updated•15 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
|
|
Reporter | |
Comment 2•15 years ago
|
||
Another testcase:
"" + new Function("const x;(g)({4:x}=[])")
$ ./js-opt-tm-intelmac
js> "" + new Function("const x;(g)({4:x}=[])")
typein:1: warning: internal error compiling typein: stack underflow at pc 18
typein:1: warning: internal error compiling typein: stack underflow at pc 21
typein:1: warning: internal error compiling typein: stack underflow at pc 22
Segmentation fault
$ ./js-dbg-tm-intelmac
js> "" + new Function("const x;(g)({4:x}=[])")
Assertion failure: cg->stackDepth == stackDepth, at ../jsemit.cpp:3796
Trace/breakpoint trapOS: Mac OS X → All
Hardware: x86 → All
|
||
Updated•15 years ago
|
Whiteboard: [needs assignee]
|
Assignee | |
Comment 4•15 years ago
|
||
I don't know if this is right, but it seems to fix the assertion. The decompiler is still confused though:
js> (function() {const x;[x]='';})
function () {
const x;
[, ] = "";
Attachment #381219 -
Flags: review?(brendan)
|
||
Comment 5•15 years ago
|
||
The decompiler issue might bug 492010.
|
|
||
Updated•15 years ago
|
Whiteboard: [needs assignee] → [has patch]
|
||
Comment 6•15 years ago
|
||
(In reply to comment #4) > Created an attachment (id=381219) [details] > Shot in the dark > > I don't know if this is right, but it seems to fix the assertion. The > decompiler is still confused though: > > js> (function() {const x;[x]='';}) > function () { > const x; > [, ] = ""; You cut off the closing brace line, right? This is a valid decompilation and it is stable when round-tripped through eval. Patch is good, thanks. Will stamp now. /be
|
|
||
Updated•15 years ago
|
Attachment #381219 -
Flags: review?(brendan) → review+
|
|
||
Comment 7•15 years ago
|
||
(In reply to comment #6) > You cut off the closing brace line, right? Yes, he did. http://hg.mozilla.org/tracemonkey/rev/619278dc6389
Whiteboard: [has patch] → fixed-in-tracemonkey
|
||
Comment 8•15 years ago
|
||
Per request of damons: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ee0c5ec5d68d I'm assuming this also needs landing on mozilla-central...
|
|
||
Updated•15 years ago
|
Keywords: fixed1.9.1
|
|
||
Comment 9•15 years ago
|
||
(In reply to comment #8) > I'm assuming this also needs landing on mozilla-central... Per my assumption: http://hg.mozilla.org/mozilla-central/rev/0c053dca8ea6
|
|
||
Updated•15 years ago
|
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Comment 10•15 years ago
|
||
Apologies to mrbkap for accidentally crediting myself for this patch!
|
||
Comment 12•15 years ago
|
||
Verified fixed on trunk and 1.9.1 with testcase in comment 0 and debug builds like: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090604 Minefield/3.6a1pre ID:20090604215922 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090604 Shiretoko/3.5pre ID:20090604202448
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Keywords: fixed1.9.1 → verified1.9.1
Target Milestone: --- → mozilla1.9.2a1
|
||
Updated•13 years ago
|
Crash Signature: [@ js_Interpret]
|
||
Comment 13•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•