Closed Bug 1100511 Opened 10 years ago Closed 10 years ago

Assertion failure: frame.stackDepth() == 0, at jit/BaselineCompiler.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1095439
Tracking Flags:
Tracking Status
firefox36 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

stack
5.57 KB, text/plain
Details 
(function() {
    {
        var g = h(),
            x = 0,
            x = [];
        const x = 7
    }
})()

asserts js debug shell on m-c changeset a52bf59965a0 with --ion-eager --no-threads at Assertion failure: frame.stackDepth() == 0, at jit/BaselineCompiler.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a9a7f16c817b
user:        Eric Faust
date:        Thu Oct 30 17:27:03 2014 -0700
summary:     Bug 611388 - |const| should be block scoped and require an initializer. (r=shu)

Eric, is bug 611388 a likely regressor?
Flags: needinfo?(efaustbmo)
Attached file stack 
(lldb) bt 5
* thread #1: tid = 0x582c6d, 0x00000001001fc31a js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::BaselineCompiler::emit_JSOP_RETRVAL(this=<unavailable>) + 506 at BaselineCompiler.cpp:3055, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001001fc31a js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::BaselineCompiler::emit_JSOP_RETRVAL(this=<unavailable>) + 506 at BaselineCompiler.cpp:3055
    frame #1: 0x00000001001ea7c8 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::BaselineCompiler::emitBody(this=0x00007fff5fbfd648) + 2856 at BaselineCompiler.cpp:869
    frame #2: 0x00000001001e89aa js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::BaselineCompiler::compile(this=0x00007fff5fbfd648) + 378 at BaselineCompiler.cpp:99
    frame #3: 0x000000010023f527 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::BaselineCompile(cx=0x0000000101b14310, script=0x0000000101f60280, forceDebugInstrumentation=<unavailable>) + 471 at BaselineJIT.cpp:227
    frame #4: 0x000000010023fb1e js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`CanEnterBaselineJIT(cx=0x0000000101b14310, osrFrame=<unavailable>, script=<unavailable>) + 478 at BaselineJIT.cpp:292
(lldb)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision aa72ddfe9f93).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ef2967c20784
user:        Tom Schuster
date:        Wed Nov 19 01:44:02 2014 +0100
summary:     Bug 1095439 - Make assignments to a const variable a syntax error. r=efaust

This iteration took 338.365 seconds to run.
Tom, is bug 1095439 a likely fix?
Flags: needinfo?(efaustbmo) → needinfo?(evilpies)
Yes it would prevent this case, but I don't know if it could happen in some other way.
Flags: needinfo?(efaustbmo)
So the problem was that within a block, initialized var and const are not interacting cleanly. Tom's patch will make this an error, so we should be clean from the point of view of assertions of running poor code, but there are still relevant problems here with the way we are handling TDZ and these interactions.

Shu, do you think we should take on the fixes here, or split and file as we want to clean up those interactions, and consider this assertion "handled" for now? For the record, I vote for the latter. This will throw a "very strange looking" error, but it should be an error nonetheless.
Mid-air collision with dupe-marking.
Flags: needinfo?(shu)
Flags: needinfo?(evilpies)
Flags: needinfo?(efaustbmo)
(In reply to Eric Faust [:efaust] from comment #7)
> So the problem was that within a block, initialized var and const are not
> interacting cleanly. Tom's patch will make this an error, so we should be
> clean from the point of view of assertions of running poor code, but there
> are still relevant problems here with the way we are handling TDZ and these
> interactions.
> 
> Shu, do you think we should take on the fixes here, or split and file as we
> want to clean up those interactions, and consider this assertion "handled"
> for now? For the record, I vote for the latter. This will throw a "very
> strange looking" error, but it should be an error nonetheless.

Yes, let's file new bugs for ensuring the right kind of error is thrown for |function() { { var x = 42; const x = 43; } }|. According to spec, this is actually neither a TDZ nor an assign-to-const error, but an early redecl error due to 'x' appearing in both the var name list and the lexical name list in the same block.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: