Closed Bug 1100928 Opened 11 years ago Closed 11 years ago

Assertion failure: depth == bce->stackDepth, at js/src/frontend/BytecodeEmitter.cpp:4438

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1100511
Tracking Status
firefox36 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])

The following testcase crashes on mozilla-central revision 134d1cfc5c9c (build with --enable-debug --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --target=i686-pc-linux-gnu, run with --fuzzing-safe):

try {
    var x = new String("1");
} catch (e) {}
try {
    var x = new String("1");
    const x =
        [];
} catch (e) {}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x081f7e40 in EmitTry (cx=cx@entry=0x95de230, bce=bce@entry=0xffffbb78, pn=pn@entry=0x95e4e00) at js/src/frontend/BytecodeEmitter.cpp:4438
4438 MOZ_ASSERT(depth == bce->stackDepth);
(gdb) bt
#0 0x081f7e40 in EmitTry (cx=cx@entry=0x95de230, bce=bce@entry=0xffffbb78, pn=pn@entry=0x95e4e00) at js/src/frontend/BytecodeEmitter.cpp:4438
#1 0x081ef970 in js::frontend::EmitTree (cx=0x95de230, bce=0xffffbb78, pn=0x95e4e00) at js/src/frontend/BytecodeEmitter.cpp:6877
#2 0x081f263e in js::frontend::CompileScript (cx=cx@entry=0x95de230, alloc=0x95c1a90, scopeChain=..., evalCaller=..., options=..., srcBuf=..., source_=source_@entry=0x0, staticLevel=staticLevel@entry=0, extraSct=extraSct@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:397
#3 0x084fbaec in JS::Compile (cx=cx@entry=0x95de230, obj=obj@entry=..., options=..., srcBuf=..., script=script@entry=...) at js/src/jsapi.cpp:4384
#4 0x084fbb8d in JS::Compile (cx=0x95de230, obj=..., options=..., chars=chars@entry=0x96af288 u"try {\n var x = new String(\"1\");\n} catch (e) {}\ntry {\n var x = new String(\"1\");\n const x =\n [];\n} catch (e) {}\n", length=126, script=...) at js/src/jsapi.cpp:4393
#5 0x084fbc84 in JS::Compile (cx=cx@entry=0x95de230, obj=obj@entry=..., options=..., bytes=0x96af200 "try {\n var x = new String(\"1\");\n} catch (e) {}\ntry {\n var x = new String(\"1\");\n const x =\n [];\n} catch (e) {}\n", length=126, script=script@entry=...) at js/src/jsapi.cpp:4408
#6 0x084fbd5c in JS::Compile (cx=cx@entry=0x95de230, obj=obj@entry=..., options=..., fp=fp@entry=0x96aec60, script=script@entry=...) at js/src/jsapi.cpp:4419
#7 0x0804ce32 in RunFile (compileOnly=false, file=0x96aec60, filename=0xffffd09f "min.js", obj=..., cx=0x95de230) at js/src/shell/js.cpp:444
#8 Process (cx=cx@entry=0x95de230, obj_=<optimized out>, filename=0xffffd09f "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:586
Group: core-security
NI from efaust because this is probably caused by the "const x".
Flags: needinfo?(efaustbmo)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/a9a7f16c817b
user: Eric Faust
date: Thu Oct 30 17:27:03 2014 -0700
summary: Bug 611388 - |const| should be block scoped and require an initializer. (r=shu)

This iteration took 1.485 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision aa72ddfe9f93).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ef2967c20784
user: Tom Schuster
date: Wed Nov 19 01:44:02 2014 +0100
summary: Bug 1095439 - Make assignments to a const variable a syntax error. r=efaust

This iteration took 527.248 seconds to run.
Marking dupe, as it's the same failure mode "solved" the same way. See bug 1100511 for more details.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(efaustbmo)
Resolution: --- → DUPLICATE