Closed
Bug 1153458
Opened 9 years ago
Closed 9 years ago
Assertion failure: index >= size_t(parser.stackDepthAtPC(current)), at jsopcode.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla41
People
(Reporter: gkw, Assigned: jschulte)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])
Attachments
(2 files, 3 obsolete files)
2.52 KB,
text/plain
|
Details | |
5.10 KB,
patch
|
jschulte
:
review+
|
Details | Diff | Splinter Review |
try { __defineGetter__("x", Iterator)() } catch (e) {} f = function() { return (function() { this.x }) }() try { f() } catch (e) {} f() asserts js debug shell on m-c changeset eb3a1c0262e4 with --fuzzing-safe --no-threads --baseline-eager at Assertion failure: index >= size_t(parser.stackDepthAtPC(current)), at jsopcode.cpp. Configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-nspr-build" -r eb3a1c0262e4 === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150406061259" and the hash "d084a35e8d79". The "bad" changeset has the timestamp "20150406063758" and the hash "2ceecfb46d8c". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=d084a35e8d79&tochange=2ceecfb46d8c Eric, is bug 1094491 a likely regressor? (guessing from the regression window)
Flags: needinfo?(efaustbmo)
Reporter | ||
Comment 1•9 years ago
|
||
(lldb) bt 5 * thread #1: tid = 0x174f3c, 0x0000000100794966 js-dbg-64-nsprBuild-darwin-eb3a1c0262e4`js::DecompileValueGenerator(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, int) + 52 at jsopcode.cpp:1756, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x0000000100794966 js-dbg-64-nsprBuild-darwin-eb3a1c0262e4`js::DecompileValueGenerator(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, int) + 52 at jsopcode.cpp:1756 frame #1: 0x0000000100794932 js-dbg-64-nsprBuild-darwin-eb3a1c0262e4`js::DecompileValueGenerator(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, int) + 565 at jsopcode.cpp:1819 frame #2: 0x00000001007946fd js-dbg-64-nsprBuild-darwin-eb3a1c0262e4`js::DecompileValueGenerator(cx=<unavailable>, spindex=<unavailable>, v=<unavailable>, fallbackArg=<unavailable>, skipStackHits=0) + 2221 at jsopcode.cpp:1842 frame #3: 0x00000001006fd1dd js-dbg-64-nsprBuild-darwin-eb3a1c0262e4`js::ReportMissingArg(cx=0x0000000101ea5180, v=<unavailable>, arg=<unavailable>) + 221 at jscntxt.cpp:878 frame #4: 0x000000010078e2a7 js-dbg-64-nsprBuild-darwin-eb3a1c0262e4`js::IteratorConstructor(cx=0x0000000101ea5180, argc=<unavailable>, vp=0x00007fff5fbfd750) + 87 at jsiter.cpp:848 (lldb)
Assignee | ||
Comment 2•9 years ago
|
||
Well, I could only look into this briefly, but the problem seems to be, that the decompiler needs the Object on the stack. Still, I'm not really sure, how my patch caused this and whether the other calls to DoCallNativeGetter also need to keep the stack in sync for the decompiler, so I'll have to look into this a bit more.
Assignee | ||
Comment 3•9 years ago
|
||
Apparently, we can't use EmitStowICValues, as GET_GNAME also uses this stub and doesn't pass in a Value/R0. I wasn't able to reproduce the assertion-hit with the other two stubs calling DoCallNativeGetter, is it possible, that they are not affected?
Assignee: nobody → j_schulte
Attachment #8591161 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8592466 -
Flags: review?(efaustbmo)
Updated•9 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 4•9 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ec1351f9bc58).
Assignee | ||
Comment 5•9 years ago
|
||
That's due to bug 1147939 removing the assertion.
Comment 6•9 years ago
|
||
Comment on attachment 8592466 [details] [diff] [review] v1.patch Review of attachment 8592466 [details] [diff] [review]: ----------------------------------------------------------------- This is certainly right. It should land, and I'm sorry the review lag has been intolerably long.
Attachment #8592466 -
Flags: review?(efaustbmo) → review+
Assignee | ||
Comment 7•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=cb8de3041fc2
Assignee | ||
Comment 8•9 years ago
|
||
So, I think, the problem was, that the old patch reused the tailcallreg. Now, we can't simply take the tailcallreg, as we run out of registers on x86, so I decided to go with this solution, which passes jit-tests locally on both x86 and x64.
Attachment #8592466 -
Attachment is obsolete: true
Attachment #8621905 -
Flags: review?(efaustbmo)
Comment 9•9 years ago
|
||
Comment on attachment 8621905 [details] [diff] [review] v2.patch Review of attachment 8621905 [details] [diff] [review]: ----------------------------------------------------------------- Yep. Well hunted. Thanks for fixing this!
Attachment #8621905 -
Flags: review?(efaustbmo) → review+
Assignee | ||
Comment 10•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f69b97742497
Assignee | ||
Comment 11•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=01c8dbbf05f7
Assignee | ||
Comment 12•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=9042dff1c42a
Assignee | ||
Comment 13•9 years ago
|
||
Had to correct one minor mistake, hopefully, try will be green this time. Will add checkin-needed if that's the case.
Attachment #8621905 -
Attachment is obsolete: true
Attachment #8625183 -
Flags: review+
Assignee | ||
Updated•9 years ago
|
Keywords: checkin-needed
Comment 14•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/5da7e1b2b6f7
Keywords: checkin-needed
Comment 15•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/5da7e1b2b6f7
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox41:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
You need to log in
before you can comment on or make changes to this bug.
Description
•