Closed Bug 1540786 Opened 7 years ago Closed 7 years ago

Assertion failure: bce_->stackDepth == depth_ + 1, at js/src/frontend/ExpressionStatementEmitter.cpp:40

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux

RESOLVED FIXED
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

(Reporter: decoder, Unassigned)


The following testcase crashes on mozilla-central revision c06dfc552c64 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --enable-experimental-fields):

new class Y extends this { 
  [X]; 
}();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::frontend::ExpressionStatementEmitter::emitEnd (this=this@entry=0x7fffffffbb80) at js/src/frontend/ExpressionStatementEmitter.cpp:40
#1  0x0000555555f080af in js::frontend::BytecodeEmitter::emitExpressionStatement (this=this@entry=0x7fffffffc030, exprStmt=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:6669
#2  0x0000555555f07493 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc030, pn=pn@entry=0x7ffff4eb38e0, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8803
#3  0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc030, pn=pn@entry=0x7ffff4eb38e0, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#4  0x0000555555f13010 in js::frontend::BytecodeEmitter::emitStatementList (this=this@entry=0x7fffffffc030, stmtList=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:6609
#5  0x0000555555f074f3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc030, pn=pn@entry=0x7ffff4eb3020, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8794
#6  0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc030, pn=pn@entry=0x7ffff4eb3020, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#7  0x0000555555f164c4 in js::frontend::BytecodeEmitter::emitScript (this=0x7fffffffc030, body=body@entry=0x7ffff4eb3020) at js/src/frontend/BytecodeEmitter.cpp:2423
#8  0x0000555555f24032 in js::frontend::ScriptCompiler<char16_t>::compileScript (this=this@entry=0x7fffffffc440, info=..., environment=..., environment@entry=..., sc=sc@entry=0x7fffffffcf80) at js/src/frontend/BytecodeCompiler.cpp:553
#9  0x0000555555f16a94 in CreateGlobalScript<char16_t> (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:207
#10 0x0000555555f16c3a in js::frontend::CompileGlobalScript (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:219
#11 0x0000555555a033c5 in CompileSourceBuffer<char16_t> (cx=cx@entry=0x7ffff5f17000, options=..., srcBuf=..., script=...) at js/src/vm/CompilationAndEvaluation.cpp:70
#12 0x0000555555a03600 in CompileUtf8 (cx=cx@entry=0x7ffff5f17000, options=..., bytes=0x7ffff4dfd4c0 "new class Y extends this { \n  [X]; \n}();\n", '\344' <repeats 23 times>, "\002", length=<optimized out>, script=...) at js/src/vm/CompilationAndEvaluation.cpp:88
#13 0x0000555555a0372e in JS::CompileUtf8File (cx=0x7ffff5f17000, options=..., file=<optimized out>, script=...) at js/src/vm/CompilationAndEvaluation.cpp:137
[...]
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11276
rax	0x555557c22240	93825032921664
rbx	0x7fffffffbb80	140737488337792
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x555556b9b268	93825015591528
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffbb50	140737488337744
rsp	0x7fffffffbb40	140737488337728
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffffbba0	140737488337824
r13	0x7ffff4eb38a0	140737302444192
r14	0x7fffffffc030	140737488338992
r15	0x7fffffffbb80	140737488337792
rip	0x555555f270c9 <js::frontend::ExpressionStatementEmitter::emitEnd()+185>
=> 0x555555f270c9 <js::frontend::ExpressionStatementEmitter::emitEnd()+185>:	movl   $0x0,0x0
   0x555555f270d4 <js::frontend::ExpressionStatementEmitter::emitEnd()+196>:	ud2
This is an automated crash issue comment:

Summary: Assertion failure: stackDepth() == depth, at js/src/jit/BaselineFrameInfo.h:256
Build version: mozilla-central revision c06dfc552c64
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off --enable-experimental-fields

Testcase:

for (y in this) {} class X extends this { actual; }("foo");

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::jit::CompilerFrameInfo::assertStackDepth (depth=0, this=<optimized out>) at js/src/jit/BaselineFrameInfo.h:256
#1  js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::emit_JSOP_RETRVAL (this=this@entry=0x7fffffffba20) at js/src/jit/BaselineCompiler.cpp:4615
#2  0x0000555556083438 in js::jit::BaselineCompiler::emitBody (this=this@entry=0x7fffffffba20) at js/src/jit/BaselineCompiler.cpp:6064
#3  0x0000555556091588 in js::jit::BaselineCompiler::compile (this=this@entry=0x7fffffffba20) at js/src/jit/BaselineCompiler.cpp:188
#4  0x0000555556184598 in js::jit::BaselineCompile (cx=cx@entry=0x7ffff5f17000, script=0xf9e4eb0a60, forceDebugInstrumentation=<optimized out>) at js/src/jit/BaselineJIT.cpp:221
#5  0x00005555561872a4 in CanEnterBaselineJIT (cx=cx@entry=0x7ffff5f17000, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7ffff4d0f028) at js/src/jit/BaselineJIT.cpp:272
#6  0x000055555618739b in js::jit::CanEnterBaselineAtBranch (cx=0x7ffff5f17000, fp=0x7ffff4d0f028) at js/src/jit/BaselineJIT.cpp:307
#7  0x00005555558dcc03 in Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:1972
[...]
#17 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11276
rax	0x555557c22240	93825032921664
rbx	0xf9e4eb0a60	1073287465568
rcx	0x555556bc0c18	93825015745560
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffb460	140737488335968
rsp	0x7fffffffb420	140737488335904
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x99	153
r13	0x7ffff5fdabd8	140737320430552
r14	0x99	153
r15	0x7fffffffba20	140737488337440
rip	0x5555560b39f9 <js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::emit_JSOP_RETRVAL()+297>
=> 0x5555560b39f9 <js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::emit_JSOP_RETRVAL()+297>:	movl   $0x0,0x0
   0x5555560b3a04 <js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::emit_JSOP_RETRVAL()+308>:	ud2

And various other assertions from tests all looking very similar to the one in comment 0. Assuming these are dups for now.
Priority: -- → P1

This is fixed in master. Likely fixed by bug 1534721.

Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED