Closed Bug 309852 Opened 19 years ago Closed 19 years ago

E4X - JS_ASSERT @ js_Interpret, line 5070

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta5

People

(Reporter: bc, Assigned: brendan)

Details

(Keywords: fixed1.8, js1.6, regression)

Attachments

(1 file)

proposed minimal fix
2.04 KB, patch
mrbkap
: review+
shaver
: superreview+
shaver
: approval1.8b5+
Details | Diff | Splinter Review 
This assert began appearing recently in debug builds in
e4x/Regress/regress-301596.js. Related to bug 309850 ?

+	fp->sp	0x0041d9ec
+	sp	0x0041d9f0

NTDLL! 7c901230()
js_Interpret(JSContext * 0x000371b8, unsigned char * 0x00424a84, long *
0x0013ee24) line 5070 + 36 bytes
js_Execute(JSContext * 0x000371b8, JSObject * 0x000387c8, JSScript * 0x004249f8,
JSStackFrame * 0x00000000, unsigned int 0x00000000, long * 0x0013fecc) line 1393
+ 19 bytes
JS_ExecuteScript(JSContext * 0x000371b8, JSObject * 0x000387c8, JSScript *
0x004249f8, long * 0x0013fecc) line 3842 + 25 bytes
Process(JSContext * 0x000371b8, JSObject * 0x000387c8, char * 0x00032d56) line
223 + 22 bytes
ProcessArgs(JSContext * 0x000371b8, JSObject * 0x000387c8, char * * 0x00032cc4,
int 0x00000006) line 426 + 23 bytes
main(int 0x00000006, char * * 0x00032cc4, char * * 0x00033188) line 2552 + 21 bytes
JS! mainCRTStartup + 227 bytes
KERNEL32! 7c816d4f()
Keywords: regression
Summary: E4X - JS_ASSERT @ js_Interpret, line 5070 → E4X - JS_ASSERT @ js_Interpret, line 5070
This one's not a bogus assertion, it's a nasty bug in how the JSOP_SETSP emitted
at the start of the catch and/or finally clauses mixes badly with E4X's
filtering predicate expression.  The code generator has to know that the
filtering predicate is executed by an inner interpreter activation that uses the
same operand stack as the outer interpreter activation (the one that executes
the script containing the filtering predicate).

/be
Assignee: general → brendan
Flags: blocking1.8b5+
Keywords: js1.6
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta5
This is a bit ugly, but it works.  The !mark => XML filtering predicate
execution coupling is an XXX to reconsider later.  This fix should go into
1.8b5 shortly.

/be
Attachment #197246 - Flags: superreview?(shaver)
Attachment #197246 - Flags: review?(mrbkap)
(In reply to comment #1)
> This one's not a bogus assertion, it's a nasty bug in how the JSOP_SETSP emitted
> at the start of the catch and/or finally clauses mixes badly with E4X's
> filtering predicate expression.

True so far.

> The code generator has to know that the
> filtering predicate is executed by an inner interpreter activation that uses the
> same operand stack as the outer interpreter activation (the one that executes
> the script containing the filtering predicate).

False diagnosis on my part -- the code generator can't help here, since only one
script is emitted for a function or top-level script that uses filtering
predicate expressions, and that script includes the expressions' bytecodes.  The
patch is based on the correct diagnosis: nesting an interpreter activation to
execute a filtering predicate means suppressing exception catching until we
unwind to the outer interpreter.

/be
Status: NEW → ASSIGNED
Comment on attachment 197246 [details] [diff] [review]
proposed minimal fix

r=mrbkap
Attachment #197246 - Flags: review?(mrbkap) → review+
Here is where I regret choosing to implement filtering predicates other than yb
generating bytecode in the containing script that does not require nesting an
interpreter activation that shares the top operand stack frame.  JSOP_FILTER
would change into a setup bytecode followed by an iterator update branch combo,
sort of like the for-in stuff.  JSOP_ENDFILTER would be a backward jump to the
iterator update test.

I may hack this up while traveling.

/be
Comment on attachment 197246 [details] [diff] [review]
proposed minimal fix

sr=shaver, want to file a bug on the XXX?
Attachment #197246 - Flags: superreview?(shaver) → superreview+
Fixed on the trunk.  Let's see how the followup bug 309894 goes before trying
for the 1.8 branch, so we can choose between minimal hack-fix (this bug's patch)
and the right, forward-compatible bytecoded fix.

/be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
I just checked in fixes to JS_LIKELY abusage in jsinterp.c on the trunk:

revision 3.192
date: 2005/09/26 18:48:39;  author: brendan%mozilla.org;  state: Exp;  lines: +2 -2
Fix pointer testing via JS_LIKELY (rather fix a few callers than put cvs diff
jsinterp.c inside the macro...

/be
Brendan: we want to land this on the branch tomorrow morning (AM pacific, Sep
28), to take this assertion/crash off the radar for 1.5b2.  Do you have a
riskless patch up your sleeve for the bytecoded variant, or should we make that
change and the anyname-as-atom serialization change as part of the same XDR
version bump, on the trunk only?
Going to verify the delta between branch and trunk and land it on
MOZILLA_1_8_BRANCH in a little while.
Comment on attachment 197246 [details] [diff] [review]
proposed minimal fix

Approving on behalf of schrep and brendan and me.
Attachment #197246 - Flags: approval1.8b5+
Need get this landed before time runs out. 
It looks like shaver checked this into the branch already:
3.181.2.10 <shaver@mozilla.org> 2005-09-28 13:08
309852: hack around XML filtering predicate expression design flaw, patch from
/be, r=mrbkap, sr=shaver, a=schrep/shaver/brendan.
Keywords: fixed1.8
Flags: testcase-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: