Last Comment Bug 309852 - E4X - JS_ASSERT @ js_Interpret, line 5070
: E4X - JS_ASSERT @ js_Interpret, line 5070
Status: RESOLVED FIXED
: fixed1.8, js1.6, regression
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: P1 normal (vote)
: mozilla1.8beta5
Assigned To: Brendan Eich [:brendan]
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-23 23:33 PDT by Bob Clary [:bc:]
Modified: 2005-10-08 21:00 PDT (History)
3 users (show)
brendan: blocking1.8b5+
bob: in‑testsuite-
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
proposed minimal fix (2.04 KB, patch)
2005-09-24 00:51 PDT, Brendan Eich [:brendan]
mrbkap: review+
shaver: superreview+
shaver: approval1.8b5+
Details | Diff | Splinter Review

Description Bob Clary [:bc:] 2005-09-23 23:33:51 PDT
This assert began appearing recently in debug builds in
e4x/Regress/regress-301596.js. Related to bug 309850 ?

+	fp->sp	0x0041d9ec
+	sp	0x0041d9f0

NTDLL! 7c901230()
js_Interpret(JSContext * 0x000371b8, unsigned char * 0x00424a84, long *
0x0013ee24) line 5070 + 36 bytes
js_Execute(JSContext * 0x000371b8, JSObject * 0x000387c8, JSScript * 0x004249f8,
JSStackFrame * 0x00000000, unsigned int 0x00000000, long * 0x0013fecc) line 1393
+ 19 bytes
JS_ExecuteScript(JSContext * 0x000371b8, JSObject * 0x000387c8, JSScript *
0x004249f8, long * 0x0013fecc) line 3842 + 25 bytes
Process(JSContext * 0x000371b8, JSObject * 0x000387c8, char * 0x00032d56) line
223 + 22 bytes
ProcessArgs(JSContext * 0x000371b8, JSObject * 0x000387c8, char * * 0x00032cc4,
int 0x00000006) line 426 + 23 bytes
main(int 0x00000006, char * * 0x00032cc4, char * * 0x00033188) line 2552 + 21 bytes
JS! mainCRTStartup + 227 bytes
KERNEL32! 7c816d4f()
Comment 1 Brendan Eich [:brendan] 2005-09-24 00:26:34 PDT
This one's not a bogus assertion, it's a nasty bug in how the JSOP_SETSP emitted
at the start of the catch and/or finally clauses mixes badly with E4X's
filtering predicate expression.  The code generator has to know that the
filtering predicate is executed by an inner interpreter activation that uses the
same operand stack as the outer interpreter activation (the one that executes
the script containing the filtering predicate).

/be
Comment 2 Brendan Eich [:brendan] 2005-09-24 00:51:42 PDT
Created attachment 197246 [details] [diff] [review]
proposed minimal fix

This is a bit ugly, but it works.  The !mark => XML filtering predicate
execution coupling is an XXX to reconsider later.  This fix should go into
1.8b5 shortly.

/be
Comment 3 Brendan Eich [:brendan] 2005-09-24 00:55:26 PDT
(In reply to comment #1)
> This one's not a bogus assertion, it's a nasty bug in how the JSOP_SETSP emitted
> at the start of the catch and/or finally clauses mixes badly with E4X's
> filtering predicate expression.

True so far.

> The code generator has to know that the
> filtering predicate is executed by an inner interpreter activation that uses the
> same operand stack as the outer interpreter activation (the one that executes
> the script containing the filtering predicate).

False diagnosis on my part -- the code generator can't help here, since only one
script is emitted for a function or top-level script that uses filtering
predicate expressions, and that script includes the expressions' bytecodes.  The
patch is based on the correct diagnosis: nesting an interpreter activation to
execute a filtering predicate means suppressing exception catching until we
unwind to the outer interpreter.

/be
Comment 4 Blake Kaplan (:mrbkap) 2005-09-24 01:02:39 PDT
Comment on attachment 197246 [details] [diff] [review]
proposed minimal fix

r=mrbkap
Comment 5 Brendan Eich [:brendan] 2005-09-24 10:45:03 PDT
Here is where I regret choosing to implement filtering predicates other than yb
generating bytecode in the containing script that does not require nesting an
interpreter activation that shares the top operand stack frame.  JSOP_FILTER
would change into a setup bytecode followed by an iterator update branch combo,
sort of like the for-in stuff.  JSOP_ENDFILTER would be a backward jump to the
iterator update test.

I may hack this up while traveling.

/be
Comment 6 Mike Shaver (:shaver -- probably not reading bugmail closely) 2005-09-24 10:56:02 PDT
Comment on attachment 197246 [details] [diff] [review]
proposed minimal fix

sr=shaver, want to file a bug on the XXX?
Comment 7 Brendan Eich [:brendan] 2005-09-24 11:57:59 PDT
Fixed on the trunk.  Let's see how the followup bug 309894 goes before trying
for the 1.8 branch, so we can choose between minimal hack-fix (this bug's patch)
and the right, forward-compatible bytecoded fix.

/be
Comment 8 Brendan Eich [:brendan] 2005-09-26 12:15:27 PDT
I just checked in fixes to JS_LIKELY abusage in jsinterp.c on the trunk:

revision 3.192
date: 2005/09/26 18:48:39;  author: brendan%mozilla.org;  state: Exp;  lines: +2 -2
Fix pointer testing via JS_LIKELY (rather fix a few callers than put cvs diff
jsinterp.c inside the macro...

/be
Comment 9 Mike Shaver (:shaver -- probably not reading bugmail closely) 2005-09-27 23:20:07 PDT
Brendan: we want to land this on the branch tomorrow morning (AM pacific, Sep
28), to take this assertion/crash off the radar for 1.5b2.  Do you have a
riskless patch up your sleeve for the bytecoded variant, or should we make that
change and the anyname-as-atom serialization change as part of the same XDR
version bump, on the trunk only?
Comment 10 Mike Shaver (:shaver -- probably not reading bugmail closely) 2005-09-28 08:35:57 PDT
Going to verify the delta between branch and trunk and land it on
MOZILLA_1_8_BRANCH in a little while.
Comment 11 Mike Shaver (:shaver -- probably not reading bugmail closely) 2005-09-28 13:05:49 PDT
Comment on attachment 197246 [details] [diff] [review]
proposed minimal fix

Approving on behalf of schrep and brendan and me.
Comment 12 Asa Dotzler [:asa] 2005-09-30 11:57:29 PDT
Need get this landed before time runs out. 
Comment 13 Blake Kaplan (:mrbkap) 2005-09-30 15:45:36 PDT
It looks like shaver checked this into the branch already:
3.181.2.10 <shaver@mozilla.org> 2005-09-28 13:08
309852: hack around XML filtering predicate expression design flaw, patch from
/be, r=mrbkap, sr=shaver, a=schrep/shaver/brendan.

Note You need to log in before you can comment on or make changes to this bug.