Bug 350238 - <x/>.@*++ causes "Assertion failure: JS_UPTRDIFF(fp->sp, fp->spbase) <= depthdiff" at jsinterp.c:392
: crash, testcase, verified1.8.0.8, verified1.8.1
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: All All
P1 critical
: mozilla1.8.1
Assigned To: Brendan Eich [:brendan]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz js1.7 352079 352272
Reported: 2006-08-25 15:48 PDT by Jesse Ruderman
Modified: 2006-11-10 11:27 PST
8 users
dveditz: blocking1.7.14?
dveditz: blocking-aviary1.0.9?
mbeltzner: blocking1.8.1+
dveditz: blocking1.8.0.8+
bob: in-testsuite+

fix (2.58 KB, patch)
2006-09-06 18:00 PDT, Brendan Eich [:brendan]
mrbkap: review+
dveditz: approval1.8.0.8+
e4x/Regress/regress-350238.js (2.05 KB, text/plain)
2006-09-07 06:35 PDT, Bob Clary [:bc:]
no flags

Description Jesse Ruderman 2006-08-25 15:48:28 PDT
Steps to reproduce:
  In a debug build,

  Assertion failure: JS_UPTRDIFF(fp->sp, fp->spbase) <= depthdiff,
  at jsinterp.c:392

Comment 1 Brendan Eich [:brendan] 2006-09-06 17:31:47 PDT
WFM -- someone with time feel free to binary search and find the dup.

Comment 2 Brendan Eich [:brendan] 2006-09-06 17:32:54 PDT
No, I'm on crack.

Comment 3 Brendan Eich [:brendan] 2006-09-06 17:56:55 PDT
Bug not fixed by patch for bug 316885.

Comment 4 Brendan Eich [:brendan] 2006-09-06 18:00:24 PDT
Created attachment 237038

The fix for bug 316885 was just not good enough.  The maximum model stack depth is reached in the midst of code generation for the JOF_PROP and JOF_ELEM cases, so testing cg->stackDepth before or after the whole (or equivalent) will not find a deep enough stack to seem to need adding one to cg->maxStackDepth.  This patch simply bumps cg->stackDepth before code generation, and drops it after, for the post-increment, non-JOF_NAME cases.
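
The accounting problem comment 4 describes, as a toy model in C added here for illustration; it is not the attached patch or code from jsemit.c. The `Emitter` struct, the three-op operand sequence and the single extra run-time slot are assumptions.

```c
#include <stdio.h>

/* Toy model of an emitter's stack accounting. All names and the opcode
 * sequence are hypothetical; this is not code from jsemit.c. */
typedef struct { int stackDepth, maxStackDepth; } Emitter;

static void emit(Emitter *e, int delta) {  /* delta: pushes minus pops of one op */
    e->stackDepth += delta;
    if (e->stackDepth > e->maxStackDepth)
        e->maxStackDepth = e->stackDepth;
}

/* Constructed operand sequence: push object, push id (peak), then the
 * post-increment op replaces both with one result. */
static void emit_operand(Emitter *e) { emit(e, +1); emit(e, +1); emit(e, -1); }

static void push_live(Emitter *e, int n) { for (int i = 0; i < n; i++) emit(e, +1); }

/* Assumption: at run time the op needs one slot beyond the modelled peak. */
int required_depth(int live) { return live + 2 + 1; }

/* Test the depth only after the whole operand has been emitted. */
int max_with_boundary_check(int live) {
    Emitter e = {0, 0};
    push_live(&e, live);
    emit_operand(&e);
    if (e.stackDepth + 1 > e.maxStackDepth)  /* depth is already back below the peak */
        e.maxStackDepth = e.stackDepth + 1;
    return e.maxStackDepth;
}

/* Bump the depth before emission and drop it after, as comment 4 describes. */
int max_with_bracket(int live) {
    Emitter e = {0, 0};
    push_live(&e, live);
    emit(&e, +1);        /* reserve the extra slot */
    emit_operand(&e);
    emit(&e, -1);        /* release it */
    return e.maxStackDepth;
}

int main(void) {
    for (int live = 0; live < 3; live++)
        printf("live=%d required=%d boundary=%d bracket=%d\n", live,
               required_depth(live), max_with_boundary_check(live),
               max_with_bracket(live));
    return 0;
}
```

In this model the boundary check always reports one slot fewer than the run-time requirement, which is the condition a depth assertion of the kind in the bug title would catch in a debug build.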

Comment 5 Brendan Eich [:brendan] 2006-09-06 21:47:56 PDT
Comment on attachment 237038

Fixed on trunk.

Comment 6 Bob Clary [:bc:] 2006-09-07 06:35:13 PDT
Created attachment 237117

Comment 7 Brendan Eich [:brendan] 2006-09-07 10:14:34 PDT
Fixed on the 1.8 branch.

Comment 8 Bob Clary [:bc:] 2006-09-07 18:18:08 PDT
verified fixed 1.9a1_2006090707 windows/mac*/linux
note to self: need to deal with time out in browser due to use of document.location

Comment 9 Bob Clary [:bc:] 2006-09-09 16:52:31 PDT
verified fixed 1.8 1.9 20060909 windows/mac*/linux

Comment 10 Brendan Eich [:brendan] 2006-09-11 23:36:59 PDT
Note bug 352272, whose patch should follow this bug's into any branches for which it gets approved.

Comment 11 Daniel Veditz [:dveditz] 2006-09-19 15:53:57 PDT
Restoring lost blocking flag

Comment 12 Brendan Eich [:brendan] 2006-09-25 17:19:58 PDT
This bug is in 1.8.0 branch code too.

Comment 13 Brendan Eich [:brendan] 2006-09-25 17:22:11 PDT
Dveditz: this bug's testcase uses E4X, which was in 1.8/Firefox1.5.  There is no js1.7 feature involved.

Comment 14 Daniel Veditz [:dveditz] 2006-09-26 14:15:50 PDT
Comment on attachment 237038

approved for 1.8.0 branch, a=dveditz for drivers

Comment 15 Brendan Eich [:brendan] 2006-09-26 14:39:47 PDT
Fixed on the 1.8.0 branch:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision:; previous revision:

Comment 16 Bob Clary [:bc:] 2006-10-04 05:53:23 PDT
verified 20061003 windows/mac*/linux

Comment 17 Bob Clary [:bc:] 2006-11-10 11:27:15 PST
Checking in regress-350238.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-350238.js,v  <--  regress-350238.js
initial revision: 1.1
