Closed Bug 353454 Opened 19 years ago Closed 19 years ago

"Assertion failure: (uintN)top == pcdepth" with regexp iterator, "let"

Categories

(Core :: JavaScript Engine, defect)

PowerPC
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla1.8.1

People

(Reporter: jruderman, Assigned: brendan)

Details

(Keywords: crash, testcase, verified1.8.1)

Attachments

(1 file)

js> obj = {a: 5}; obj.__iterator__ = /x/g; for(x in y = let (z) obj) { }

Debug - Assertion failure: (uintN)top == pcdepth, at jsopcode.c:3614

Opt - recurses to death:
...
486 js_DecompileValueGenerator + 1464
487 GetOff + 128
488 PopOff + 64
489 Decompile + 456
490 js_DecompileCode + 448
491 js_DecompileValueGenerator + 1464
...
Attached patch fix
Have to be more conservative in trying to fix up generating pcs below current model stack depth. /be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #239309 - Flags: review?(mrbkap)
Comment on attachment 239309 fix

Will this leave ss.offsets[0..pcdepth] uninitialized when code (like GetLocal) expects there to be useful data there?
Comment on attachment 239309 [details] [diff] [review] fix >Index: jsopcode.c >=================================================================== >RCS file: /cvsroot/mozilla/js/src/jsopcode.c,v >retrieving revision 3.184 >diff -p -u -8 -r3.184 jsopcode.c >--- jsopcode.c 18 Sep 2006 11:04:30 -0000 3.184 >+++ jsopcode.c 20 Sep 2006 05:26:05 -0000 >@@ -3605,18 +3605,17 @@ js_DecompileCode(JSPrinter *jp, JSScript > > for (fp = cx->fp; fp && !fp->script; fp = fp->down) > continue; > top = fp ? fp->sp - fp->spbase : 0; > for (i = 0; i < pcdepth; i++) { > ss.offsets[i] = -1; > ss.opcodes[i] = JSOP_NOP; > } This loop unconditionally initializes ss.offsets and ss.opcodes. >- if (fp && fp->pc == pc) { >- JS_ASSERT((uintN)top == pcdepth); >+ if (fp && fp->pc == pc && (uintN)top == pcdepth) { This condition is being made more conservative, but it does not alter the initialization logic. /be
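Review bot: the new condition `if (fp && fp->pc == pc && (uintN)top == pcdepth)` turns what was an asserted invariant into a silent skip, and nothing in the hunk records why a depth mismatch is now an expected case. The removed `JS_ASSERT((uintN)top == pcdepth);` told readers that a mismatch was a bug; with it gone, a short comment above the `if` should say when top can legitimately differ from pcdepth, and that in that case the entries keep the -1 / JSOP_NOP defaults written by the loop just above, so the next change here does not reintroduce the assumption.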
Comment on attachment 239309 fix

I must be vertically dyslexic. I could have sworn those two blocks were reversed.
Attachment #239309 - Flags: review?(mrbkap) → review+
Fixed on trunk. /be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Attachment #239309 - Flags: approval1.8.1?
Checking in regress-353454.js;
/cvsroot/mozilla/js/tests/js1_7/iterable/regress-353454.js,v <-- regress-353454.js
initial revision: 1.1
done
Flags: in-testsuite+
Flags: blocking1.8.1+
Whiteboard: [rc ridealong]
verified fixed 1.9 20060921 windows/mac*/linux
Status: RESOLVED → VERIFIED
Comment on attachment 239309 fix

Approved for RC2.
Attachment #239309 - Flags: approval1.8.1? → approval1.8.1+
Whiteboard: [rc ridealong] → [rc ridealong][checkin needed (1.8 branch)]
Target Milestone: --- → mozilla1.8.1
Whiteboard: [rc ridealong][checkin needed (1.8 branch)] → [checkin needed (1.8 branch)]
Fixed on the 1.8 branch:

Checking in jsopcode.c;
/cvsroot/mozilla/js/src/jsopcode.c,v <-- jsopcode.c
new revision: 3.89.2.61; previous revision: 3.89.2.60
done

/be
Keywords: fixed1.8.1
Whiteboard: [checkin needed (1.8 branch)]
verified fixed 1.8 20060926 windows/mac*/linux