Closed Bug 372563 Opened 18 years ago Closed 18 years ago

"Assertion failure: ss->top >= 2"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: mrbkap)

References

Details

(4 keywords)

Attachments

(1 file)

Fix
1.07 KB, patch
igor
: review+
Details | Diff | Splinter Review
:~/trunk/mozilla/js/src/Darwin_DBG.OBJ jruderman$ ./js js> function() { *() } Assertion failure: ss->top >= 2, at jsopcode.c:3074 0 js 0x000c6cc3 JS_Assert + 70 (jsutil.c:60) 1 js 0x0008ecb9 Decompile + 25262 (jsopcode.c:3074) 2 js 0x00093463 js_DecompileCode + 492 (jsopcode.c:4218) 3 js 0x00093e1c js_DecompileFunction + 1891 (jsopcode.c:4416) 4 js 0x00019c22 JS_DecompileFunction + 104 (jsapi.c:4171) 5 js 0x0004ef4b js_fun_toString + 494 (jsfun.c:1528) 6 js 0x0004efaf fun_toString + 53 (jsfun.c:1539) 7 js 0x000578ae js_Invoke + 2954 (jsinterp.c:1348) 8 js 0x00057cd1 js_InternalInvoke + 309 (jsinterp.c:1442) 9 js 0x00083f81 js_TryMethod + 346 (jsobj.c:4593) 10 js 0x000829b7 js_DefaultValue + 143 (jsobj.c:3884) 11 js 0x000c4c17 js_ValueToString + 98 (jsstr.c:2663) 12 js 0x00008c7f JS_ValueToString + 24 (jsapi.c:536) 13 js 0x00002637 Process + 949 (js.c:270) 14 js 0x00002f94 ProcessArgs + 1910 (js.c:494) 15 js 0x00007b3d main + 612 (js.c:3159) 16 js 0x00002126 _start + 216 17 js 0x0000204d start + 41
Flags: blocking1.9?
Attached patch FixSplinter Review
The fix here is to do the JSOP_PUSHOBJ magic even if we didn't push another name (as for JSOP_CALLXMLNAME).
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #258144 - Flags: review?(brendan)
(In reply to comment #1) > Created an attachment (id=258144) [details] > Fix > > The fix here is to do the JSOP_PUSHOBJ magic even if we didn't push another > name (as for JSOP_CALLXMLNAME). Right, that push should always happen. Initially for the bug 363530 I tried to avoid that push and instead I tried to change the decompiler to expect only single slot for call operations in its model of the operation stack. But it was too complex so I have written that minimalistic (and buggy) push-just-to-be-removed code.
Blocks: 363530
Comment on attachment 258144 [details] [diff] [review] Fix It sounds like Igor wants to review this patch.
Attachment #258144 - Flags: review?(brendan) → review?(igor)
Attachment #258144 - Flags: review?(igor) → review+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
/cvsroot/mozilla/js/tests/e4x/Regress/regress-372563.js,v <-- regress-372563.js initial revision: 1.1
Flags: in-testsuite+
verified fixed 1.9.0 20070320 win/mac*/linux
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: