Closed Bug 372563 Opened 17 years ago Closed 17 years ago

"Assertion failure: ss->top >= 2"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: mrbkap)

References

Details

(4 keywords)

Attachments

(1 file)

Fix
1.07 KB, patch
igor
: review+
Details | Diff | Splinter Review 
:~/trunk/mozilla/js/src/Darwin_DBG.OBJ jruderman$ ./js
js> function() { *() }
Assertion failure: ss->top >= 2, at jsopcode.c:3074

0   js 	0x000c6cc3 JS_Assert + 70 (jsutil.c:60)
1   js 	0x0008ecb9 Decompile + 25262 (jsopcode.c:3074)
2   js 	0x00093463 js_DecompileCode + 492 (jsopcode.c:4218)
3   js 	0x00093e1c js_DecompileFunction + 1891 (jsopcode.c:4416)
4   js 	0x00019c22 JS_DecompileFunction + 104 (jsapi.c:4171)
5   js 	0x0004ef4b js_fun_toString + 494 (jsfun.c:1528)
6   js 	0x0004efaf fun_toString + 53 (jsfun.c:1539)
7   js 	0x000578ae js_Invoke + 2954 (jsinterp.c:1348)
8   js 	0x00057cd1 js_InternalInvoke + 309 (jsinterp.c:1442)
9   js 	0x00083f81 js_TryMethod + 346 (jsobj.c:4593)
10  js 	0x000829b7 js_DefaultValue + 143 (jsobj.c:3884)
11  js 	0x000c4c17 js_ValueToString + 98 (jsstr.c:2663)
12  js 	0x00008c7f JS_ValueToString + 24 (jsapi.c:536)
13  js 	0x00002637 Process + 949 (js.c:270)
14  js 	0x00002f94 ProcessArgs + 1910 (js.c:494)
15  js 	0x00007b3d main + 612 (js.c:3159)
16  js 	0x00002126 _start + 216
17  js 	0x0000204d start + 41
Flags: blocking1.9?
Attached patch FixSplinter Review 
The fix here is to do the JSOP_PUSHOBJ magic even if we didn't push another name (as for JSOP_CALLXMLNAME).
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #258144 - Flags: review?(brendan)
(In reply to comment #1)
> Created an attachment (id=258144) [details]
> Fix
> 
> The fix here is to do the JSOP_PUSHOBJ magic even if we didn't push another
> name (as for JSOP_CALLXMLNAME).

Right, that push should always happen. Initially for the bug 363530 I tried to avoid that push and instead I tried to change the decompiler to expect only single  slot for call operations in its model of the operation stack. But it was too complex so I have written that minimalistic (and buggy) push-just-to-be-removed code.
Blocks: 363530
Comment on attachment 258144 [details] [diff] [review]
Fix

It sounds like Igor wants to review this patch.
Attachment #258144 - Flags: review?(brendan) → review?(igor)
Attachment #258144 - Flags: review?(igor) → review+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
/cvsroot/mozilla/js/tests/e4x/Regress/regress-372563.js,v  <--  regress-372563.js
initial revision: 1.1
Flags: in-testsuite+
verified fixed 1.9.0 20070320 win/mac*/linux
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: