Closed Bug 374589 Opened 15 years ago Closed 15 years ago

"Assertion failure: pcdepth >= 0" with try .. catchguard .. catch .. finally

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: igor)

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file, 3 obsolete files)

This is a recent regression.

js> try { } catch(x if true) { } catch(y) { } finally { this.a.b; }
Assertion failure: pcdepth >= 0, at jsopcode.c:4758

0   js 	0x000c6e64 JS_Assert + 70 (jsutil.c:60)
1   js 	0x0009456f js_DecompileValueGenerator + 2391 (jsopcode.c:4760)
2   js 	0x00025959 js_ReportValueErrorFlags + 151 (jscntxt.c:1242)
3   js 	0x00083a39 js_ValueToNonNullObject + 117 (jsobj.c:4543)
4   js 	0x00066c3c js_Interpret + 54986 (jsinterp.c:3789)
5   js 	0x00058702 js_Execute + 715 (jsinterp.c:1612)
6   js 	0x0001a0a8 JS_ExecuteScript + 54 (jsapi.c:4212)
7   js 	0x00002932 Process + 912 (js.c:268)
8   js 	0x000032b4 ProcessArgs + 1910 (js.c:494)
9   js 	0x00007e79 main + 612 (js.c:3159)
10  js 	0x00002446 _start + 216
11  js 	0x0000236d start + 41
This shows up frequently when I use the fuzzer in bug 349611.
Assignee: general → igor
Attached patch Fix v1 (obsolete) — Splinter Review
In the patch for bug 351102 I forgot to hide [throwing] from the decompiler. This patch fixes that and removes the embarrassing "!" from

!js_Emit1(cx, cg, JSOP_THROWING) < 0
Attachment #259344 - Flags: review?(brendan)
Blocks: 351102
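
An added illustration, not code from the patch or from SpiderMonkey, of why the stray "!" in the check quoted above matters: the negation is applied before the comparison, so the failure branch can never run. The emit1 function and CodeBuf type are hypothetical stand-ins, assumed to return the emitted offset or -1 on failure.

```c
#include <stddef.h>

/* Hypothetical stand-in for a bytecode emitter (not SpiderMonkey code).
 * Assumed contract: returns the offset of the emitted op, or -1 on failure. */
typedef struct { unsigned char code[4]; ptrdiff_t len; } CodeBuf;

static ptrdiff_t emit1(CodeBuf *cg, unsigned char op)
{
    if (cg->len >= (ptrdiff_t)sizeof cg->code)
        return -1;                 /* buffer full: report failure */
    cg->code[cg->len] = op;
    return cg->len++;
}

/* Buggy check: '!' binds tighter than '<', so this tests (!emit1(...)) < 0.
 * '!' yields 0 or 1, never a negative value, so the branch is dead code. */
static int emit_all_buggy(CodeBuf *cg, const unsigned char *ops, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!emit1(cg, ops[i]) < 0)
            return 0;              /* never reached */
    }
    return 1;                      /* reports success even after a failure */
}

/* Corrected check: compare the return value itself against 0. */
static int emit_all_fixed(CodeBuf *cg, const unsigned char *ops, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (emit1(cg, ops[i]) < 0)
            return 0;              /* failure is propagated to the caller */
    }
    return 1;
}

/* Constructed input: six ops into a four-byte buffer, so emission must fail. */
static const unsigned char SAMPLE_OPS[6] = { 1, 2, 3, 4, 5, 6 };

static int run_buggy(void) { CodeBuf cg = { {0}, 0 }; return emit_all_buggy(&cg, SAMPLE_OPS, 6); }
static int run_fixed(void) { CodeBuf cg = { {0}, 0 }; return emit_all_fixed(&cg, SAMPLE_OPS, 6); }

int main(void) { return !(run_buggy() == 1 && run_fixed() == 0); }
```

GCC and Clang report this pattern under -Wlogical-not-parentheses.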
Attached patch Fix v2 (obsolete) — Splinter Review
This is the previous patch plus a fix for bug 374713 to have a single patch for both regressions. That bug is caused by a wrong assert about the dup bytecode.
Attachment #259344 - Attachment is obsolete: true
Attachment #259346 - Flags: review?(brendan)
Attachment #259344 - Flags: review?(brendan)
Attachment #259346 - Attachment is patch: true
Attachment #259346 - Attachment mime type: text/x-patch → text/plain
Recording the patch dependency.
Blocks: 374713
Status: NEW → ASSIGNED
Attached patch Fix v2b (obsolete) — Splinter Review
Fixing English grammar in comments.
Attachment #259346 - Attachment is obsolete: true
Attachment #259347 - Flags: review?(brendan)
Attachment #259346 - Flags: review?(brendan)
Comment on attachment 259347
Fix v2b

>+                        if (sn2 && SN_TYPE(sn2) == SRC_HIDDEN) {
>                             /*
>-                             * A dup that pushes the exception object to use
>-                             * after if the exception guard is false.
>+                             * We got a hidden dup to save the exception for
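
Review bot: the added guard "if (sn2 && SN_TYPE(sn2) == SRC_HIDDEN)" at the top of this hunk gives the dup case two outcomes, but the quoted part of the rewritten comment covers only the hidden dup. Consider adding a line to the comment, or at the other path, saying what a dup means when sn2 is null or its type is not SRC_HIDDEN, so a later change does not reintroduce the assumption that every dup here is the exception-saving one.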

s/We got/This is/

r=me with that.

/be
Attachment #259347 - Flags: review?(brendan) → review+
Attached patch Fix v2c — Splinter Review
Patch to commit with the last nit addressed.
Attachment #259347 - Attachment is obsolete: true
Attachment #259878 - Flags: review+
I committed the patch from comment 7 to the trunk:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.243; previous revision: 3.242
done
Checking in jsopcode.c;
/cvsroot/mozilla/js/src/jsopcode.c,v  <--  jsopcode.c
new revision: 3.220; previous revision: 3.219
done
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-374589.js,v  <--  regress-374589.js
initial revision: 1.1
Flags: in-testsuite+
verified fixed linux, windows, mac* shell 20070406
Status: RESOLVED → VERIFIED