Closed
Bug 374589
Opened 19 years ago
Closed 19 years ago
"Assertion failure: pcdepth >= 0" with try .. catchguard .. catch .. finally
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: igor)
References
Details
(Keywords: crash, regression, testcase)
Attachments
(1 file, 3 obsolete files)
|
2.98 KB,
patch
|
igor
:
review+
|
Details | Diff | Splinter Review |
This is a recent regression.
js> try { } catch(x if true) { } catch(y) { } finally { this.a.b; }
Assertion failure: pcdepth >= 0, at jsopcode.c:4758
0 js 0x000c6e64 JS_Assert + 70 (jsutil.c:60)
1 js 0x0009456f js_DecompileValueGenerator + 2391 (jsopcode.c:4760)
2 js 0x00025959 js_ReportValueErrorFlags + 151 (jscntxt.c:1242)
3 js 0x00083a39 js_ValueToNonNullObject + 117 (jsobj.c:4543)
4 js 0x00066c3c js_Interpret + 54986 (jsinterp.c:3789)
5 js 0x00058702 js_Execute + 715 (jsinterp.c:1612)
6 js 0x0001a0a8 JS_ExecuteScript + 54 (jsapi.c:4212)
7 js 0x00002932 Process + 912 (js.c:268)
8 js 0x000032b4 ProcessArgs + 1910 (js.c:494)
9 js 0x00007e79 main + 612 (js.c:3159)
10 js 0x00002446 _start + 216
11 js 0x0000236d start + 41
|
Reporter | |
Comment 1•19 years ago
|
||
This shows up frequently when I use the fuzzer in bug 349611.
|
Assignee | |
Updated•19 years ago
|
Assignee: general → igor
|
|
Assignee | |
Comment 2•19 years ago
|
||
In the patch for bug 351102 I forgot to hide [trowing] from the decompiler. This patch fixes that and removes embarrassing "!" from
!js_Emit1(cx, cg, JSOP_THROWING) < 0
Attachment #259344 -
Flags: review?(brendan)
|
|
Assignee | |
Comment 3•19 years ago
|
||
This is the previous patch plus a fix for bug 374713 to have a single patch for both regressions. That bug is caused by a wrong assert about the dup bytecode.
Attachment #259344 -
Attachment is obsolete: true
Attachment #259346 -
Flags: review?(brendan)
Attachment #259344 -
Flags: review?(brendan)
|
|
Assignee | |
Updated•19 years ago
|
Attachment #259346 -
Attachment is patch: true
Attachment #259346 -
Attachment mime type: text/x-patch → text/plain
|
|
Assignee | |
Comment 4•19 years ago
|
||
Recording the patch dependency.
Blocks: 374713
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 5•19 years ago
|
||
Fixing English grammar in comments.
Attachment #259346 -
Attachment is obsolete: true
Attachment #259347 -
Flags: review?(brendan)
Attachment #259346 -
Flags: review?(brendan)
|
|
||
Comment 6•19 years ago
|
||
Comment on attachment 259347 [details] [diff] [review]
Fix v2b
>+ if (sn2 && SN_TYPE(sn2) == SRC_HIDDEN) {
> /*
>- * A dup that pushes the exception object to use
>- * after if the exception guard is false.
>+ * We got a hidden dup to save the exception for
s/We got/This is/
r=me with that.
/be
Attachment #259347 -
Flags: review?(brendan) → review+
|
|
Assignee | |
Comment 7•19 years ago
|
||
Patch to commit with the last nit addressed.
Attachment #259347 -
Attachment is obsolete: true
Attachment #259878 -
Flags: review+
|
|
Assignee | |
Comment 8•19 years ago
|
||
I committed the patch from comment 7 to the trunk:
Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v <-- jsemit.c
new revision: 3.243; previous revision: 3.242
done
Checking in jsopcode.c;
/cvsroot/mozilla/js/src/jsopcode.c,v <-- jsopcode.c
new revision: 3.220; previous revision: 3.219
done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
||
Comment 9•19 years ago
|
||
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-374589.js,v <-- regress-374589.js
initial revision: 1.1
Flags: in-testsuite+
|
|
||
Comment 10•19 years ago
|
||
verified fixed linux, windows, mac* shell 20070406
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•