Closed Bug 382355 Opened 18 years ago Closed 18 years ago

js1_5/Regress/regress-356693.js - Assertion failure: cg->stackDepth >=0

Categories

(Core :: JavaScript Engine, defect, P1)

defect

Tracking

()

VERIFIED FIXED
mozilla1.9alpha5

People

(Reporter: bc, Assigned: brendan)

References

()

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file)

Crashes shell and browser opt and asserts debug. Regressed around 5/22 (maybe), but I'll narrow it down later. Marking sensitive due to assert.

shell warns stack underflow

debug assert on windows:

ntdll.dll!_DbgBreakPoint@0()
> js3250.dll!JS_Assert(const char * s=0x00554620, const char * file=0x005545e8, int ln=174) Line 59 C
js3250.dll!UpdateDepth(JSContext * cx=0x04956ea8, JSCodeGenerator * cg=0x051d64d0, int target=47) Line 174 + 0x22 bytes C
js3250.dll!js_Emit1(JSContext * cx=0x04956ea8, JSCodeGenerator * cg=0x051d64d0, JSOp op=JSOP_DELELEM) Line 196 + 0x11 bytes C
js3250.dll!js_EmitTree(JSContext * cx=0x04956ea8, JSCodeGenerator * cg=0x051d64d0, JSParseNode * pn=0x051d4488) Line 5858 + 0xf bytes C
js3250.dll!js_EmitTree(JSContext * cx=0x04956ea8, JSCodeGenerator * cg=0x051d64d0, JSParseNode * pn=0x051d6100) Line 5305 + 0x11 bytes C
js3250.dll!js_EmitTree(JSContext * cx=0x04956ea8, JSCodeGenerator * cg=0x051d64d0, JSParseNode * pn=0x051d4460) Line 5237 + 0x11 bytes C
js3250.dll!js_EmitTree(JSContext * cx=0x04956ea8, JSCodeGenerator * cg=0x051d64d0, JSParseNode * pn=0x051d4438) Line 4839 + 0x14 bytes C
js3250.dll!js_EmitTree(JSContext * cx=0x04956ea8, JSCodeGenerator * cg=0x051d64d0, JSParseNode * pn=0x051d5190) Line 5237 + 0x11 bytes C
js3250.dll!js_EmitFunctionBytecode(JSContext * cx=0x04956ea8, JSCodeGenerator * cg=0x051d64d0, JSParseNode * body=0x051d5190) Line 3237 + 0x11 bytes C
js3250.dll!js_EmitFunctionBody(JSContext * cx=0x04956ea8, JSCodeGenerator * cg=0x051d64d0, JSParseNode * body=0x051d5190, JSFunction * fun=0x051f9028) Line 3260 + 0x11 bytes C
js3250.dll!js_EmitTree(JSContext * cx=0x04956ea8, JSCodeGenerator * cg=0x0012f66c, JSParseNode * pn=0x051d40d8) Line 4069 + 0x18 bytes C
js3250.dll!Statements(JSContext * cx=0x04956ea8, JSTokenStream * ts=0x051d4dd8, JSTreeContext * tc=0x0012f66c) Line 1513 + 0x3d bytes C
js3250.dll!js_CompileTokenStream(JSContext * cx=0x04956ea8, JSObject * chain=0x051970c0, JSTokenStream * ts=0x051d4dd8, JSCodeGenerator * cg=0x0012f66c) Line 504 + 0x11 bytes C
js3250.dll!CompileTokenStream(JSContext * cx=0x04956ea8, JSObject * obj=0x051970c0, JSTokenStream * ts=0x051d4dd8, void * tempMark=0x04956f08, int * eofp=0x00000000) Line 4278 + 0x18 bytes C
js3250.dll!JS_CompileUCScriptForPrincipals(JSContext * cx=0x04956ea8, JSObject * obj=0x051970c0, JSPrincipals * principals=0x05151264, const unsigned short * chars=0x05202988, unsigned int length=2498, const char * filename=0x051da368, unsigned int lineno=1) Line 4373 + 0x17 bytes C
js3250.dll!JS_EvaluateUCScriptForPrincipals(JSContext * cx=0x04956ea8, JSObject * obj=0x051970c0, JSPrincipals * principals=0x05151264, const unsigned short * chars=0x05202988, unsigned int length=2498, const char * filename=0x051da368, unsigned int lineno=1, long * rval=0x0012f848) Line 4796 + 0x21 bytes C
gklayout.dll!nsJSContext::EvaluateString(const nsAString_internal & aScript={...}, void * aScopeObject=0x051970c0, nsIPrincipal * aPrincipal=0x05151260, const char * aURL=0x051da368, unsigned int aLineNo=1, unsigned int aVersion=0, nsAString_internal * aRetValue=0x00000000, int * aIsUndefined=0x0012f930) Line 1380 + 0x42 bytes C++
gklayout.dll!nsScriptLoader::EvaluateScript(nsScriptLoadRequest * aRequest=0x051bd608, const nsString & aScript={...}) Line 607 + 0x63 bytes C++
Summary: http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=js1_5/Regress/regress-356693.js - Assertion failure: cg->stackDepth >=0 → js1_5/Regress/regress-356693.js - Assertion failure: cg->stackDepth >=0
This is not related to bug 379758.
Assignee: general → igor
(In reply to comment #1)
> This is not related to bug 379758.

To be precise: the assertion happens with or without patch from bug 379758 comment 12.
Not s-s. My regression, due to patch for bug 380237. /be
Assignee: igor → brendan
Blocks: genexp
Group: security
Status: NEW → ASSIGNED
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha5
Attached patch: fix
Generally we fold after parsing, to maximize constant folding. We don't want exponential folding, but delete is not that common and it seems best to fold in the parser before the MakeSetCall, rather than duplicating the MakeSetCall in the emitter. Comments? /be
Attachment #266543 - Flags: review?(mrbkap)
Comment on attachment 266543 (fix)

This seems fine. If this ever does bite us, then I suppose the constant folder could do the MakeSetCall.
Attachment #266543 - Flags: review?(mrbkap) → review+
Fixed on trunk: js/src/jsparse.c 3.284 /be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
verified fixed 1.9.0 linux/mac*/windows.
Status: RESOLVED → VERIFIED