Closed Bug 387951 Opened 18 years ago Closed 18 years ago

"Assertion failure: cg->stackDepth >= 0" [@ SprintEnsureBuffer]

Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, mozilla1.9
People: Reporter: jruderman, Assigned: brendan
Attachments: 1 file

js> if (delete (0 ? 3 : {}));
Assertion failure: cg->stackDepth >= 0, at jsemit.c:180

Same thing in opt triggers some console output (!)

js> if (delete (0 ? 3 : {}));
warning: internal error compiling typein: stack underflow at pc 1
warning: internal error compiling typein: stack underflow at pc 2
warning: internal error compiling typein: stack underflow at pc 4
warning: internal error compiling typein: stack underflow at pc 7
InternalError: stack overflow in script
(In reply to comment #1)
> Same thing in opt triggers some console output (!)
>
> js> if (delete (0 ? 3 : {}));
> warning: internal error compiling typein: stack underflow at pc 1
> warning: internal error compiling typein: stack underflow at pc 2
> warning: internal error compiling typein: stack underflow at pc 4
> warning: internal error compiling typein: stack underflow at pc 7
> InternalError: stack overflow in script

Testing on the latest CVS trunk js shell, the InternalError I get now is "InternalError: script stack space quota is exhausted".

With another testcase:

js> with(delete let (functional) null ? 1 : {}){}
warning: internal error compiling typein: stack underflow at pc 11
warning: internal error compiling typein: stack underflow at pc 12
warning: internal error compiling typein: stack underflow at pc 14
warning: internal error compiling typein: stack underflow at pc 15
warning: internal error compiling typein: stack underflow at pc 16
InternalError: script stack space quota is exhausted

I get "Assertion failure: cg->stackDepth >= 0, at jsemit.c:183" when using a debug js shell as well.

Might this be related as well? (Differs by different "pc" locations)
js> "" + (function() { if(delete(null?0:{})){[]} })

A similar function definitely crashes js shell with a "bus error", and asserts the same message.

A crash log:

Process:         js-opt [14324]
Path:            ./js-opt
Identifier:      js-opt
Version:         ??? (???)
Code Type:       X86 (Native)
Parent Process:  bash [13573]

Date/Time:       2008-03-23 15:28:58.839 -0700
OS Version:      Mac OS X 10.5.2 (9C31)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x000000000000000f
Crashed Thread:  0

Thread 0 Crashed:
0   js-opt   0x0004921c SprintEnsureBuffer + 151
1   js-opt   0x000492c5 SprintPut + 26
2   js-opt   0x00049374 Sprint + 69
3   js-opt   0x00049a79 SprintDoubleValue + 271
4   js-opt   0x0004fc81 Decompile + 23244
5   js-opt   0x00052189 DecompileCode + 157
6   js-opt   0x00053663 js_DecompileFunction + 738
7   js-opt   0x00008822 JS_DecompileFunction + 74
8   js-opt   0x0002c89e fun_toStringHelper + 313
9   js-opt   0x0003c54f js_Invoke + 1293
10  js-opt   0x0003bfd2 js_InternalInvoke + 124
11  js-opt   0x0004400b js_TryMethod + 231
12  js-opt   0x0004419a js_DefaultValue + 301
13  js-opt   0x000345ae js_Interpret + 11836
14  js-opt   0x0003db6f js_Execute + 569
15  js-opt   0x00008916 JS_ExecuteScript + 60
16  js-opt   0x0000243c Process + 449
17  js-opt   0x00005c87 main + 2336
18  js-opt   0x0000211a start + 54

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x00809218  ebx: 0x00049988  ecx: 0x00809210  edx: 0x00000007
  edi: 0x00000003  esi: 0xbfffe0c4  ebp: 0xbfffdd68  esp: 0xbfffdd20
   ss: 0x0000001f  efl: 0x00010206  eip: 0x0004921c   cs: 0x00000017
   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037
  cr2: 0x0000000f

Binary Images:
    0x1000 -    0x92ff7 +js-opt ??? (???) /Users/gkwong/Desktop/lithium/js-opt
0x8fe00000 - 0x8fe2da53  dyld 96.2 (???) <7af47d3b00b2268947563c7fa8c59a07> /usr/lib/dyld
0x90196000 - 0x902f5ff3  libSystem.B.dylib ??? (???) <4899376234e55593b22fc370935f8cdf> /usr/lib/libSystem.B.dylib
0x9372f000 - 0x93733fff  libmathCommon.A.dylib ??? (???) /usr/lib/system/libmathCommon.A.dylib
0x94b84000 - 0x94b8bfe9  libgcc_s.1.dylib ??? (???) <f53c808e87d1184c0f9df63aef53ce0b> /usr/lib/libgcc_s.1.dylib
0xffff0000 - 0xffff1780  libSystem.B.dylib ??? (???) /usr/lib/libSystem.B.dylib
(In reply to comment #3)
> js> "" + (function() { if(delete(null?0:{})){[]} })

Entering javascript:("" + (function() { if(delete(null?0:{})){[]} })) into the URL bar in latest Minefield (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b5pre) Gecko/2008032304 Minefield/3.0b5pre) causes it to crash.

http://crash-stats.mozilla.com/report/index/7b52f8b0-f92c-11dc-82ca-001a4bd43ef6
Keywords: crash
Summary: "Assertion failure: cg->stackDepth >= 0" → "Assertion failure: cg->stackDepth >= 0" [@ SprintEnsureBuffer]
js> switch(delete[null?0:{}]){default:}

Debug builds show an assertion "Assertion failure: pn->pn_arity == PN_UNARY, at jsemit.c:5653". Optimized builds crash [@ js_EmitTree] with a null deref (thanks Jesse).

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008033104 Minefield/3.0pre

Latest Minefield crashes as well.
http://crash-stats.mozilla.com/report/index/a7934066-ff70-11dc-9450-001a4bd43e5c
Regression from patch for bug 346902. /be
Blocks: 346902
Flags: blocking1.9?
Keywords: regression
OS: Mac OS X → All
Hardware: PC → All
Attached patch: fix
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #312833 - Flags: review?(mrbkap)
Priority: -- → P1
Target Milestone: --- → mozilla1.9
Attachment #312833 - Flags: review?(mrbkap) → review+
+'ing. Do we need tests here?
Flags: blocking1.9? → blocking1.9+
(In reply to comment #8)
> +'ing. Do we need tests here?

You'll get one when the bug is fixed.
Comment on attachment 312833 (fix): a1.9+=damons
Attachment #312833 - Flags: approval1.9+
Fixed: js/src/jsparse.c 3.343 /be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Checking in js1_5/Regress/regress-387951-01.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-387951-01.js,v  <--  regress-387951-01.js
initial revision: 1.1
Checking in js1_5/Regress/regress-387951-02.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-387951-02.js,v  <--  regress-387951-02.js
initial revision: 1.1
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-387951-03.js,v  <--  regress-387951-03.js
initial revision: 1.1
/cvsroot/mozilla/js/tests/js1_7/regress/regress-387951.js,v  <--  regress-387951.js
initial revision: 1.1
Flags: in-testsuite+
Flags: in-litmus-
v 1.9.0
Status: RESOLVED → VERIFIED
Crash Signature: [@ SprintEnsureBuffer]