Closed Bug 387951 Opened 17 years ago Closed 16 years ago

"Assertion failure: cg->stackDepth >= 0" [@ SprintEnsureBuffer]

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

VERIFIED FIXED
mozilla1.9

People

(Reporter: jruderman, Assigned: brendan)

js> if (delete (0 ? 3 : {}));
Assertion failure: cg->stackDepth >= 0, at jsemit.c:180
Same thing in opt triggers some console output (!)

js> if (delete (0 ? 3 : {}));
warning: internal error compiling typein: stack underflow at pc 1
warning: internal error compiling typein: stack underflow at pc 2
warning: internal error compiling typein: stack underflow at pc 4
warning: internal error compiling typein: stack underflow at pc 7
InternalError: stack overflow in script
(In reply to comment #1)
> Same thing in opt triggers some console output (!)
> 
> js> if (delete (0 ? 3 : {}));
> warning: internal error compiling typein: stack underflow at pc 1
> warning: internal error compiling typein: stack underflow at pc 2
> warning: internal error compiling typein: stack underflow at pc 4
> warning: internal error compiling typein: stack underflow at pc 7
> InternalError: stack overflow in script

Testing on the latest CVS trunk js shell, the InternalError I get now is "InternalError: script stack space quota is exhausted".

With another testcase:

js> with(delete let (functional) null ? 1 : {}){}

warning: internal error compiling typein: stack underflow at pc 11
warning: internal error compiling typein: stack underflow at pc 12
warning: internal error compiling typein: stack underflow at pc 14
warning: internal error compiling typein: stack underflow at pc 15
warning: internal error compiling typein: stack underflow at pc 16
InternalError: script stack space quota is exhausted

I get "Assertion failure: cg->stackDepth >= 0, at jsemit.c:183" when using a debug js shell as well.

Might this be related as well? (Differs by different "pc" locations)
js> "" + (function() { if(delete(null?0:{})){[]} })

A similar function definitely crashes js shell with a "bus error", and asserts the same message.

A crash log:

Process:         js-opt [14324]
Path:            ./js-opt
Identifier:      js-opt
Version:         ??? (???)
Code Type:       X86 (Native)
Parent Process:  bash [13573]

Date/Time:       2008-03-23 15:28:58.839 -0700
OS Version:      Mac OS X 10.5.2 (9C31)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x000000000000000f
Crashed Thread:  0

Thread 0 Crashed:
0   js-opt                        	0x0004921c SprintEnsureBuffer + 151
1   js-opt                        	0x000492c5 SprintPut + 26
2   js-opt                        	0x00049374 Sprint + 69
3   js-opt                        	0x00049a79 SprintDoubleValue + 271
4   js-opt                        	0x0004fc81 Decompile + 23244
5   js-opt                        	0x00052189 DecompileCode + 157
6   js-opt                        	0x00053663 js_DecompileFunction + 738
7   js-opt                        	0x00008822 JS_DecompileFunction + 74
8   js-opt                        	0x0002c89e fun_toStringHelper + 313
9   js-opt                        	0x0003c54f js_Invoke + 1293
10  js-opt                        	0x0003bfd2 js_InternalInvoke + 124
11  js-opt                        	0x0004400b js_TryMethod + 231
12  js-opt                        	0x0004419a js_DefaultValue + 301
13  js-opt                        	0x000345ae js_Interpret + 11836
14  js-opt                        	0x0003db6f js_Execute + 569
15  js-opt                        	0x00008916 JS_ExecuteScript + 60
16  js-opt                        	0x0000243c Process + 449
17  js-opt                        	0x00005c87 main + 2336
18  js-opt                        	0x0000211a start + 54

(In reply to comment #3)
> js> "" + (function() { if(delete(null?0:{})){[]} })

Entering 

javascript:("" + (function() { if(delete(null?0:{})){[]} }))

into URL bar in latest Minefield ( Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b5pre) Gecko/2008032304 Minefield/3.0b5pre ) causes it to crash.

http://crash-stats.mozilla.com/report/index/7b52f8b0-f92c-11dc-82ca-001a4bd43ef6
Keywords: crash
Summary: "Assertion failure: cg->stackDepth >= 0" → "Assertion failure: cg->stackDepth >= 0" [@ SprintEnsureBuffer]
js> switch(delete[null?0:{}]){default:}

Debug builds show an assertion "Assertion failure: pn->pn_arity == PN_UNARY, at jsemit.c:5653".

Optimized builds crash [@ js_EmitTree] with a null deref (thanks Jesse).

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008033104 Minefield/3.0pre

Latest Minefield crashes as well.

http://crash-stats.mozilla.com/report/index/a7934066-ff70-11dc-9450-001a4bd43e5c
Regression from patch for bug 346902.

/be
Blocks: 346902
Flags: blocking1.9?
Keywords: regression
OS: Mac OS X → All
Hardware: PC → All
Attached patch fixSplinter Review
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #312833 - Flags: review?(mrbkap)
Priority: -- → P1
Target Milestone: --- → mozilla1.9
Attachment #312833 - Flags: review?(mrbkap) → review+
+'ing.  Do we need tests here?
Flags: blocking1.9? → blocking1.9+
(In reply to comment #8)
> +'ing.  Do we need tests here?
> 

you'll get one when the bug is fixed.
Comment on attachment 312833 [details] [diff] [review]
fix

a1.9+=damons
Attachment #312833 - Flags: approval1.9+
Fixed:

js/src/jsparse.c 3.343

/be
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Checking in js1_5/Regress/regress-387951-01.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-387951-01.js,v  <--  regress-387951-01.js
initial revision: 1.1

Checking in js1_5/Regress/regress-387951-02.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-387951-02.js,v  <--  regress-387951-02.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/Regress/regress-387951-03.js,v  <--  regress-387951-03.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_7/regress/regress-387951.js,v  <--  regress-387951.js
initial revision: 1.1
Flags: in-testsuite+
Flags: in-litmus-
v 1.9.0
Status: RESOLVED → VERIFIED
Crash Signature: [@ SprintEnsureBuffer]
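As an added example, not part of this bug or of the regress-387951-*.js tests checked in above, here is a small harness in the spirit of those tests: it compiles each testcase quoted in the comments with `new Function` (which drives the bytecode emitter without running anything) and classifies the outcome, so a compile-time internal error of the kind reported here is told apart from a plain SyntaxError (the JS1.7 `let (x) expr` form in comment 2 is no longer grammar in current engines). It also shows the semantics the emitter must implement for the fixed case: `delete` on a non-reference operand evaluates the operand and yields true.

```javascript
// Constructed list of the testcases quoted in this bug, one per comment.
const TESTCASES = [
  'if (delete (0 ? 3 : {}));',                                  // comments 0/1
  'with (delete let (functional) null ? 1 : {}) {}',            // comment 2, JS1.7 let expression
  '"" + (function() { if (delete (null ? 0 : {})) { [] } });', // comment 3
  'switch (delete [null ? 0 : {}]) { default: }',              // comment 6
];

// Compile one testcase, then run it, and say which stage (if any) failed.
function classify(src) {
  let fn;
  try {
    fn = new Function(src); // compile only: exercises parser + emitter
  } catch (e) {
    // SyntaxError: the grammar rejects the source (expected for the let form).
    // Anything else thrown while compiling is an engine-internal error, which
    // is what the buggy emitter produced ("stack underflow at pc N").
    return e instanceof SyntaxError ? 'syntax-error' : 'internal-error';
  }
  try {
    fn(); // sloppy-mode body, so `with` is allowed
    return 'ok';
  } catch (e) {
    return 'runtime-error';
  }
}

// Run every testcase and pair each source with its classification.
function runAll() {
  return TESTCASES.map(src => ({ src, result: classify(src) }));
}

// The fixed behaviour: delete of a non-reference (here a conditional whose
// arms are a number and an object literal) evaluates the operand, pops it,
// and yields true, whichever arm is taken. A negative cg->stackDepth in the
// emitter meant the pop was unbalanced for this shape of operand.
function deleteOnConditional(cond) {
  return delete (cond ? 3 : {});
}
```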