Closed Bug 387951
Opened 17 years ago, closed 16 years ago
"Assertion failure: cg->stackDepth >= 0" [@ SprintEnsureBuffer]

Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, mozilla1.9
People: Reporter: jruderman, Assigned: brendan
Keywords: 4 keywords
Attachments (1 file): patch, 1.40 KB; mrbkap: review+; damons: approval1.9+
Description
js> if (delete (0 ? 3 : {}));
Assertion failure: cg->stackDepth >= 0, at jsemit.c:180

Comment 1 • 17 years ago (Reporter)
Same thing in opt triggers some console output (!)

js> if (delete (0 ? 3 : {}));
warning: internal error compiling typein: stack underflow at pc 1
warning: internal error compiling typein: stack underflow at pc 2
warning: internal error compiling typein: stack underflow at pc 4
warning: internal error compiling typein: stack underflow at pc 7
InternalError: stack overflow in script
Comment 2 • 16 years ago
(In reply to comment #1)
> Same thing in opt triggers some console output (!)
>
> js> if (delete (0 ? 3 : {}));
> warning: internal error compiling typein: stack underflow at pc 1
> warning: internal error compiling typein: stack underflow at pc 2
> warning: internal error compiling typein: stack underflow at pc 4
> warning: internal error compiling typein: stack underflow at pc 7
> InternalError: stack overflow in script

Testing on the latest CVS trunk js shell, the InternalError I get now is "InternalError: script stack space quota is exhausted".

With another testcase:

js> with(delete let (functional) null ? 1 : {}){}
warning: internal error compiling typein: stack underflow at pc 11
warning: internal error compiling typein: stack underflow at pc 12
warning: internal error compiling typein: stack underflow at pc 14
warning: internal error compiling typein: stack underflow at pc 15
warning: internal error compiling typein: stack underflow at pc 16
InternalError: script stack space quota is exhausted

I get "Assertion failure: cg->stackDepth >= 0, at jsemit.c:183" when using a debug js shell as well. Might this be related as well? (Differs by different "pc" locations)
Comment 3 • 16 years ago
js> "" + (function() { if(delete(null?0:{})){[]} })

A similar function definitely crashes js shell with a "bus error", and asserts the same message. A crash log:

Process: js-opt [14324]
Path: ./js-opt
Identifier: js-opt
Version: ??? (???)
Code Type: X86 (Native)
Parent Process: bash [13573]
Date/Time: 2008-03-23 15:28:58.839 -0700
OS Version: Mac OS X 10.5.2 (9C31)
Report Version: 6

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x000000000000000f
Crashed Thread: 0

Thread 0 Crashed:
0 js-opt 0x0004921c SprintEnsureBuffer + 151
1 js-opt 0x000492c5 SprintPut + 26
2 js-opt 0x00049374 Sprint + 69
3 js-opt 0x00049a79 SprintDoubleValue + 271
4 js-opt 0x0004fc81 Decompile + 23244
5 js-opt 0x00052189 DecompileCode + 157
6 js-opt 0x00053663 js_DecompileFunction + 738
7 js-opt 0x00008822 JS_DecompileFunction + 74
8 js-opt 0x0002c89e fun_toStringHelper + 313
9 js-opt 0x0003c54f js_Invoke + 1293
10 js-opt 0x0003bfd2 js_InternalInvoke + 124
11 js-opt 0x0004400b js_TryMethod + 231
12 js-opt 0x0004419a js_DefaultValue + 301
13 js-opt 0x000345ae js_Interpret + 11836
14 js-opt 0x0003db6f js_Execute + 569
15 js-opt 0x00008916 JS_ExecuteScript + 60
16 js-opt 0x0000243c Process + 449
17 js-opt 0x00005c87 main + 2336
18 js-opt 0x0000211a start + 54
Comment 4 • 16 years ago
(In reply to comment #3)
> js> "" + (function() { if(delete(null?0:{})){[]} })

Entering javascript:("" + (function() { if(delete(null?0:{})){[]} })) into the URL bar in latest Minefield (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b5pre) Gecko/2008032304 Minefield/3.0b5pre) causes it to crash.

http://crash-stats.mozilla.com/report/index/7b52f8b0-f92c-11dc-82ca-001a4bd43ef6
Keywords: crash
Summary: "Assertion failure: cg->stackDepth >= 0" → "Assertion failure: cg->stackDepth >= 0" [@ SprintEnsureBuffer]
Comment 5 • 16 years ago
js> switch(delete[null?0:{}]){default:}

Debug builds show an assertion "Assertion failure: pn->pn_arity == PN_UNARY, at jsemit.c:5653". Optimized builds crash [@ js_EmitTree] with a null deref (thanks Jesse).

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008033104 Minefield/3.0pre
Latest Minefield crashes as well.

http://crash-stats.mozilla.com/report/index/a7934066-ff70-11dc-9450-001a4bd43e5c
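The testcases collected in this bug are exactly what a regression test has to keep exercising. As an added example (not part of the bug, nor of the regress-387951-*.js files later checked in under comment 12), the harness below feeds each quoted testcase through the `Function` constructor so the host engine's parser and bytecode emitter run over it, then executes it. The names `checkTestcase`, `runAll` and `passes` and the status labels are this example's own; the `with`/let-expression case uses SpiderMonkey-only syntax, so a plain SyntaxError from another engine is tolerated, whereas an InternalError (the symptom reported here) is flagged as a regression.

```javascript
// Testcases quoted in the bug (description, comments 2, 3 and 5), verbatim.
const TESTCASES = [
  "if (delete (0 ? 3 : {}));",
  "with (delete let (functional) null ? 1 : {}) {}",
  "'' + (function () { if (delete (null ? 0 : {})) { [] } });",
  "switch (delete [null ? 0 : {}]) { default: }",
];

// Compile one source string as a (sloppy-mode) function body, then run it,
// and classify how the engine handled it.
function checkTestcase(src) {
  let fn;
  try {
    fn = new Function(src); // parser + bytecode emitter run here
  } catch (e) {
    if (e instanceof SyntaxError) {
      // Unsupported extension syntax (e.g. let-expressions) is not a crash.
      return { src, status: "syntax-error", detail: e.message };
    }
    return { src, status: "compile-failure", detail: String(e) };
  }
  try {
    fn(); // the "stack underflow" warnings surfaced at execution time
    return { src, status: "ok" };
  } catch (e) {
    // The bug showed up as InternalError ("stack overflow in script",
    // "script stack space quota is exhausted"); that name is engine-specific.
    if (e && e.name === "InternalError") {
      return { src, status: "regression", detail: e.message };
    }
    return { src, status: "runtime-error", detail: String(e) };
  }
}

// Run every testcase and collect the classifications.
function runAll(cases = TESTCASES) {
  return cases.map(checkTestcase);
}

// A build passes when nothing regressed: only "ok" or "syntax-error" remain.
function passes(results) {
  return results.every((r) => r.status === "ok" || r.status === "syntax-error");
}
```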
Comment 6 • 16 years ago (Assignee)
Regression from patch for bug 346902.

/be
Comment 7 • 16 years ago (Assignee)
Updated • 16 years ago (Assignee)
Priority: -- → P1
Target Milestone: --- → mozilla1.9
Updated • 16 years ago
Attachment #312833 - Flags: review?(mrbkap) → review+
Comment 9 • 16 years ago
(In reply to comment #8)
> +'ing. Do we need tests here?
>
you'll get one when the bug is fixed.
Comment 10 • 16 years ago
Comment on attachment 312833 [details] [diff] [review] fix

a1.9+=damons

Attachment #312833 - Flags: approval1.9+
Comment 11 • 16 years ago (Assignee)
Fixed:

js/src/jsparse.c 3.343

/be
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 12 • 16 years ago
Checking in js1_5/Regress/regress-387951-01.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-387951-01.js,v <-- regress-387951-01.js
initial revision: 1.1
Checking in js1_5/Regress/regress-387951-02.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-387951-02.js,v <-- regress-387951-02.js
initial revision: 1.1
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-387951-03.js,v <-- regress-387951-03.js
initial revision: 1.1
/cvsroot/mozilla/js/tests/js1_7/regress/regress-387951.js,v <-- regress-387951.js
initial revision: 1.1
Flags: in-testsuite+
Flags: in-litmus-
Updated • 13 years ago
Crash Signature: [@ SprintEnsureBuffer]