477048 - "Assertion failure: cg->stackDepth == loopDepth, at ../jsemit.cpp"

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

for each (this.__proto__ in x) {}
Assertion failure: cg->stackDepth == loopDepth, at ../jsemit.cpp:4433
Trace/BPT trap

asserts debug (TM not needed) but seems to work as expected in opt. Related to bug 467495?

Nominating blocking-1.9.1 in case it is a regression from bug 467495, which is a P1 critical trunk bug.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to comment #0)
> Nominating blocking-1.9.1 in case it is a regression from bug 467495, which is
> a P1 critical trunk bug.

... and also because jsfunfuzz is hitting it very very frequently due to simplicity.

Comment 2

[Jason Orendorff [:jorendorff]]

Taking.

Comment 3

[Jason Orendorff [:jorendorff]]

Attachment: v1

Fallout from bug 469625.

This fixes the specific test case in the description. There are five calls to EmitPropOp in jsemit.cpp, need to check that none of them trip the assertion.

Comment 4

[Brendan Eich [:brendan]]

Comment on attachment 360751 [details] [diff] [review]
v1

Bad reviewer (me). Just a few lines more context would show the requirements. Thanks,

/be

Comment 5

[Jason Orendorff [:jorendorff]]

I checked, and FORPROP was the only opcode tripping the assertion there.  Pushed.

http://hg.mozilla.org/tracemonkey/rev/dc636df847be

Comment 6

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/dc636df847be

Comment 7

[Bob Clary [:bc] (inactive)]

http://hg.mozilla.org/mozilla-central/rev/7b238852cf5d

Comment 8

[Robert Sayre]

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/08b9729fd612

Comment 9

[Bob Clary [:bc] (inactive)]

js1_7/extensions/regress-477048.js
v 1.9.1, 1.9.2