Closed Bug 491806 Opened 15 years ago Closed 15 years ago

"Assertion failure: (uintN)i < ss->top, at ../jsopcode.cpp" with uneval, for, yield

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: gkw, Assigned: brendan)

References

Details

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

fix
1.46 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review 
uneval(new Function("\
  for(\
    ((let (functional) x) for each ([] in [])); \
    yield x; \
    (let (x = true) x));\
"))

asserts debug js shell at Assertion failure: (uintN)i < ss->top, at ../jsopcode.cpp:2855

(gdb) bt
#0  JS_Assert (s=0x81f0405 "(uintN)i < ss->top", file=0x81ef705 "../jsopcode.cpp", ln=2855) at ../jsutil.cpp:69
#1  0x080d8521 in Decompile (ss=0xbffa87f4, pc=0x8cafcc0 "V", nb=4, nextop=JSOP_NOP) at ../jsopcode.cpp:2855
#2  0x080d5c8f in Decompile (ss=0xbffa87f4, pc=0x8cafcad "\006", nb=35, nextop=JSOP_NOP) at ../jsopcode.cpp:2178
#3  0x080e172c in DecompileCode (jp=0x8cad348, script=0x8cafc60, pc=0x8cafca5 "\200", len=35, pcdepth=0) at ../jsopcode.cpp:4831
#4  0x080d4fef in js_DecompileFunction (jp=0x8cad348) at ../jsopcode.cpp:5000
#5  0x0805840b in JS_DecompileFunction (cx=0x8ca31b0, fun=0x8cb06c8, indent=32768) at ../jsapi.cpp:5006
#6  0x080a670e in fun_toStringHelper (cx=0x8ca31b0, indent=32768, argc=0, vp=0x8cad458) at ../jsfun.cpp:1614
#7  0x080a6766 in fun_toSource (cx=0x8ca31b0, argc=0, vp=0x8cad458) at ../jsfun.cpp:1631
#8  0x080b390d in js_Invoke (cx=0x8ca31b0, argc=0, vp=0x8cad458, flags=0) at ../jsinterp.cpp:1234
#9  0x080b459d in js_InternalInvoke (cx=0x8ca31b0, obj=0x8cb06c8, fval=147484784, flags=0, argc=0, argv=0x0, rval=0xbffa8b28) at ../jsinterp.cpp:1428
#10 0x080c49ed in js_TryMethod (cx=0x8ca31b0, obj=0x8cb06c8, atom=0x8ca4234, argc=0, argv=0x0, rval=0xbffa8b28) at ../jsobj.cpp:5556
#11 0x081200b4 in js_ValueToSource (cx=0x8ca31b0, v=147523272) at ../jsstr.cpp:3000
#12 0x08120165 in str_uneval (cx=0x8ca31b0, argc=1, vp=0x8cad430) at ../jsstr.cpp:506
#13 0x081cd0f8 in js_Interpret (cx=0x8ca31b0) at ../jsinterp.cpp:5116
#14 0x080b31a8 in js_Execute (cx=0x8ca31b0, chain=0x8ca6000, script=0x8cad3b8, down=0x0, flags=0, result=0x0) at ../jsinterp.cpp:1601
#15 0x080581a8 in JS_ExecuteScript (cx=0x8ca31b0, obj=0x8ca6000, script=0x8cad3b8, rval=0x0) at ../jsapi.cpp:5040
#16 0x08051a4f in Process (cx=0x8ca31b0, obj=0x8ca6000, filename=0xbffaa715 "37a.js", forceTTY=0) at ../../shell/js.cpp:412
#17 0x080525d1 in ProcessArgs (cx=0x8ca31b0, obj=0x8ca6000, argv=0xbffa9538, argc=1) at ../../shell/js.cpp:806
#18 0x08052998 in main (argc=1, argv=0xbffa9538, envp=0xbffa9540) at ../../shell/js.cpp:4728
(gdb) frame 1
#1  0x080d8521 in Decompile (ss=0xbffa87f4, pc=0x8cafcc0 "V", nb=4, nextop=JSOP_NOP) at ../jsopcode.cpp:2855
2855	                LOCAL_ASSERT((uintN)i < ss->top);
(gdb) l
2850	                if (IsVarSlot(jp, pc, &i)) {
2851	                    atom = GetArgOrVarAtom(jp, i);
2852	                    LOCAL_ASSERT(atom);
2853	                    goto do_name;
2854	                }
2855	                LOCAL_ASSERT((uintN)i < ss->top);
2856	                sn = js_GetSrcNote(jp->script, pc);
2857	
2858	#if JS_HAS_DESTRUCTURING
2859	                if (sn && SN_TYPE(sn) == SRC_GROUPASSIGN) {
(gdb)

autoBisect shows this is probably related to bug 452498 :

The first bad revision is:
changeset:   26784:2cf0bbe3772a
user:        Brendan Eich
date:        Sun Apr 05 21:17:22 2009 -0700
summary:     upvar2, aka the big one take 2 (452498, r=mrbkap).
Flags: blocking1.9.1?
Attached patch fixSplinter Review 
Transplanting a comprehension expression, whether in a generator expression or not, can adjust blockids to hit or exceed tc->blockidGen, so that counter must be advanced to one more than the maximum adjusted blockid.

In a generator expression in a for loop head (or similar contexts), the failure to do this can lead to blockid replay, which confuses def/use chaining, as shown in the fuzzer-generated testcase for this bug.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #376186 - Flags: review?(mrbkap)
OS: Linux → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.1
Flags: blocking1.9.1? → blocking1.9.1+
Attachment #376186 - Flags: review?(mrbkap) → review+
Fixed:

http://hg.mozilla.org/tracemonkey/rev/d50aaa0e1085
http://hg.mozilla.org/mozilla-central/rev/81080882c3b5

/be
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey
Verified fixed with testcase in comment 0 with the following debug builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre)
Gecko/20090522 Minefield/3.6a1pre ID:20090522133810

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre)
Gecko/20090522 Shiretoko/3.5pre ID:20090522153422
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1
Target Milestone: mozilla1.9.1 → mozilla1.9.2a1
Flags: in-testsuite?
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: