Closed Bug 495843 Opened 16 years ago Closed 16 years ago

Crash [@ js_Interpret] or "Assertion failure: cg->stackDepth == stackDepth, at ../jsemit.cpp"

Tracking

()

Status:

VERIFIED FIXED

Milestone:

mozilla1.9.2a1

People

(Reporter: gkw, Assigned: mrbkap)

References

Details

(5 keywords, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

Shot in the dark 16 years ago Blake Kaplan (:mrbkap) (inactive) 910 bytes, patch	brendan : review+	Details \| Diff \| Splinter Review

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

16 years ago

const x;[x]='';for(;[];){} crashes TM opt without -j at js_Interpret and asserts TM dbg at Assertion failure: cg->stackDepth == stackDepth, at ../jsemit.cpp:3796 === $ ./js-opt-tm-intelmac js> const x;[x]='';for(;[];){} warning: internal error compiling typein: stack underflow at pc 14 warning: internal error compiling typein: stack underflow at pc 15 warning: internal error compiling typein: stack underflow at pc 16 warning: internal error compiling typein: stack underflow at pc 19 warning: internal error compiling typein: stack underflow at pc 20 warning: internal error compiling typein: stack underflow at pc 23 warning: internal error compiling typein: stack underflow at pc 26 Bus error $ ./js-dbg-tm-intelmac js> const x;[x]='';for(;[];){} Assertion failure: cg->stackDepth == stackDepth, at ../jsemit.cpp:3796 Trace/BPT trap

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 1

•

16 years ago

autoBisect shows this is probably related to bug 493760 : The first bad revision is: changeset: 28520:241dad2cc2e3 user: Brendan Eich date: Tue May 19 18:40:55 2009 -0700 summary: Bug 493760: the real fix for problem left in wake of patch for bug 493466 (r=mrbkap).

Blocks: 493760

Flags: blocking1.9.1?

Keywords: regression

Robert Sayre

Updated

•

16 years ago

Flags: blocking1.9.1? → blocking1.9.1+

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 2

•

16 years ago

Another testcase: "" + new Function("const x;(g)({4:x}=[])") $ ./js-opt-tm-intelmac js> "" + new Function("const x;(g)({4:x}=[])") typein:1: warning: internal error compiling typein: stack underflow at pc 18 typein:1: warning: internal error compiling typein: stack underflow at pc 21 typein:1: warning: internal error compiling typein: stack underflow at pc 22 Segmentation fault $ ./js-dbg-tm-intelmac js> "" + new Function("const x;(g)({4:x}=[])") Assertion failure: cg->stackDepth == stackDepth, at ../jsemit.cpp:3796 Trace/breakpoint trap

OS: Mac OS X → All

Hardware: x86 → All

Mike Beltzner [:beltzner, not reading bugmail]

Updated

•

16 years ago

Whiteboard: [needs assignee]

Damon Sicore (:damons)

Comment 3

•

16 years ago

Assigning to bkap.

Assignee: general → mrbkap

Blake Kaplan (:mrbkap) (inactive)

Assignee

Comment 4

•

16 years ago

Attached patch Shot in the dark — Details — Splinter Review

I don't know if this is right, but it seems to fix the assertion. The decompiler is still confused though: js> (function() {const x;[x]='';}) function () { const x; [, ] = "";

Attachment #381219 - Flags: review?(brendan)

Jesse Ruderman

Comment 5

•

16 years ago

The decompiler issue might bug 492010.

Mike Beltzner [:beltzner, not reading bugmail]

Updated

•

16 years ago

Whiteboard: [needs assignee] → [has patch]

Brendan Eich [:brendan]

Comment 6

•

16 years ago

(In reply to comment #4) > Created an attachment (id=381219) [details] > Shot in the dark > > I don't know if this is right, but it seems to fix the assertion. The > decompiler is still confused though: > > js> (function() {const x;[x]='';}) > function () { > const x; > [, ] = ""; You cut off the closing brace line, right? This is a valid decompilation and it is stable when round-tripped through eval. Patch is good, thanks. Will stamp now. /be

Brendan Eich [:brendan]

Updated

•

16 years ago

Attachment #381219 - Flags: review?(brendan) → review+

Robert Sayre

Comment 7

•

16 years ago

(In reply to comment #6) > You cut off the closing brace line, right? Yes, he did. http://hg.mozilla.org/tracemonkey/rev/619278dc6389

Whiteboard: [has patch] → fixed-in-tracemonkey

Ben Newman (:bnewman) (:benjamn)

Comment 8

•

16 years ago

Per request of damons: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ee0c5ec5d68d I'm assuming this also needs landing on mozilla-central...

Ben Newman (:bnewman) (:benjamn)

Updated

•

16 years ago

Keywords: fixed1.9.1

Ben Newman (:bnewman) (:benjamn)

Comment 9

•

16 years ago

(In reply to comment #8) > I'm assuming this also needs landing on mozilla-central... Per my assumption: http://hg.mozilla.org/mozilla-central/rev/0c053dca8ea6

Ben Newman (:bnewman) (:benjamn)

Updated

•

16 years ago

Status: NEW → RESOLVED

Closed: 16 years ago

Resolution: --- → FIXED

Ben Newman (:bnewman) (:benjamn)

Comment 10

•

16 years ago

Apologies to mrbkap for accidentally crediting myself for this patch!

Robert Sayre

Comment 11

•

16 years ago

http://hg.mozilla.org/mozilla-central/rev/619278dc6389

Henrik Skupin [:whimboo][⌚️UTC+2]

Comment 12

•

16 years ago

Verified fixed on trunk and 1.9.1 with testcase in comment 0 and debug builds like: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090604 Minefield/3.6a1pre ID:20090604215922 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090604 Shiretoko/3.5pre ID:20090604202448

Status: RESOLVED → VERIFIED

Flags: in-testsuite?

Keywords: fixed1.9.1 → verified1.9.1

Target Milestone: --- → mozilla1.9.2a1

Nobody; OK to take it and work on it

Updated

•

14 years ago

Crash Signature: [@ js_Interpret]

Christian Holler (:decoder)

Comment 13

•

13 years ago

Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Flags: in-testsuite? → in-testsuite+

You need to log in before you can comment on or make changes to this bug.