Closed Bug 543565 Opened 12 years ago Closed 12 years ago

Assertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp | Assertion failure: pcdepth + ndefs <= StackDepth(script)

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
major

Tracking

RESOLVED FIXED
Tracking Status
blocking2.0 --- alpha1+

People

(Reporter: bc, Assigned: jorendorff)

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(3 files)

1.9.3 win/mac

1. http://finance.yahoo.com/q?s%3DAQUI.PK or
2. http://finance.yahoo.com/q?s%3DDISK
3. Assertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp, at c:/work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:6909

#3  0x003f26b2 in JS_Assert (s=0x4a3178 "fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp", file=0x49d300 "/work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp", ln=6909) at /work/mozilla/builds/1.9.3/mozilla/js/src/jsutil.cpp:70
#4  0x00442d29 in js::LeaveTree (tm=0x895088, state=@0xbfffb0b4, lr=0x6437bfc) at /work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:6907
#5  0x00443d84 in js::ExecuteTree (cx=0x6084a00, f=0x213b8ebc, inlineCallCount=@0xbfffb518, innermostNestedGuardp=0xbfffb198) at /work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:6641
#6  0x00445357 in js::MonitorLoopEdge (cx=0x6084a00, inlineCallCount=@0xbfffb518, reason=js::Record_Branch) at /work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:7128
#7  0x00340b63 in js_Interpret (cx=0x6084a00) at jsops.cpp:923
#8  0x00361c48 in js_Invoke (cx=0x6084a00, argc=2, vp=0x619f668, flags=0) at jsinterp.cpp:1396
#9  0x00325521 in js_fun_call (cx=0x6084a00, argc=2, vp=0x619f62c) at /work/mozilla/builds/1.9.3/mozilla/js/src/jsfun.cpp:1989
#10 0x0034db55 in js_Interpret (cx=0x6084a00) at jsops.cpp:2270
#11 0x00361c48 in js_Invoke (cx=0x6084a00, argc=1, vp=0x619f620, flags=0) at jsinterp.cpp:1396


found from crashdata with original signatures _filbuf.
http://crash-stats.mozilla.com/query/query?do_query=1&product=Firefox&query_search=signature&query_type=exact&query=_filbuf
Summary: ssertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp → Assertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp
also:
http://cpplover.blogspot.com/
http://www.costco.com/Browse/Product.aspx + product stuff
http://www.wwe.com/
http://news.sina.com.cn/z/video/ethiopiancrash/index.shtml
http://robin-room.sakura.ne.jp/sns/
http://video.aol.co.uk/video-detail/hack-happy-island-cheat-exp-coin-de-todo-all-xd-01-2010-01-activo-/2245052126
http://www.yourdictionary.com/telecom/smdr

I think this is also related. If not, please split into a separate bug:

Assertion failure: pcdepth + ndefs <= StackDepth(script)
 at c:/work/mozilla/builds/1.9.3/mozilla/js/src/jsopcode.cpp:5391

http://vuaphapthuat.zooz.vn/default.aspx
http://www.quakelive.com/#home
http://servicecut.nl/Posts/Tag/Kick-Ass
Severity: normal → major
OS: Windows XP → All
Summary: Assertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp → Assertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp | Assertion failure: pcdepth + ndefs <= StackDepth(script)
So far, I've reproduced this 33 times although some crashes are from the same domains.
blocking2.0: --- → ?
blocking2.0: ? → beta1
crashes on load (at least here on windows)
blocking2.0: beta1 → alpha1
related assertion at http://www.katzporn.com/w.php?q%3Dfoot%26w%3Dkp (probably NSFW):

Assertion failure: js_ReconstructStackDepth(cx, fp->script, fi.pc) == uintN(fi.spdist - fp->script->nfixed), at c:/work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:5565
I'm on this - I have a 150-line testcase pending reduction off the URL - will post more soon.
I can reproduce this with the first link in comment #1 - though reduced test case would be awesome for bisecting.
Assignee: general → jorendorff
Patch coming.
Attached patch v1
Fix and minimal test.
Attachment #424879 - Flags: review?(brendan)
Attachment #424879 - Flags: review?(brendan) → review+
Comment on attachment 424879
v1

Thanks. For some reason I find the (op != JSOP_POP || ... != JSOP_UNBRAND) clearer in the context of the && chain, but either way is good.

/be
http://hg.mozilla.org/tracemonkey/rev/08ce7f3de088
Whiteboard: fixed-in-tracemonkey
Attached file 90-liner testcase
... though jorendorff might have beat me to the minimal testcase :)
(In reply to comment #10)
> Created an attachment (id=424879)
> v1
> 
> Fix and minimal test.

autoBisect shows this is probably related to bug 536564:

The first bad revision is:
changeset:   37037:36bbd730e24f
user:        Brendan Eich
date:        Thu Jan 14 09:33:14 2010 -0800
summary:     Analyze module pattern and private-statics pattern in order to despecialize from methods to slots/sprops (536564, r=jorendorff).
I'm crashing several times a day with this. I hope we can get this on trunk ASAP.
Can we get this on to mozilla-central before the alpha freeze in 6 hours and 44 minutes?
http://hg.mozilla.org/mozilla-central/rev/747a088e5360

/be
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/closures/bug543565.js.
Flags: in-testsuite+