Closed Bug 543565 Opened 15 years ago Closed 15 years ago

Assertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp | Assertion failure: pcdepth + ndefs <= StackDepth(script)

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
major

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- alpha1+

People

(Reporter: bc, Assigned: jorendorff)

References

()

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(3 files)

1.9.3 win/mac 1. http://finance.yahoo.com/q?s%3DAQUI.PK or 2. http://finance.yahoo.com/q?s%3DDISK 3. Assertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp, at c:/work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:6909 #3 0x003f26b2 in JS_Assert (s=0x4a3178 "fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp", file=0x49d300 "/work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp", ln=6909) at /work/mozilla/builds/1.9.3/mozilla/js/src/jsutil.cpp:70 #4 0x00442d29 in js::LeaveTree (tm=0x895088, state=@0xbfffb0b4, lr=0x6437bfc) at /work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:6907 #5 0x00443d84 in js::ExecuteTree (cx=0x6084a00, f=0x213b8ebc, inlineCallCount=@0xbfffb518, innermostNestedGuardp=0xbfffb198) at /work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:6641 #6 0x00445357 in js::MonitorLoopEdge (cx=0x6084a00, inlineCallCount=@0xbfffb518, reason=js::Record_Branch) at /work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:7128 #7 0x00340b63 in js_Interpret (cx=0x6084a00) at jsops.cpp:923 #8 0x00361c48 in js_Invoke (cx=0x6084a00, argc=2, vp=0x619f668, flags=0) at jsinterp.cpp:1396 #9 0x00325521 in js_fun_call (cx=0x6084a00, argc=2, vp=0x619f62c) at /work/mozilla/builds/1.9.3/mozilla/js/src/jsfun.cpp:1989 #10 0x0034db55 in js_Interpret (cx=0x6084a00) at jsops.cpp:2270 #11 0x00361c48 in js_Invoke (cx=0x6084a00, argc=1, vp=0x619f620, flags=0) at jsinterp.cpp:1396 found from crashdata with original signatures _filbuf. http://crash-stats.mozilla.com/query/query?do_query=1&product=Firefox&query_search=signature&query_type=exact&query=_filbuf
Summary: ssertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp → Assertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp
Severity: normal → major
OS: Windows XP → All
Summary: Assertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp → Assertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp | Assertion failure: pcdepth + ndefs <= StackDepth(script)
So far, I've reproduced this 33 times although some crashes are from the same domains.
blocking2.0: --- → ?
blocking2.0: ? → beta1
crashes on load (at least here on windows)
blocking2.0: beta1 → alpha1
related assertion at http://www.katzporn.com/w.php?q%3Dfoot%26w%3Dkp (probably NSFW): Assertion failure: js_ReconstructStackDepth(cx, fp->script, fi.pc) == uintN(fi.spdist - fp->script->nfixed), at c:/work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:5565
i'm on this - i have a 150-line testcase pending reduction off the URL - will post more soon.
I can reproduce this with the first link in comment #1 - though reduced test case would be awesome for bisecting.
Assignee: general → jorendorff
Patch coming.
Attached patch v1Splinter Review
Fix and minimal test.
Attachment #424879 - Flags: review?(brendan)
Attachment #424879 - Flags: review?(brendan) → review+
Comment on attachment 424879 [details] [diff] [review] v1 Thanks. For some reason I find the (op != JSOP_POP || ... != JSOP_UNBRAND) clearer in the context of the && chain, but either way is good. /be
Whiteboard: fixed-in-tracemonkey
Attached file 90-liner testcase
... though jorendorff might have beat me to the minimal testcase :)
(In reply to comment #10) > Created an attachment (id=424879) [details] > v1 > > Fix and minimal test. autoBisect shows this is probably related to bug 536564: The first bad revision is: changeset: 37037:36bbd730e24f user: Brendan Eich date: Thu Jan 14 09:33:14 2010 -0800 summary: Analyze module pattern and private-statics pattern in order to despecialize from methods to slots/sprops (536564, r=jorendorff).
I'm crashing several times a day with this. I hope we can get this on trunk ASAP.
Can we get this on to mozilla-central before the alpha freeze in 6 hours and 44 minutes?
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/closures/bug543565.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: