543565 - Assertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp | Assertion failure: pcdepth + ndefs <= StackDepth(script)

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Bob Clary [:bc] (inactive)]

1.9.3 win/mac

1. http://finance.yahoo.com/q?s%3DAQUI.PK or
2. http://finance.yahoo.com/q?s%3DDISK
3. Assertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp, at c:/work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:6909

#3  0x003f26b2 in JS_Assert (s=0x4a3178 "fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->regs->pc) == fp->regs->sp", file=0x49d300 "/work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp", ln=6909) at /work/mozilla/builds/1.9.3/mozilla/js/src/jsutil.cpp:70
#4  0x00442d29 in js::LeaveTree (tm=0x895088, state=@0xbfffb0b4, lr=0x6437bfc) at /work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:6907
#5  0x00443d84 in js::ExecuteTree (cx=0x6084a00, f=0x213b8ebc, inlineCallCount=@0xbfffb518, innermostNestedGuardp=0xbfffb198) at /work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:6641
#6  0x00445357 in js::MonitorLoopEdge (cx=0x6084a00, inlineCallCount=@0xbfffb518, reason=js::Record_Branch) at /work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:7128
#7  0x00340b63 in js_Interpret (cx=0x6084a00) at jsops.cpp:923
#8  0x00361c48 in js_Invoke (cx=0x6084a00, argc=2, vp=0x619f668, flags=0) at jsinterp.cpp:1396
#9  0x00325521 in js_fun_call (cx=0x6084a00, argc=2, vp=0x619f62c) at /work/mozilla/builds/1.9.3/mozilla/js/src/jsfun.cpp:1989
#10 0x0034db55 in js_Interpret (cx=0x6084a00) at jsops.cpp:2270
#11 0x00361c48 in js_Invoke (cx=0x6084a00, argc=1, vp=0x619f620, flags=0) at jsinterp.cpp:1396


found from crashdata with original signatures _filbuf.
http://crash-stats.mozilla.com/query/query?do_query=1&product=Firefox&query_search=signature&query_type=exact&query=_filbuf

Comment 1

[Bob Clary [:bc] (inactive)]

also:
http://cpplover.blogspot.com/
http://www.costco.com/Browse/Product.aspx + product stuff
http://www.wwe.com/
http://news.sina.com.cn/z/video/ethiopiancrash/index.shtml
http://robin-room.sakura.ne.jp/sns/
http://video.aol.co.uk/video-detail/hack-happy-island-cheat-exp-coin-de-todo-all-xd-01-2010-01-activo-/2245052126
http://www.yourdictionary.com/telecom/smdr

I think this is also related. If not, please split into a separate bug:

Assertion failure: pcdepth + ndefs <= StackDepth(script)
 at c:/work/mozilla/builds/1.9.3/mozilla/js/src/jsopcode.cpp:5391

http://vuaphapthuat.zooz.vn/default.aspx
http://www.quakelive.com/#home
http://servicecut.nl/Posts/Tag/Kick-Ass

Comment 2

[Robert O'Callahan (:roc) (email my personal email if necessary)]

http://edition.cnn.com/2010/WORLD/asiapcf/01/30/taiwan.animated.news/index.html

Comment 3

[Bob Clary [:bc] (inactive)]

So far, I've reproduced this 33 times although some crashes are from the same domains.

Comment 5

[Carsten Book [:Tomcat]]

Attachment: zipped source of the crashing page - crashes on load as local testcase

crashes on load (at least here on windows)

Comment 6

[Bob Clary [:bc] (inactive)]

related assertion at http://www.katzporn.com/w.php?q%3Dfoot%26w%3Dkp (probably NSFW):

Assertion failure: js_ReconstructStackDepth(cx, fp->script, fi.pc) == uintN(fi.spdist - fp->script->nfixed), at c:/work/mozilla/builds/1.9.3/mozilla/js/src/jstracer.cpp:5565

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

i'm on this - i have a 150-line testcase pending reduction off the URL - will post more soon.

Comment 8

[David Anderson [:dvander] - inactive, e-mail if emergency]

I can reproduce this with the first link in comment #1 - though reduced test case would be awesome for bisecting.

Comment 9

[Jason Orendorff [:jorendorff]]

Patch coming.

Comment 10

[Jason Orendorff [:jorendorff]]

Attachment: v1

Fix and minimal test.

Comment 11

[Brendan Eich [:brendan]]

Comment on attachment 424879 [details] [diff] [review]
v1

Thanks. For some reason I find the (op != JSOP_POP || ... != JSOP_UNBRAND) clearer in the context of the && chain, but either way is good.

/be

Comment 12

[Jason Orendorff [:jorendorff]]

http://hg.mozilla.org/tracemonkey/rev/08ce7f3de088

Comment 13

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: 90-liner testcase

... though jorendorff might have beat me to the minimal testcase :)

Comment 14

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to comment #10)
> Created an attachment (id=424879) [details]
> v1
> 
> Fix and minimal test.

autoBisect shows this is probably related to bug 536564:

The first bad revision is:
changeset:   37037:36bbd730e24f
user:        Brendan Eich
date:        Thu Jan 14 09:33:14 2010 -0800
summary:     Analyze module pattern and private-statics pattern in order to despecialize from methods to slots/sprops (536564, r=jorendorff).

Comment 16

[Robert O'Callahan (:roc) (email my personal email if necessary)]

I'm crashing several times a day with this. I hope we can get this on trunk ASAP.

Comment 17

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Can we get this on to mozilla-central before the alpha freeze in 6 hours and 44 minutes?

Comment 18

[Brendan Eich [:brendan]]

http://hg.mozilla.org/mozilla-central/rev/747a088e5360

/be

Comment 19

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/08ce7f3de088

Comment 20

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/closures/bug543565.js.