546069 - "Assertion failure: cg->stackDepth >= 0, at ../jsemit.cpp"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(function() {
  const x;
  _( function() x %= a )
})()


asserts js debug shell on TM tip without -j at Assertion failure: cg->stackDepth >= 0, at ../jsemit.cpp:184

autoBisect shows this is probably related to bug 542002:

The first bad revision is:
changeset:   38030:a353e155804e
user:        Brendan Eich
date:        Wed Feb 10 15:17:52 2010 -0800
summary:     Bug 542002 - Optimize to flat closures even if some upvars can't be copied (r=jorendorff).

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This seems to be occurring somewhat often in jsfunfuzz.

Comment 2

[Brendan Eich [:brendan]]

Attachment: minimal fix

If the use of a name being processed by BindNameToSlot can't be optimized, it should be left unmutated. This PND_CONST propagation must be followed by the code commented starting

    /*
     * Turn attempts to mutate const-declared bindings into get ops (for
 . . .

A bit too widely separated still but I'm going with the minimal patch here. 

/be

Comment 3

[Brendan Eich [:brendan]]

http://hg.mozilla.org/tracemonkey/rev/93a270561814

/be

Comment 4

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/93a270561814