"Assertion failure: cg->stackDepth >= 0, at ../jsemit.cpp"

RESOLVED FIXED in mozilla1.9.3a2

Status

()

Core
JavaScript Engine
P1
critical
RESOLVED FIXED
8 years ago
8 years ago

People

(Reporter: gkw, Assigned: brendan)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla1.9.3a2
assertion, regression, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 betaN+)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
(function() {
  const x;
  _( function() x %= a )
})()


asserts js debug shell on TM tip without -j at Assertion failure: cg->stackDepth >= 0, at ../jsemit.cpp:184

autoBisect shows this is probably related to bug 542002:

The first bad revision is:
changeset:   38030:a353e155804e
user:        Brendan Eich
date:        Wed Feb 10 15:17:52 2010 -0800
summary:     Bug 542002 - Optimize to flat closures even if some upvars can't be copied (r=jorendorff).
blocking2.0: --- → ?
(Reporter)

Comment 1

8 years ago
This seems to be occurring somewhat often in jsfunfuzz.
(Assignee)

Comment 2

8 years ago
Created attachment 427725 [details] [diff] [review]
minimal fix

If the use of a name being processed by BindNameToSlot can't be optimized, it should be left unmutated. This PND_CONST propagation must be followed by the code commented starting

    /*
     * Turn attempts to mutate const-declared bindings into get ops (for
 . . .

A bit too widely separated still but I'm going with the minimal patch here. 

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #427725 - Flags: review?(jorendorff)
(Assignee)

Updated

8 years ago
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.3a2
Attachment #427725 - Flags: review?(jorendorff) → review+
(Assignee)

Comment 3

8 years ago
http://hg.mozilla.org/tracemonkey/rev/93a270561814

/be
Whiteboard: fixed-in-tracemonkey

Comment 4

8 years ago
http://hg.mozilla.org/mozilla-central/rev/93a270561814
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Updated

8 years ago
blocking2.0: ? → betaN+
You need to log in before you can comment on or make changes to this bug.