Closed Bug 592962 Opened 14 years ago Closed 14 years ago

"Assertion failure: simsp <= i.sp()"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: luke)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

Testcase:
  default xml namespace = Proxy.create({get: Proxy.create});

Result:
  Assertion failure: simsp <= i.sp(), at jsfun.cpp:3099

Regression from:
  changeset:   52720:66c8ad02543b
  user:        Luke Wagner <lw@mozilla.com>
  date:        Mon Aug 16 12:35:04 2010 -0700
  pushed:      Wed Sep 01 14:37:24 2010 -0700
  summary:     Bug 581263 - remove slow natives (r=waldo,mrbkap)

Result prior to regression:
  TypeError: getPropertyDescriptor is not a function
Attached patch: fix
This assertion just checks something I thought should be true: that the real stack pointer is at least as high as ReconstructStackDepth says it is.  However, the subsequent condition does not depend on this.

To make sure something more sinister wasn't afoot, I tracked down the bug and I think the issue is that defxmlns is popping before calling the function that ultimately calls js_ReconstructStackDepth.  I guess our error-reporting engine invariant is that you must report errors before consuming any of your nuses?  This patch seems to fix things.
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #471547 - Flags: review?(brendan)
Comment on attachment 471547 (fix)

(In reply to comment #1)
> invariant is that you must report errors before consuming any of your nuses? 

Yes, exactly. JSOP_DEFXMLNS blew it, besides sucking inherently ("default xml namespace = ...", blech!).

> BEGIN_CASE(JSOP_DEFXMLNS)
> {
>-    Value rval;
>-    POP_COPY_TO(rval);
>+    Value rval = regs.sp[-1];
>     if (!js_SetDefaultXMLNamespace(cx, rval))
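
Review bot: With POP_COPY_TO(rval) removed, the lines shown never pop the operand, so the pop has to happen after the js_SetDefaultXMLNamespace(cx, rval) check, on the success path only; please confirm the rest of the case decrements regs.sp there so JSOP_DEFXMLNS still leaves the stack balanced. A one-line comment above `Value rval = regs.sp[-1];` saying the operand must stay on the stack until the call returns, because error reporting reconstructs the stack depth, would stop a later cleanup from reintroducing the early pop.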

js_SetDefaultXMLNamespace's final param is const Value &v, so you don't need rval any longer (or the braces). Why not just pass regs.sp[-1]?

r=me with that addressed. Thanks,

/be
Attachment #471547 - Flags: review?(brendan) → review+
(In reply to comment #1)
> invariant is that you must report errors before consuming any of your nuses? 

This invariant was required for GC safety prior to conservative stack scanning.

/be
http://hg.mozilla.org/tracemonkey/rev/17a5586c96e1
Whiteboard: fixed-in-tracemonkey
arewefastyet.com/individual.php?machine=6 shows (if I read it right) that the tracing-jit-only time for bitwise-and more than doubled when this change landed.  I don't see how this can possibly be related however, but I'm just a spectator.  Any idea?
Heh, nope -- SS is definitely not executing JSOP_DEFXMLNS.
Sounds like this was fixed in September.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED