Closed
Bug 614752
Opened 14 years ago
Closed 14 years ago
"Assertion failure: simsp <= i.sp()" with apply
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: luke)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(2 files, 2 obsolete files)
1.78 KB,
text/plain
|
Details | |
2.25 KB,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
./js -m js> Object.create(function(){}).apply(null, null); Assertion failure: simsp <= i.sp(), at js/src/jsfun.cpp:3061 The first bad revision is: changeset: d9aceaabef28 user: Luke Wagner date: Thu Oct 21 11:33:22 2010 -0700 summary: Bug 605192 - JM: make f.apply(x, obj) fast, part 4 (r=dvander)
Assignee | ||
Comment 1•14 years ago
|
||
The assertion is overly strict; a weaker one that should hold is: JS_ASSERT_IF(vp < simsp, vp < i.sp()); The reason that vp < i.sp() is that f.apply(x, null) turns into x.f() which ic::SplatApplyArgs achieves by popping the top 'null' before calling (with f as callee and x as this). This puts sp below what js_ReconstructStackDepth would expect. If js_fun_apply had the same in-place call optimization (instead of copying everything above sp), it would hit the same assert.
Assignee | ||
Comment 2•14 years ago
|
||
Attachment #493208 -
Flags: review?(brendan)
Comment 3•14 years ago
|
||
(In reply to comment #1) > The assertion is overly strict; a weaker one that should hold is: > JS_ASSERT_IF(vp < simsp, vp < i.sp()); > The reason that vp < i.sp() is that f.apply(x, null) turns into x.f() which > ic::SplatApplyArgs achieves by popping the top 'null' before calling (with f as > callee and x as this). This puts sp below what js_ReconstructStackDepth would > expect. If js_fun_apply had the same in-place call optimization (instead of > copying everything above sp), it would hit the same assert. Is it worth putting this explanation, or part of it, above the assertion?
Comment 4•14 years ago
|
||
Comment on attachment 493208 [details] [diff] [review] weaken assert What njn said -- comment please, and weaker assertion does not seem better if we don't need it yet. Let someone botch it, read the comment, then weaken. Or am I missing something in favor of weakening now? /be
Attachment #493208 -
Flags: review?(brendan) → review-
Assignee | ||
Comment 5•14 years ago
|
||
Well, if we don't weaken now, it will continue to assert...
Comment 7•14 years ago
|
||
Oh, ok -- weaken now, r=me. /be
Assignee | ||
Comment 8•14 years ago
|
||
Comment on attachment 493208 [details] [diff] [review] weaken assert For the record then?
Attachment #493208 -
Flags: review- → review?(brendan)
Updated•14 years ago
|
Attachment #493208 -
Flags: review?(brendan) → review+
Assignee | ||
Comment 9•14 years ago
|
||
I thought about it again and if, in general, the actual stack can be greater or less than the simulated stack, we just need to check for inclusion in the range [base, min(actual,simulated)) This patch does that and comments why.
Assignee: general → lw
Attachment #493208 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #497602 -
Flags: review?(brendan)
Comment 10•14 years ago
|
||
Comment on attachment 497602 [details] [diff] [review] patch v.2 Great -- but where's the comment? /be
Attachment #497602 -
Flags: review?(brendan) → review+
Assignee | ||
Comment 11•14 years ago
|
||
Oops, I post patches out of .hg/patches and I forgot to hg qref.
Attachment #497602 -
Attachment is obsolete: true
Attachment #497628 -
Flags: review?(brendan)
Comment 12•14 years ago
|
||
Comment on attachment 497628 [details] [diff] [review] patch v.2 (this time hg qref) > /* > * We try to the print the code that produced vp if vp is a value in the > * most recent interpreted stack frame. Note that additional values, not > * directly produced by the script, may have been pushed onto the frame's > * expression stack (e.g. by pushInvokeArgs) thereby incrementing sp past >- * the depth simulated by ReconstructPCStack. Since we must pass an offset >- * from the top of the simulated stack to js_ReportValueError3, it is >- * important to do bounds checking using the simulated, rather than actual, >- * stack depth. >+ * the depth simulated by ReconstructPCStack. Conversely, values may have New para before Conversely for better wrapping? >+ * been popped from the stack in preparation for a call (e.g., by >+ * SplatApplyArgs). Since we must pass an offset from the top of the >+ * simulated stack to js_ReportValueError3, it is important to do bounds Why switch to passive voice? "Since we must ..., we check bounds using ...". r=me with these picked. Thanks, /be
Attachment #497628 -
Flags: review?(brendan) → review+
Assignee | ||
Comment 13•14 years ago
|
||
Sounds good http://hg.mozilla.org/tracemonkey/rev/6b7627584c94
Whiteboard: fixed-in-tracemonkey
Comment 14•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/6b7627584c94
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 15•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug614752.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•