Closed Bug 648839 Opened 13 years ago Closed 13 years ago

TI: Assertion failure: stackDepth == newDepth, at jsanalyze.cpp:100

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase) 

The following testcase asserts on TI revision d3215d1e985a (run with -m -n -a),
tested on 64 bit:

ForIn_1( { length:4, company:"netscape", year:2000, 0:"zero" } );
function ForIn_1( object ) {
  PropertyArray = new Array();
  for ( PropertyArray[PropertyArray.length] in object ) {
      object[1];
  }
}
Fixed by rev 3816e4abb158 I think, this also showed up in the jstest this was derived from.  This was introduced by array bounds check hoisting --- we annotate SETELEMs which have been used to grow arrays by replacing them in the bytecode with a SETHOLE opcode (same semantics).  The problem is we would also overwrite ENUMELEM with SETHOLE because ENUMELEM is implemented in terms of SETELEM by the method JIT, and the different stack usages of these opcodes broke downstream analysis.

I'm going to try to avoid breaking the jstests again in the future.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.