Closed Bug 648839 Opened 9 years ago Closed 9 years ago

TI: Assertion failure: stackDepth == newDepth, at jsanalyze.cpp:100

Core :: JavaScript Engine, defect, critical
Platform: x86_64 Linux
Priority: Not set
Status: RESOLVED FIXED
Reporter: decoder, Unassigned
Blocks 2 open bugs
Keywords: assertion, testcase

The following testcase asserts on TI revision d3215d1e985a (run with -m -n -a),
tested on 64 bit:

// The call precedes the declaration; function hoisting makes this legal.
ForIn_1( { length:4, company:"netscape", year:2000, 0:"zero" } );
function ForIn_1( object ) {
  PropertyArray = new Array();   // implicit global, as in the original jstest
  // The for-in target is an element expression, so each iteration stores the
  // next key through ENUMELEM rather than a plain SETELEM.
  for ( PropertyArray[PropertyArray.length] in object ) {
      object[1];
  }
}
Fixed by rev 3816e4abb158 I think. This also showed up in the jstest this was derived from. This was introduced by array bounds check hoisting: we annotate SETELEMs which have been used to grow arrays by replacing them in the bytecode with a SETHOLE opcode (same semantics). The problem is we would also overwrite ENUMELEM with SETHOLE because ENUMELEM is implemented in terms of SETELEM by the method JIT, and the different stack usages of these opcodes broke downstream analysis.

I'm going to try to avoid breaking the jstests again in the future.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Blocks: 676763
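The failure mode described in the comment above, as an added illustration written for this page and not SpiderMonkey code: a toy bytecode walker that records the stack depth on entry to every pc and requires every jump target to be reached with a single depth, plus a "hoisting" pass that marks growing element stores by rewriting them to SETHOLE. The opcode names follow the comment; the instruction set, the stack effects (ENUMELEM modelled as consuming three slots and leaving none, SETELEM/SETHOLE as consuming three and leaving one), and the program are assumptions made for the example.

```cpp
// Added illustration for this page: a toy bytecode stack-depth analysis. It is
// not SpiderMonkey code; the instruction set, stack effects and program below
// are invented to model the SETELEM/SETHOLE vs ENUMELEM situation in the bug.
#include <cstddef>
#include <cstdio>
#include <vector>

enum Op {
    PUSH,      // push one value                        uses 0, defs 1
    POP,       // discard the top value                 uses 1, defs 0
    SETELEM,   // obj[key] = val, leaves val on stack   uses 3, defs 1
    SETHOLE,   // SETELEM annotated "may grow array"    uses 3, defs 1
    ENUMELEM,  // for-in store: consumes val, obj, key  uses 3, defs 0 (assumed)
    IFEQ,      // pop a flag, branch to target if zero  uses 1, defs 0
    GOTO,      // unconditional jump to target          uses 0, defs 0
};

struct Insn {
    Op op;
    int target;  // used by IFEQ and GOTO only
};

static void stackEffect(Op op, int &uses, int &defs) {
    switch (op) {
    case PUSH:     uses = 0; defs = 1; break;
    case POP:      uses = 1; defs = 0; break;
    case SETELEM:  uses = 3; defs = 1; break;
    case SETHOLE:  uses = 3; defs = 1; break;
    case ENUMELEM: uses = 3; defs = 0; break;
    case IFEQ:     uses = 1; defs = 0; break;
    case GOTO:     uses = 0; defs = 0; break;
    }
}

// Hoisting pass: element stores that grow an array are rewritten to SETHOLE.
// The buggy variant also rewrites ENUMELEM, which shares SETELEM's semantics
// but whose stack effect differs by one slot.
static void annotateGrowingStores(std::vector<Insn> &code, bool buggy) {
    for (Insn &insn : code) {
        if (insn.op == SETELEM || (buggy && insn.op == ENUMELEM))
            insn.op = SETHOLE;
    }
}

// Linear walk recording the depth on entry to every pc; every jump target must
// be reached with one depth. (For brevity the instruction after a GOTO is
// treated as reachable by fall-through; a real analysis marks it dead.)
// A false result is the toy's version of "stackDepth == newDepth" failing.
static bool stackDepthsConsistent(const std::vector<Insn> &code) {
    std::vector<int> depthAt(code.size(), -1);  // -1: not seen yet
    int depth = 0;
    for (std::size_t pc = 0; pc < code.size(); ++pc) {
        if (depthAt[pc] >= 0 && depthAt[pc] != depth)
            return false;  // fall-through depth disagrees with a recorded jump
        depthAt[pc] = depth;
        int uses, defs;
        stackEffect(code[pc].op, uses, defs);
        if (depth < uses)
            return false;  // stack underflow
        depth += defs - uses;
        if (code[pc].op == IFEQ || code[pc].op == GOTO) {
            int t = code[pc].target;
            if (t < 0 || t >= (int)code.size())
                return false;
            if (depthAt[t] < 0)
                depthAt[t] = depth;      // forward edge: remember expected depth
            else if (depthAt[t] != depth)
                return false;            // back edge arrives with another depth
        }
    }
    return true;
}

// Constructed program: a straight-line arr[arr.length] = v store (legitimately
// marked SETHOLE by the pass), then a for-in loop whose target expression
// PropertyArray[PropertyArray.length] is lowered to ENUMELEM.
static std::vector<Insn> forInTestcase() {
    return {
        {PUSH, 0},      // 0  arr                        depth 1
        {PUSH, 0},      // 1  arr.length                 depth 2
        {PUSH, 0},      // 2  value                      depth 3
        {SETELEM, 0},   // 3  arr[arr.length] = value    depth 1
        {POP, 0},       // 4  discard the result         depth 0
        {PUSH, 0},      // 5  iterator                   depth 1
        {PUSH, 0},      // 6  loop head: "more keys?"    depth 2
        {IFEQ, 13},     // 7  exit when done             depth 1
        {PUSH, 0},      // 8  next key (value to store)  depth 2
        {PUSH, 0},      // 9  PropertyArray              depth 3
        {PUSH, 0},      // 10 PropertyArray.length       depth 4
        {ENUMELEM, 0},  // 11 store, leaves nothing      depth 1
        {GOTO, 6},      // 12 back edge: pc 6 was recorded at depth 1
        {POP, 0},       // 13 drop the iterator          depth 0
    };
}

int main() {
    std::vector<Insn> fixed = forInTestcase();
    annotateGrowingStores(fixed, false);
    std::vector<Insn> buggy = forInTestcase();
    annotateGrowingStores(buggy, true);
    std::printf("only SETELEM rewritten:  %s\n", stackDepthsConsistent(fixed) ? "consistent" : "MISMATCH");
    std::printf("ENUMELEM also rewritten: %s\n", stackDepthsConsistent(buggy) ? "consistent" : "MISMATCH");
    return 0;
}
```

With only SETELEM rewritten the back edge at pc 12 arrives at depth 1, matching the depth recorded for the loop head. Once ENUMELEM is also turned into SETHOLE the store leaves an extra value on the stack, the back edge arrives at depth 2, and the consistency check fails in the same way the assertion in the bug title does; the fix is the opcode test in annotateGrowingStores, not anything in the depth walker.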
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+