Closed Bug 680976 Opened 8 years ago Closed 8 years ago

TI: "Assertion failure: stackDepth >= nuses,"

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86, Windows 7
Priority: Not set
Status: RESOLVED FIXED
People: Reporter: gkw, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, testcase, Whiteboard: js-triage-needed
Attachments: 2 files

Attached file testcase
The attached testcase asserts at Assertion failure: stackDepth >= nuses, on JM changeset 8fe193e034cb with -m and -a, on Windows 7 debug shell.

This was found using a triple combination of an existing js test, jsfunfuzz and jandem's method fuzzer. Eventually the reduced testcase revealed jsfunfuzz was not needed for the assert.
Probably JM-only, doesn't occur on mc changeset 33e4aa663bba.

Thanks to Luke, who confirms via IRC that it doesn't occur on 64-bit Linux debug shell (assuming mozilla-central).

Summary: "Assertion failure: stackDepth >= nuses," → TI: "Assertion failure: stackDepth >= nuses,"

Attached patch: patch
For decomposed incops which needed an INDEXBASE opcode to adjust their atom operand, the resulting bytecode was deformed --- a RESETBASE opcode must be emitted after such ops, and it was taking the place of the one-byte decomposed length attached to these ops.

http://hg.mozilla.org/projects/jaegermonkey/rev/a30c64a27b4a
Attachment #555007 - Flags: review?(dvander)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Attachment #555007 - Flags: review?(dvander) → review+