Closed Bug 680976 Opened 14 years ago Closed 14 years ago

TI: "Assertion failure: stackDepth >= nuses,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: js-triage-needed)

Attachments

(2 files)

testcase
586.62 KB, text/plain
Details
patch
6.84 KB, patch
dvander
: review+
Details | Diff | Splinter Review
Attached file testcase
The attached testcase asserts at Assertion failure: stackDepth >= nuses, on JM changeset 8fe193e034cb with -m and -a, on Windows 7 debug shell. This was found using a triple combination of an existing js test, jsfunfuzz and jandem's method fuzzer. Eventually the reduced testcase revealed jsfunfuzz was not needed for the assert.
Probably JM-only, doesn't occur on mc changeset 33e4aa663bba. Thanks Luke who confirms via IRC that it doesn't on 64-bit Linux debug shell (assuming mozilla-central).
Blocks: infer-regress
Summary: "Assertion failure: stackDepth >= nuses," → TI: "Assertion failure: stackDepth >= nuses,"
Attached patch patchSplinter Review
For decomposed incops which needed an INDEXBASE opcode to adjust their atom operand, the resulting bytecode was deformed --- a RESETBASE opcode must be emitted after such ops, and it was taking the place of the one-byte decomposed length attached to these ops. http://hg.mozilla.org/projects/jaegermonkey/rev/a30c64a27b4a
Attachment #555007 - Flags: review?(dvander)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Attachment #555007 - Flags: review?(dvander) → review+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: