Closed Bug 787848 Opened 7 years ago Closed 7 years ago

IonMonkey: Crash [@ ExpressionDecompiler::decompilePC] or "Assertion failure: script->analysis()->getCode(pc).stackDepth == ((hpcdepth == unsigned(-1)) ? pcdepth : hpcdepth),"

Categories

(Core :: JavaScript Engine, defect, critical)

Other Branch
x86
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla18
Tracking Status
firefox17 --- unaffected
firefox18 --- fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: gkw, Assigned: nbp)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [ion:p1:fx18] [jsbugmon:update,ignore][adv-main18-])

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #787309 +++

+++ This bug was initially created as a clone of Bug #781660 +++

try {
    i
}
catch (x if (function() {})()) {}
catch (d) {
    this.z.z
}

=====

try {
  t
} catch (d if true.b) {}
catch (x if new(print)) {}

=====

options('strict')
try {
  w
} catch (e if 2[1]) {}
catch (N) {
  eval.m
}

=====

try {
  e
} catch (e if "") {}
catch (x if (function() {})) {
  new print
}

=====

try {
  x
} catch (b if print()) {}
catch (z) {
  let(a = print()()) {}
}

=====

These testcases trigger an assertion in the js debug shell on IonMonkey changeset f9ff9c554d4b without any CLI arguments, even with the patch from bug 781660 comment 10 (which fixes the testcases spun off in bug 787309) applied, at Assertion failure: script->analysis()->getCode(pc).stackDepth == ((hpcdepth == unsigned(-1)) ? pcdepth : hpcdepth),

options('strict');
try {
  w
} catch (a if (function() {})()) {}
catch (a if ({})) {
  NaN.m
}

crashes the js opt shell on IonMonkey changeset f9ff9c554d4b without any CLI arguments at ExpressionDecompiler::decompilePC

These testcases are not fixed by the patches in bug 781660. Also assigning to Nicolas.
Blocks: LandIon
If we are not following the JSOP_GOTO, we might evaluate a hidden JSOP_THROWING which expects 2 extra stack slots, as documented in the bytecode emitter code.  Fake the 2 extra stack slots when we do not follow gotos.
Attachment #660435 - Flags: review?(luke)
Comment on attachment 660435 [details] [diff] [review]
Handle JSOP_THROWING opcode in the decompiler.

Review of attachment 660435 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsopcode.cpp
@@ +6466,3 @@
>              }
> +
> +            // see BytecodeEmitter.cpp
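Review bot: The added comment `// see BytecodeEmitter.cpp` points at a whole file rather than at the invariant this code relies on; state it in place, as comment 1 does: when the decompiler does not follow a JSOP_GOTO it can land on a JSOP_THROWING that expects two extra stack slots, so those slots are faked here. Naming JSOP_THROWING in the comment also lets the next reader find the emitter-side counterpart directly.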

BytecodeEmitter.cpp is a large file; it would be much nicer to write a nice little paragraph to the effect of your comment 1.  Also, let's not mix // and /* comments in the same function.
Attachment #660435 - Flags: review?(luke) → review+
Blocks: 794286
I did not put all the test cases reported in this bug because they all had the same problem.
Flags: in-testsuite+
Flags: in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/57e4febd2775
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Whiteboard: [ion:p1:fx18] [jsbugmon:update] → [ion:p1:fx18] [jsbugmon:update,reconfirm]
decoder, how can it be reconfirmed, knowing that the test case is landed and that tbpl is green?
(In reply to Nicolas B. Pierron [:pierron] [:nbp] from comment #9)
> decoder, how can it be reconfirmed, knowing that the test case is landed and
> that tbpl is green?

I think I marked the wrong bug here, thanks :)
Whiteboard: [ion:p1:fx18] [jsbugmon:update,reconfirm] → [ion:p1:fx18] [jsbugmon:update,ignore]
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [ion:p1:fx18] [jsbugmon:update,ignore] → [ion:p1:fx18] [jsbugmon:update,ignore][adv-main18-]
Group: core-security