Closed Bug 935294 Opened 11 years ago Closed 10 years ago

Assertion failure: exprStack == stackDepth, at jit/shared/CodeGenerator-shared.cpp:300

Categories

(Core :: JavaScript Engine: JIT, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 937058

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:])

Attachments

(1 file, 1 obsolete file)

The following testcase asserts on mozilla-central revision 770de5942471 (run with --fuzzing-safe --ion-eager):

for (var c in foo)
  try {
    throw new Error();
  } catch (e)  {}

Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/3510684869de
user:        Andy Wingo
date:        Wed Oct 30 12:27:22 2013 +0100
summary:     Bug 932180 - Rewrite decompiler's bytecode parser to not need SRC_HIDDEN annotations. r=jandem

This iteration took 426.513 seconds to run.
wingo do you have time to take a look maybe? :)
Flags: needinfo?(wingo)
Sure, I'll take a look.
Attachment #827706 - Attachment is obsolete: true
So, I tracked this one down.  The abort happens here:

typein:1
    sn stack loc   line  op
    -- ----- ----- ----  --
       00000 00000:   1  defvar "c"
main:
       00000 00005:   1  getgname "foo"
       00001 00010:   1  iter 1
    06 00001 00012:   1  goto 68 (+56)
       00001 00017:   1  loophead
       00001 00018:   1  iternext
       00002 00019:   1  bindgname "c"
       00003 00024:   1  pick 1
       00003 00026:   1  setgname "c"
       00002 00031:   1  pop
    18 00001 00032:   2  try
       00001 00033:   3  getgname "Error"
       00002 00038:   3  undefined
       00003 00039:   3  notearg
       00003 00040:   3  new 0
-->    00002 00043:   3  throw
    16 00000 00044:   3  goto 68 (+24)
       00001 00049:   4  enterblock object
       00002 00054:   4  exception
       00003 00055:   4  setlocal 1
       00003 00058:   4  pop
    17 00002 00059:   4  leaveblock 1
    16 00001 00062:   4  goto 68 (+6)
       00000 00067:   4  nop
       00001 00068:   4  loopentry 1
       00001 00070:   4  moreiter
       00002 00071:   4  ifne 17 (-54)
       00001 00076:   4  enditer
       00000 00077:   4  retrval

The abort is this:

CodeGenerator-shared.cpp:CodeGenerator::encode:   JS_ASSERT(exprStack == stackDepth);

and the stack depth that the generator has simulated internally after the throw is 1, and the depth that the bytecode parser has given us is 0.

The reason the bytecode parser gives 0 is because the goto is unreachable.  On the other hand the MIR doesn't appear to know this, and I guess it assumes that each instruction can fall through?  Will find jandem on the IRC to see what the deal is.

Note that this is very similar to bug 932180 comment 13 and bug 932180 comment 22.
Flags: needinfo?(wingo)
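The disagreement described in the comment above, reconstructed as an added example (this is not code from the bug, from SpiderMonkey, or from the commenter): a toy stack-depth analysis over the try/catch region of the listing (offsets 32 to 68), run once assuming every op falls through to the next one (roughly what the code generator's simulated expression stack does) and once following only real control-flow edges (the bytecode parser's view). The opcode names, their stack effects, and the handler edge from `try` are simplifications constructed for this example; `find_mismatches` models the `JS_ASSERT(exprStack == stackDepth)` check by reporting every offset where the two analyses disagree.

```python
from collections import deque

# Constructed toy program mirroring offsets 32..68 of the listing, as
# (offset, opcode, operand). The stack is 1 deep on entry (the iterator).
PROGRAM = [
    (32, "try", 49),          # operand: offset of the catch handler (constructed)
    (33, "getgname", "Error"),
    (38, "undefined", None),
    (39, "notearg", None),
    (40, "new", 0),
    (43, "throw", None),
    (44, "goto", 68),         # unreachable: nothing falls through a throw
    (49, "enterblock", None),
    (54, "exception", None),
    (55, "setlocal", 1),
    (58, "pop", None),
    (59, "leaveblock", 1),
    (62, "goto", 68),
    (67, "nop", None),        # unreachable as well
    (68, "loopentry", 1),
]

# (pops, pushes) per opcode; constructed to reproduce the listing's depths
# (e.g. 'new 0' pops callee and this, pushes the result).
STACK_EFFECT = {
    "try": (0, 0), "getgname": (0, 1), "undefined": (0, 1), "notearg": (0, 0),
    "new": (2, 1), "throw": (1, 0), "goto": (0, 0), "enterblock": (0, 1),
    "exception": (0, 1), "setlocal": (0, 0), "pop": (1, 0),
    "leaveblock": (1, 0), "nop": (0, 0), "loopentry": (0, 0),
}
NO_FALLTHROUGH = {"throw", "goto"}

def apply_op(op, depth):
    """Stack depth after executing `op` at depth `depth`."""
    pops, pushes = STACK_EFFECT[op]
    assert depth >= pops, f"stack underflow at {op}"
    return depth - pops + pushes

def fall_through_depths(program, entry_depth):
    """Depth before each instruction, assuming every op falls through."""
    depths = {}
    depth = entry_depth
    for offset, op, _ in program:
        depths[offset] = depth
        depth = apply_op(op, depth)
    return depths

def reachable_depths(program, entry_depth):
    """Depth before each instruction, propagated only along CFG edges.

    Instructions that no edge reaches get no entry at all."""
    by_offset = {off: (i, op, arg) for i, (off, op, arg) in enumerate(program)}
    depths = {}
    work = deque([(program[0][0], entry_depth)])
    while work:
        offset, depth = work.popleft()
        if offset in depths:
            assert depths[offset] == depth, f"inconsistent depth at {offset}"
            continue
        depths[offset] = depth
        i, op, arg = by_offset[offset]
        after = apply_op(op, depth)
        if op == "try":
            # Exception edge: the handler starts with the stack as it was at the try.
            work.append((arg, depth))
        if op == "goto":
            work.append((arg, after))
        if op not in NO_FALLTHROUGH and i + 1 < len(program):
            work.append((program[i + 1][0], after))
    return depths

def find_mismatches(program, entry_depth):
    """Offsets where the fall-through simulation and the CFG-aware analysis
    disagree. Unreached bytecode is reported as depth 0, as in the listing."""
    simulated = fall_through_depths(program, entry_depth)
    parsed = reachable_depths(program, entry_depth)
    return {off: (simulated[off], parsed.get(off, 0))
            for off, _, _ in program if simulated[off] != parsed.get(off, 0)}

if __name__ == "__main__":
    for off, (sim, parsed) in find_mismatches(PROGRAM, 1).items():
        print(f"offset {off}: simulated exprStack={sim}, parser stackDepth={parsed}")
```

Running it reports the two unreachable instructions, the `goto` at offset 44 (simulated 1, parsed 0) and the `nop` at offset 67, which is exactly the pair of values the comment quotes for the throw's fall-through: the simulation pops one operand from the `throw` and keeps going, while the CFG-aware walk never visits the `goto` at all.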
Depends on: 937058
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 581d180a37f3).
decoder: is this fuzzblocker assertion still relevant? In comment 7, JSBugMon said it was not reproducible.
Flags: needinfo?(choller)
Keywords: regression
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:bisectfix]
Whiteboard: [fuzzblocker] [jsbugmon:bisectfix] → [fuzzblocker] [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/2c7ad2dabeb8
user:        Andy Wingo
date:        Mon Nov 11 16:21:20 2013 +0100
summary:     Bug 937058 - Paper over debug-mode checks of stack depth for unreachable bytecode. r=jandem

This iteration took 139.983 seconds to run.
Andy, is this likely a dup of bug 937058?
Flags: needinfo?(choller) → needinfo?(wingo)
(In reply to Christian Holler (:decoder) from comment #10)
> Andy, is this likely a dup of bug 937058?

Yes.  I will dup it.  Thanks for the heads-up.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(wingo)
Resolution: --- → DUPLICATE