Closed
Bug 935294
Opened 11 years ago
Closed 10 years ago
Assertion failure: exprStack == stackDepth, at jit/shared/CodeGenerator-shared.cpp:300
Categories
(Core :: JavaScript Engine: JIT, defect)
RESOLVED
DUPLICATE
of bug 937058
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:])
Attachments
(1 file, 1 obsolete file)
345 bytes,
text/plain
The following testcase asserts on mozilla-central revision 770de5942471 (run with --fuzzing-safe --ion-eager):

for (var c in foo)
  try {
    throw new Error();
  } catch (e) {}
Reporter
Comment 1•11 years ago
Reporter
Updated•11 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Reporter
Updated•11 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Reporter
Comment 2•11 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/3510684869de
user: Andy Wingo
date: Wed Oct 30 12:27:22 2013 +0100
summary: Bug 932180 - Rewrite decompiler's bytecode parser to not need SRC_HIDDEN annotations. r=jandem

This iteration took 426.513 seconds to run.
Comment 4•11 years ago
Sure, I'll take a look.
Reporter
Comment 5•11 years ago
Attachment #827706 -
Attachment is obsolete: true
Comment 6•11 years ago
So, I tracked this one down. The abort happens here:

typein:1
sn  stack  loc    line  op
--  -----  -----  ----  --
    00000  00000:    1  defvar "c"
main:
    00000  00005:    1  getgname "foo"
    00001  00010:    1  iter 1
06  00001  00012:    1  goto 68 (+56)
    00001  00017:    1  loophead
    00001  00018:    1  iternext
    00002  00019:    1  bindgname "c"
    00003  00024:    1  pick 1
    00003  00026:    1  setgname "c"
    00002  00031:    1  pop
18  00001  00032:    2  try
    00001  00033:    3  getgname "Error"
    00002  00038:    3  undefined
    00003  00039:    3  notearg
    00003  00040:    3  new 0
--> 00002  00043:    3  throw
16  00000  00044:    3  goto 68 (+24)
    00001  00049:    4  enterblock object
    00002  00054:    4  exception
    00003  00055:    4  setlocal 1
    00003  00058:    4  pop
17  00002  00059:    4  leaveblock 1
16  00001  00062:    4  goto 68 (+6)
    00000  00067:    4  nop
    00001  00068:    4  loopentry 1
    00001  00070:    4  moreiter
    00002  00071:    4  ifne 17 (-54)
    00001  00076:    4  enditer
    00000  00077:    4  retrval

The abort is this:

CodeGenerator-shared.cpp:CodeGenerator::encode:
JS_ASSERT(exprStack == stackDepth);

and the stack depth that the generator has simulated internally after the throw is 1, and the depth that the bytecode parser has given us is 0.

The reason the bytecode parser gives 0 is because the goto is unreachable. On the other hand the MIR doesn't appear to know this, and I guess it assumes that each instruction can fall through? Will find jandem on the IRC to see what the deal is.

Note that this is very similar to bug 932180 comment 13 and bug 932180 comment 22.
Flags: needinfo?(wingo)
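The mismatch described in comment 6, reproduced in a simplified model (an added example, not part of the original comment and not SpiderMonkey code). `Op`, `kOps`, `reachableDepths`, `linearDepths` and `firstMismatch` are hypothetical names, the stack effects are read off the dump's stack column, and the fall-through simulation models the comment's guess about the MIR side.

```cpp
#include <utility>
#include <vector>

// Simplified op model, not SpiderMonkey's real data structures.
// target: goto destination or try's catch entry (index into kOps), -1 if none.
struct Op { const char* name; int pops, pushes; bool fallsThrough; int target; };

// Constructed from the dump's try/catch slice (offsets 00032 to 00068).
static const std::vector<Op> kOps = {
    {"try", 0, 0, true, 7}, {"getgname", 0, 1, true, -1}, {"undefined", 0, 1, true, -1},
    {"notearg", 0, 0, true, -1}, {"new", 2, 1, true, -1}, {"throw", 1, 0, false, -1},
    {"goto", 0, 0, false, 14}, {"enterblock", 0, 1, true, -1}, {"exception", 0, 1, true, -1},
    {"setlocal", 0, 0, true, -1}, {"pop", 1, 0, true, -1}, {"leaveblock", 1, 0, true, -1},
    {"goto", 0, 0, false, 14}, {"nop", 0, 0, true, -1}, {"loopentry", 0, 0, true, -1}};

// Depth before each op along reachable edges only; unreachable ops stay 0.
std::vector<int> reachableDepths(const std::vector<Op>& ops, int entry) {
    std::vector<int> depth(ops.size(), 0);
    std::vector<bool> seen(ops.size(), false);
    std::vector<std::pair<int, int>> work = {{0, entry}};
    while (!work.empty()) {
        int i = work.back().first, d = work.back().second;
        work.pop_back();
        if (i < 0 || i >= (int)ops.size() || seen[i]) continue;
        seen[i] = true;
        depth[i] = d;
        int after = d - ops[i].pops + ops[i].pushes;
        if (ops[i].target >= 0) work.push_back({ops[i].target, after});
        if (ops[i].fallsThrough) work.push_back({i + 1, after});
    }
    return depth;
}

// Depth before each op if every op is assumed to fall through to the next.
std::vector<int> linearDepths(const std::vector<Op>& ops, int entry) {
    std::vector<int> depth;
    for (const Op& op : ops) {
        depth.push_back(entry);
        entry += op.pushes - op.pops;
    }
    return depth;
}

// Index of the first op where the two analyses disagree, or -1 if none.
int firstMismatch(const std::vector<int>& a, const std::vector<int>& b) {
    for (int i = 0; i < (int)a.size(); ++i)
        if (a[i] != b[i]) return i;
    return -1;
}
```

With an entry depth of 1 (the iterator left on the stack by the for-in loop), the two analyses first disagree at index 6, the `goto` directly after `throw`.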
Reporter
Updated•11 years ago
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
Reporter
Comment 7•11 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 581d180a37f3).
Comment 8•10 years ago
decoder: is this fuzzblocker assertion still relevant? In comment 7, JSBugMon said it was not reproducible.
Flags: needinfo?(choller)
Updated•10 years ago
Keywords: regression
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:bisectfix]
Reporter
Updated•10 years ago
Whiteboard: [fuzzblocker] [jsbugmon:bisectfix] → [fuzzblocker] [jsbugmon:]
Reporter
Comment 9•10 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/2c7ad2dabeb8
user: Andy Wingo
date: Mon Nov 11 16:21:20 2013 +0100
summary: Bug 937058 - Paper over debug-mode checks of stack depth for unreachable bytecode. r=jandem

This iteration took 139.983 seconds to run.
Reporter
Comment 10•10 years ago
Andy, is this likely a dup of bug 937058?
Flags: needinfo?(choller) → needinfo?(wingo)
Comment 11•10 years ago
(In reply to Christian Holler (:decoder) from comment #10)
> Andy, is this likely a dup of bug 937058?

Yes. I will dup it. Thanks for the heads-up.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(wingo)
Resolution: --- → DUPLICATE