Closed Bug 278873 Opened 20 years ago Closed 20 years ago

debugging switch-statement causes assertion

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8beta1

People

(Reporter: vogge, Assigned: brendan)

Details

(Keywords: js1.5)

Attachments

(2 files)

fix for ancient JSOP_CONDSWITCH bug
2.22 KB, patch
shaver
: review+
Details | Diff | Splinter Review
js1_5/Regress/regress-278873.js
2.29 KB, text/plain
Details 
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20050117 Firefox/0.10.1

I tried to debug the following javascript-code with jsshell (compiled on the 
Firefox-1.0PR with the DEBUG-FLAG):

tracing(true);
function SwitchTest( input) {
    switch ( input ) {
        default:   break;
        case A:    break;
    }
}

This raises an assertion:

js> tracing(true);
   1: 00008:  popv
  inputs: tracing(true) @ 1
  stack:
js> function SwitchTest( input) {
    switch ( input ) {
        default:   break;
        case A:    break;
    }
}
   2: 00000:  deffunAssertion failure: nbytes != 0, at jsapi.c:1459

Reproducible: Always

Steps to Reproduce:
1. compile jsshell with DEBUG-Flag
2. jsshell.exe
3. copy-paste the sourcecode





Speculation:

The error seems to be caused by jsopcode.c line 2054+ (case JSOP_CONDSWITCH). 
Especially:
>                sn = js_GetSrcNote(jp->script, pc);
                JS_ASSERT(sn && SN_TYPE(sn) == SRC_SWITCH);
                len = js_GetSrcNoteOffset(sn, 0);
>                off = js_GetSrcNoteOffset(sn, 1);

off becomes 0, so does off2 and so ncases is 0 and then 

                table = (TableEntry *) JS_malloc(cx, (size_t)ncases * sizeof 
*table);

mallocs 0 bytes which raises an exception.
Assignee: general → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: js1.5
OS: Windows 2000 → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta
Goes back to norris, IIRC.  Shaver, what do you think?
/be
Attachment #172336 - Flags: review?(shaver)
Status: NEW → ASSIGNED
Comment on attachment 172336 [details] [diff] [review]
fix for ancient JSOP_CONDSWITCH bug

r=shaver.  I haven't yet lost all recollection of norris' great switch/case
ECMA-conformance rewrite, indeed.
Attachment #172336 - Flags: review?(shaver) → review+
Fixed.

/be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Philipp, is it ok to include your test case in the javascript test library?
?! Wow! Sure do whatever you want with it (isn't the best code I've written so 
far :-)). And thx, I'm honored.
js1_5/Regress/regress-278873.js checked in.
Flags: testcase+
verified fixed 1.8.x and trunk.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: