debugging switch-statement causes assertion

VERIFIED FIXED in mozilla1.8beta1

Status


Core
JavaScript Engine
P2
minor
VERIFIED FIXED
13 years ago
12 years ago

People

(Reporter: Philipp Vogt, Assigned: brendan)

Tracking

({js1.5})

Trunk
mozilla1.8beta1
js1.5
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20050117 Firefox/0.10.1

I tried to debug the following JavaScript code with jsshell (compiled on the 
Firefox-1.0PR with the DEBUG-FLAG):

tracing(true);
function SwitchTest( input) {
    switch ( input ) {
        default:   break;
        case A:    break;
    }
}

This raises an assertion:

js> tracing(true);
   1: 00008:  popv
  inputs: tracing(true) @ 1
  stack:
js> function SwitchTest( input) {
    switch ( input ) {
        default:   break;
        case A:    break;
    }
}
   2: 00000:  deffunAssertion failure: nbytes != 0, at jsapi.c:1459

Reproducible: Always

Steps to Reproduce:
1. compile jsshell with DEBUG-Flag
2. jsshell.exe
3. copy-paste the source code





Speculation:

The error seems to be caused by jsopcode.c line 2054+ (case JSOP_CONDSWITCH). 
Especially:
>                sn = js_GetSrcNote(jp->script, pc);
                JS_ASSERT(sn && SN_TYPE(sn) == SRC_SWITCH);
                len = js_GetSrcNoteOffset(sn, 0);
>                off = js_GetSrcNoteOffset(sn, 1);

off becomes 0, so does off2 and so ncases is 0 and then 

                table = (TableEntry *) JS_malloc(cx, (size_t)ncases * sizeof *table);

mallocs 0 bytes which raises an exception.
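
The zero-case path described in the report, modelled as an added example (not SpiderMonkey code and not the patch attached to this bug). CaseEntry, count_cases, table_unguarded, table_guarded and checked_alloc are hypothetical names; checked_alloc counts zero-byte requests where the debug build would assert nbytes != 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { int key; int target; } CaseEntry;   /* hypothetical table row */

static int zero_size_requests;   /* stands in for the debug assertion nbytes != 0 */

/* Allocator wrapper: records a zero-byte request instead of aborting. */
static void *checked_alloc(size_t nbytes) {
    if (nbytes == 0) { zero_size_requests++; return NULL; }
    return malloc(nbytes);
}

/* Follow the case-to-case offsets in next_off; an offset of 0 ends the chain. */
static size_t count_cases(const unsigned *next_off, size_t n, unsigned first_off) {
    size_t pos = 0, ncases = 0;
    for (unsigned off = first_off; off != 0; off = next_off[pos]) {
        pos += off;
        if (pos >= n) break;     /* malformed chain: stop counting */
        ncases++;
    }
    return ncases;
}

/* Pattern from the report: size the table straight from ncases. */
static CaseEntry *table_unguarded(size_t ncases) {
    return checked_alloc(ncases * sizeof(CaseEntry));
}

/* Guarded: an empty chain needs no table; also reject size overflow. */
static int table_guarded(size_t ncases, CaseEntry **out) {
    *out = NULL;
    if (ncases == 0) return 0;                       /* nothing to allocate */
    if (ncases > SIZE_MAX / sizeof(CaseEntry)) return -1;
    *out = checked_alloc(ncases * sizeof(CaseEntry));
    return *out ? 0 : -1;
}

int main(void) {
    const unsigned chain[] = {0, 0, 3, 0, 0, 0};     /* constructed: cases at 2 and 5 */
    CaseEntry *t;
    printf("ncases=%zu\n", count_cases(chain, 6, 2));
    table_unguarded(count_cases(chain, 6, 0));       /* first offset 0, as in the report */
    printf("unguarded: %d zero-byte request(s)\n", zero_size_requests);
    int rc = table_guarded(count_cases(chain, 6, 0), &t);
    printf("guarded: rc=%d, still %d\n", rc, zero_size_requests);
    return 0;
}
```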
(Assignee)

Updated

13 years ago
Assignee: general → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: js1.5
OS: Windows 2000 → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta
(Assignee)

Comment 1

13 years ago
Created attachment 172336 [details] [diff] [review]
fix for ancient JSOP_CONDSWITCH bug

Goes back to norris, IIRC.  Shaver, what do you think?
/be
Attachment #172336 - Flags: review?(shaver)
(Assignee)

Updated

13 years ago
Status: NEW → ASSIGNED
Comment on attachment 172336 [details] [diff] [review]
fix for ancient JSOP_CONDSWITCH bug

r=shaver.  I haven't yet lost all recollection of norris' great switch/case
ECMA-conformance rewrite, indeed.
Attachment #172336 - Flags: review?(shaver) → review+
(Assignee)

Comment 3

13 years ago
Fixed.

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED

Comment 4

13 years ago
Created attachment 174883 [details]
js1_5/Regress/regress-278873.js

Philipp, is it ok to include your test case in the javascript test library?
(Reporter)

Comment 5

13 years ago
?! Wow! Sure do whatever you want with it (isn't the best code I've written so 
far :-)). And thx, I'm honored.

Comment 6

13 years ago
js1_5/Regress/regress-278873.js checked in.

Updated

13 years ago
Flags: testcase+

Comment 7

12 years ago
verified fixed 1.8.x and trunk.
Status: RESOLVED → VERIFIED