372565 - "Assertion failure: top < ss->printer->script->depth" decompiling a function where a const identifier is used as a for-loop variable

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jesse Ruderman]

js> function() { for each(x in y) { } const x; }
Assertion failure: top < ss->printer->script->depth, at jsopcode.c:845

Comment 1

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Proposed fix

Because we rely on the JSOP_FOR* to call the current iterator's next method, the current code, which emits a JSOP_GETVAR in place of the JSOP_FORVAR breaks not only decompilation, but actually goes into an infinite loop. Here's a testcase:
(function() { const x = 3; for each(x in {1:1,2:2}) { print(x); }  })()

My proposed solution is to add a JSOP_FORCONST which knows to not actually update the slot given, but does call the iterator's next method. The testcase correctly decompiles and runs with this patch.

Comment 2

[Brendan Eich [:brendan]]

How about eliminating the useless JSOP_STARTITER while you are at it, and reclaiming that bytecode? (Be careful to set pos = blockpos + 1; in the JSOP_ARRAYPUSH case of Decompile.)

/be

Comment 3

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: With that

Comment 4

[Brendan Eich [:brendan]]

Comment on attachment 258152 [details] [diff] [review]
With that

Great, thanks!

/be

Comment 5

[Blake Kaplan (:mrbkap) (inactive)]

Fix checked into trunk.

Comment 6

[Bob Clary [:bc] (inactive)]

/cvsroot/mozilla/js/tests/js1_6/Regress/regress-372565.js,v  <--  regress-372565.js
initial revision: 1.1

Comment 7

[Bob Clary [:bc] (inactive)]

verified fixed 1.9.0 20070320 win/mac*/linux

Comment 8

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This bug also exists on the MOZILLA_1_8_BRANCH and I backported the patch above in bug 437288.