Closed Bug 522624 Opened 15 years ago Closed 15 years ago

TM: "Assertion failure: *pc == JSOP_GETARG" with recursive getter

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: dvander)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

fix
907 bytes, patch
brendan
: review+
Details | Diff | Splinter Review 
function r([]) { r(); }
var a = {};
a.__defineGetter__("t", r);
try { a.t; } catch(e) { }
print(uneval(a));

Assertion failure: *pc == JSOP_GETARG, at ../jsopcode.cpp:5007

Only happens with -j.
I'm making a guess that this is due to tracerecursion, as shown by the following autoBisect's regression window:

http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=89e665eb9944&tochange=d04601f54db5

Note that the assertion had morphed from Assertion failure: unsigned(slots) == NativeStackSlots(cx, 1) - fp->argc - 2 - fp->script->nfixed - 1, at ../jsrecursion.cpp:506
Blocks: tracerecursion
Keywords: regression
Attached patch fixSplinter Review 
Assignee: general → dvander
Status: NEW → ASSIGNED

        Attachment #408083 -
        Flags: review?(brendan)

        Attachment #408083 -
        Flags: review?(brendan) → review+

    
    

    
  
Comment on attachment 408083 [details] [diff] [review]
fix

>diff --git a/js/src/jsopcode.cpp b/js/src/jsopcode.cpp
>--- a/js/src/jsopcode.cpp
>+++ b/js/src/jsopcode.cpp
>@@ -4976,17 +4976,18 @@ js_DecompileFunction(JSPrinter *jp)
> 
>         /* Print the parameters. */
>         pc = fun->u.i.script->main;
>         endpc = pc + fun->u.i.script->length;
>         ok = JS_TRUE;
> 
> #if JS_HAS_DESTRUCTURING
>         /* Skip trace hint if it appears here. */
>-        if (js_GetOpcode(jp->sprinter.context, fun->u.i.script, pc) == JSOP_TRACE) {
>+        if (js_GetOpcode(jp->sprinter.context, fun->u.i.script, pc) == JSOP_TRACE ||
>+            js_GetOpcode(jp->sprinter.context, fun->u.i.script, pc) == JSOP_NOP) {

Use a JSOp op = js_GetOpcode(...) instead of calling twice. r=me with that.

/be

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/5ab2276549b1
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
    

    
  
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: