Closed Bug 522624 Opened 16 years ago Closed 15 years ago

TM: "Assertion failure: *pc == JSOP_GETARG" with recursive getter

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: dvander)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

fix
907 bytes, patch
brendan
: review+
Details | Diff | Splinter Review
function r([]) { r(); } var a = {}; a.__defineGetter__("t", r); try { a.t; } catch(e) { } print(uneval(a)); Assertion failure: *pc == JSOP_GETARG, at ../jsopcode.cpp:5007 Only happens with -j.
I'm making a guess that this is due to tracerecursion, as shown by the following autoBisect's regression window: http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=89e665eb9944&tochange=d04601f54db5 Note that the assertion had morphed from Assertion failure: unsigned(slots) == NativeStackSlots(cx, 1) - fp->argc - 2 - fp->script->nfixed - 1, at ../jsrecursion.cpp:506
Blocks: tracerecursion
Keywords: regression
Attached patch fixSplinter Review
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #408083 - Flags: review?(brendan)
Attachment #408083 - Flags: review?(brendan) → review+
Comment on attachment 408083 [details] [diff] [review] fix >diff --git a/js/src/jsopcode.cpp b/js/src/jsopcode.cpp >--- a/js/src/jsopcode.cpp >+++ b/js/src/jsopcode.cpp >@@ -4976,17 +4976,18 @@ js_DecompileFunction(JSPrinter *jp) > > /* Print the parameters. */ > pc = fun->u.i.script->main; > endpc = pc + fun->u.i.script->length; > ok = JS_TRUE; > > #if JS_HAS_DESTRUCTURING > /* Skip trace hint if it appears here. */ >- if (js_GetOpcode(jp->sprinter.context, fun->u.i.script, pc) == JSOP_TRACE) { >+ if (js_GetOpcode(jp->sprinter.context, fun->u.i.script, pc) == JSOP_TRACE || >+ js_GetOpcode(jp->sprinter.context, fun->u.i.script, pc) == JSOP_NOP) { Use a JSOp op = js_GetOpcode(...) instead of calling twice. r=me with that. /be
http://hg.mozilla.org/mozilla-central/rev/5ab2276549b1
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: