"Assertion failure: 0, at ../jsopcode.cpp" with uneval, yield, Function, do...while

VERIFIED FIXED

Status

critical
9 years ago
6 years ago

People

(Reporter: gkw, Assigned: jorendorff)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
x86
Mac OS X
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment)

uneval(Function("\
  do {\
  for each(y in []) {\
    yield\
    }\
  }\
  while(x)\
"))

asserts js debug shell without -j on TM tip at Assertion failure: 0, at ../jsopcode.cpp:3312. This seems to occur frequently.
autoBisect shows this is probably related to bug 522624:

The first bad revision is:
changeset:   34070:5ab2276549b1
user:        David Anderson
date:        Fri Oct 23 14:28:35 2009 -0700
summary:     Fixed decompiler assertion related to JSOP_TRACE (bug 522624, r=brendan).
Blocks: 522624
Summary: "Assertion failure: 0, at ../jsopcode.cpp" → "Assertion failure: 0, at ../jsopcode.cpp" with uneval, yield, Function, do...while
I can't win against this thing.
(Assignee)

Comment 3

9 years ago
Smaller test case:

uneval(function () { do yield; while (0); });

dvander and I figured this out on IRC. js_DecompileFunction is fixing up pc to skip a JSOP_TRACE opcode that isn't there for generators.
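An added illustration of the failure mode described in Comment 3 (not code from SpiderMonkey or from the attached patch): a toy decoder that steps over a leading opcode unconditionally loses sync when that opcode is absent, while a checked skip does not. The opcode set, function names and sample scripts are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Toy bytecode (hypothetical, not SpiderMonkey's). OP_PUSH has a one-byte operand.
enum Op : uint8_t { OP_STOP = 0, OP_TRACE = 1, OP_PUSH = 2, OP_YIELD = 3 };

// Decode from pc up to OP_STOP. Returns false on an unknown opcode, the
// kind of condition a debug build reports with an assertion failure.
static bool decode(const std::vector<uint8_t>& code, std::size_t pc, std::string& out) {
    while (pc < code.size()) {
        switch (code[pc]) {
          case OP_STOP:  out += "stop";   return true;
          case OP_TRACE: out += "trace "; pc += 1; break;
          case OP_YIELD: out += "yield "; pc += 1; break;
          case OP_PUSH:
            if (pc + 1 >= code.size()) return false;  // truncated operand
            out += "push(" + std::to_string(code[pc + 1]) + ") ";
            pc += 2;
            break;
          default:
            return false;  // unknown byte: the decoder is out of sync
        }
    }
    return false;  // ran past the end without OP_STOP
}

// Before: assumes every script starts with OP_TRACE and steps over it.
bool decompile_unchecked(const std::vector<uint8_t>& code, std::string& out) {
    return decode(code, 1, out);
}

// After: steps over the first opcode only when it really is OP_TRACE.
bool decompile_checked(const std::vector<uint8_t>& code, std::string& out) {
    std::size_t pc = (!code.empty() && code[0] == OP_TRACE) ? 1 : 0;
    return decode(code, pc, out);
}

// Constructed sample scripts, with and without the leading OP_TRACE.
const std::vector<uint8_t> kWithTrace    = { OP_TRACE, OP_PUSH, 99, OP_STOP };
const std::vector<uint8_t> kWithoutTrace = { OP_PUSH, 99, OP_YIELD, OP_STOP };

int main() {
    std::string a, b;
    std::cout << "unchecked: " << decompile_unchecked(kWithoutTrace, a) << "\n";
    std::cout << "checked:   " << decompile_checked(kWithoutTrace, b) << " " << b << "\n";
}
```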
(Assignee)

Comment 4

9 years ago
Created attachment 409181
v1
Assignee: general → jorendorff
Status: NEW → ASSIGNED
Attachment #409181 - Flags: review?(dvander)
Attachment #409181 - Flags: review?(dvander) → review+
(Assignee)

Comment 5

9 years ago
http://hg.mozilla.org/tracemonkey/rev/bd1b0c451b85
Whiteboard: fixed-in-tracemonkey

Comment 6

9 years ago
http://hg.mozilla.org/mozilla-central/rev/bd1b0c451b85
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/tests/js1_8_1/regress/regress-524264.js.
Flags: in-testsuite+
Testcases have been landed by virtue of being marked in-testsuite+ -> VERIFIED as well.
Status: RESOLVED → VERIFIED