Bug 656381 - "Assertion failure: js_GetOpcode(cx, fp->script(), pc) == op" trapping nullblockchain op for "with"
Status: RESOLVED FIXED
Whiteboard: fixed-in-tracemonkey
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Mac OS X
Importance: -- critical
Target Milestone: ---
Assigned To: Bill McCloskey (:billm)
Mentors:
Depends on:
Blocks: jsfunfuzz 610026

Reported: 2011-05-11 11:03 PDT by Jesse Ruderman
Modified: 2013-01-14 08:14 PST
Flags: choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
fix (1.13 KB, patch)
2011-05-12 12:02 PDT, Bill McCloskey (:billm)
dmandelin: review+

Description Jesse Ruderman 2011-05-11 11:03:46 PDT
Testcase for tracemonkey tip (rev 3d65474edc0e)

./js -d

var f = (function () {with ({}) {}});
dis(f);
trap(f, 5, ''); // trap "nullblockchain" op
f();

Assertion failure: js_GetOpcode(cx, fp->script(), pc) == op, at jsinterp.cpp:202

Suitably modified testcases trigger the assertion all the way back to when the assertion was introduced, in bug 610026:

changeset:   http://hg.mozilla.org/tracemonkey/rev/805c1a5d5cc6
user:        Brendan Eich
date:        Fri Nov 05 15:03:39 2010 -0700
summary:     Handle extended indexes around JSOP_*BLOCKCHAIN (610026, r=billm).

In case you need to debug older versions, these changesets require changes to the testcase:

rev 52538:a8aeff259925 made it necessary to call setDebug(true) before trap().
rev 54291:ea0669bacf12 added the -d flag as an alternative to setDebug(true).
rev 57064:805c1a5d5cc6 added this assertion.
rev 57580:32aa5d70f490 changed nullblockchain offset in f() from 7 to 5.
rev 62194:af9658ce7993 disallowed setDebug(true) in favor of -d.
Comment 1 Jesse Ruderman 2011-05-11 11:06:21 PDT
flags: LAMBDA HEAVYWEIGHT
main:
00000:  newobject ({})
00003:  endinit
00004:  enterwith
00005:  nullblockchain        <-- trap goes here
00006:  leavewith
00007:  stop
Comment 2 Jesse Ruderman 2011-05-11 22:11:56 PDT
Similar problem with "let" / "blockchain".

function f() { let(j) { eval(''); } }
dis(f);
trap(f, 19, '');
f();

flags: HEAVYWEIGHT
main:
00000:  enterblock depth 0 {j: 0}
00003:  getlocal 0
00006:  pop
00007:  callname "eval"
00010:  string ""
00013:  eval 1
00016:  lineno 1
00019:  blockchain depth 0 {j: 0}      <-- trap goes here
00022:  pop
00023:  leaveblock 1
00028:  stop
Comment 3 Bill McCloskey (:billm) 2011-05-12 12:02:31 PDT
Created attachment 531999 [details] [diff] [review]
fix

This assertion wasn't really needed. If we hit a trap opcode here, we'll just fall back to the slow path, which handles it.
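The mechanism behind both testcases (the "with"/nullblockchain one in the description and the "let"/blockchain one in comment 2) is the same: trap() overwrites the opcode byte at the requested offset with a trap placeholder, so any fast-path check that compares the decoded opcode against the raw byte at pc fails exactly at trapped sites. The following is an added toy model of that interaction, not SpiderMonkey code: the opcode numbering, the trap table and the helper names (set_trap, get_opcode, dispatch, the *_with_trap scenario functions) are assumptions made for the demo, and the model assumes the value compared against js_GetOpcode's result is the raw byte at pc. The bytecode layout and offsets follow the dis() output in comment 1. The "old assertion" function reproduces the failing check; dispatch models the fixed behaviour, where a raw trap byte is routed to the slow path that looks through the trap to the saved opcode.

```c
/*
 * Toy model of how a debugger trap interacts with an opcode-identity
 * assertion, in the spirit of bug 656381. Added illustration, not
 * SpiderMonkey code: opcode numbering, trap table and helper names are
 * assumptions for the demo. Offsets follow the dis() listing in comment 1.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum op {
    OP_NEWOBJECT = 1, OP_ENDINIT, OP_ENTERWITH, OP_NULLBLOCKCHAIN,
    OP_LEAVEWITH, OP_STOP,
    OP_TRAP = 0xFF   /* placeholder the debugger writes over the real byte */
};

enum path { PATH_FAST = 0, PATH_SLOW = 1, PATH_ERROR = 2 };

#define MAX_TRAPS 8
struct trap { int used; size_t pc; uint8_t saved; };
struct script { uint8_t code[16]; size_t len; struct trap traps[MAX_TRAPS]; };

/* trap(f, pc, ''): overwrite the opcode byte, remembering the original. */
static int set_trap(struct script *s, size_t pc) {
    if (pc >= s->len) return 0;
    for (int i = 0; i < MAX_TRAPS; i++) {
        if (!s->traps[i].used) {
            s->traps[i].used = 1;
            s->traps[i].pc = pc;
            s->traps[i].saved = s->code[pc];
            s->code[pc] = OP_TRAP;
            return 1;
        }
    }
    return 0;
}

/* js_GetOpcode-style lookup: the real opcode even when the byte is OP_TRAP. */
static uint8_t get_opcode(const struct script *s, size_t pc) {
    uint8_t raw = s->code[pc];
    if (raw != OP_TRAP) return raw;
    for (int i = 0; i < MAX_TRAPS; i++)
        if (s->traps[i].used && s->traps[i].pc == pc) return s->traps[i].saved;
    return OP_TRAP;  /* no record for this pc: treat as an error */
}

/* The removed assertion: decoded opcode == raw byte. False exactly when a
 * trap sits on pc, because the raw byte is then OP_TRAP. */
static int old_assertion_holds(const struct script *s, size_t pc) {
    uint8_t op = s->code[pc];
    return get_opcode(s, pc) == op;
}

/* Post-fix behaviour: a raw OP_TRAP byte goes to the slow path, which looks
 * through the trap to the saved opcode instead of asserting. */
static enum path dispatch(const struct script *s, size_t pc, uint8_t *effective) {
    uint8_t op = s->code[pc];
    if (op != OP_TRAP) { *effective = op; return PATH_FAST; }
    *effective = get_opcode(s, pc);
    return *effective == OP_TRAP ? PATH_ERROR : PATH_SLOW;
}

/* Bytecode for (function () { with ({}) {} }); offsets as in the listing. */
static void build_with_script(struct script *s) {
    static const uint8_t code[] = {
        OP_NEWOBJECT, 0, 0,   /* 00000 newobject ({}), two operand bytes */
        OP_ENDINIT,           /* 00003 */
        OP_ENTERWITH,         /* 00004 */
        OP_NULLBLOCKCHAIN,    /* 00005 <-- trap goes here */
        OP_LEAVEWITH,         /* 00006 */
        OP_STOP               /* 00007 */
    };
    memset(s, 0, sizeof *s);
    memcpy(s->code, code, sizeof code);
    s->len = sizeof code;
}

/* Scenario helpers: build the script, set one trap, then inspect exec_pc. */
static int assertion_holds_with_trap(size_t trap_pc, size_t exec_pc) {
    struct script s; build_with_script(&s);
    set_trap(&s, trap_pc);
    return old_assertion_holds(&s, exec_pc);
}
static int dispatch_path_with_trap(size_t trap_pc, size_t exec_pc, int *effective) {
    struct script s; build_with_script(&s);
    set_trap(&s, trap_pc);
    uint8_t eff; enum path p = dispatch(&s, exec_pc, &eff);
    if (effective) *effective = eff;
    return p;
}
static int effective_op_with_trap(size_t trap_pc, size_t exec_pc) {
    int eff = -1;
    dispatch_path_with_trap(trap_pc, exec_pc, &eff);
    return eff;
}

int main(void) {
    printf("trap at 5: old assertion %s at pc 5\n",
           assertion_holds_with_trap(5, 5) ? "holds" : "FAILS");
    printf("fixed dispatch at pc 5: path=%d effective=%d (nullblockchain=%d)\n",
           dispatch_path_with_trap(5, 5, NULL), effective_op_with_trap(5, 5),
           OP_NULLBLOCKCHAIN);
    return 0;
}
```

With the trap at offset 5, the old check fails at pc 5 and holds everywhere else, which is the pattern the two testcases show; the fixed dispatch reports PATH_SLOW at pc 5 with the effective opcode resolved back to nullblockchain.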
Comment 4 Bill McCloskey (:billm) 2011-05-18 10:35:40 PDT
http://hg.mozilla.org/tracemonkey/rev/0619ebfaed3d
Comment 5 Chris Leary [:cdleary] (not checking bugmail) 2011-05-23 14:18:19 PDT
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/0619ebfaed3d
Comment 6 Christian Holler (:decoder) 2013-01-14 08:14:32 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug656381.js.
