Closed Bug 656381 Opened 13 years ago Closed 13 years ago

"Assertion failure: js_GetOpcode(cx, fp->script(), pc) == op" trapping nullblockchain op for "with"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: billm)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

fix
1.13 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review 
Testcase for tracemonkey tip (rev 3d65474edc0e)

./js -d

var f = (function () {with ({}) {}});
dis(f);
trap(f, 5, ''); // trap "nullblockchain" op
f();

Assertion failure: js_GetOpcode(cx, fp->script(), pc) == op, at jsinterp.cpp:202

Suitably modified testcases trigger the assertion all the way back to when the assertion was introduced, in bug 610026:

changeset:   http://hg.mozilla.org/tracemonkey/rev/805c1a5d5cc6
user:        Brendan Eich
date:        Fri Nov 05 15:03:39 2010 -0700
summary:     Handle extended indexes around JSOP_*BLOCKCHAIN (610026, r=billm).

In case you need to debug older versions, these changesets require changes to the testcase:

rev 52538:a8aeff259925 made it necessary to call setDebug(true) before trap().
rev 54291:ea0669bacf12 added the -d flag as an alternative to setDebug(true).
rev 57064:805c1a5d5cc6 added this assertion.
rev 57580:32aa5d70f490 changed nullblockchain offset in f() from 7 to 5.
rev 62194:af9658ce7993 disallowed setDebug(true) in favor of -d.
flags: LAMBDA HEAVYWEIGHT
main:
00000:  newobject ({})
00003:  endinit
00004:  enterwith
00005:  nullblockchain        <-- trap goes here
00006:  leavewith
00007:  stop
Similar problem with "let" / "blockchain".

function f() { let(j) { eval(''); } }
dis(f);
trap(f, 19, '');
f();

flags: HEAVYWEIGHT
main:
00000:  enterblock depth 0 {j: 0}
00003:  getlocal 0
00006:  pop
00007:  callname "eval"
00010:  string ""
00013:  eval 1
00016:  lineno 1
00019:  blockchain depth 0 {j: 0}      <-- trap goes here
00022:  pop
00023:  leaveblock 1
00028:  stop
Attached patch fixSplinter Review 
This assertion wasn't really needed. If we hit a trap opcode here, we'll just fall back to the slow path, which handles it.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #531999 - Flags: review?(dmandelin)
Attachment #531999 - Flags: review?(dmandelin) → review+
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug656381.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: