Bug 656555 - "Assertion failure: op2 == JSOP_POP || op2 == JSOP_POPV", trap on pop following setmethod
Status: RESOLVED FIXED
Whiteboard: fixed-in-tracemonkey
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Mac OS X
Importance: -- critical
Assigned To: Bill McCloskey (:billm)
Blocks: jsfunfuzz 601986
Reported: 2011-05-12 00:44 PDT by Jesse Ruderman
Modified: 2013-01-14 07:40 PST
choller: in‑testsuite+


Attachments
fix (1.30 KB, patch)
2011-05-12 12:04 PDT, Bill McCloskey (:billm)
dmandelin: review+

Description Jesse Ruderman 2011-05-12 00:44:18 PDT
function f() { ({}).m = function(){}; }
dis(f);
trap(f, 11, '');
f();

Assertion failure: op2 == JSOP_POP || op2 == JSOP_POPV, at jsinterp.cpp:5510

flags: NULL_CLOSURE
main:
00000:  newobject ({})
00003:  endinit
00004:  lambda (function () {})
00007:  nullblockchain
00008:  setmethod "m"              <-- jsinterp dies here
00011:  pop                        <-- trap is here
00012:  stop

This assertion was added in:

changeset:   http://hg.mozilla.org/tracemonkey/rev/d03cc1038c7a
user:        Bill McCloskey
date:        Wed Oct 06 10:41:36 2010 -0700
summary:     Bug 601986 - Make blockchain determination faster for with, flat closures (r=igor)

Comment 1 Bill McCloskey (:billm) 2011-05-12 12:04:28 PDT
Created attachment 532001
fix

I just fixed this to overlook the trap opcode. We also directly access an opcode a little bit earlier in this code, but it's an optimization and I think it's okay to ignore JSOP_TRAP there.
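
The failure mode discussed in this bug, as an added example that is not part of the bug thread or of SpiderMonkey's source: a simplified C++ model in which a debugger trap overwrites an opcode byte in place, so a raw look-ahead after setmethod sees the trap instead of pop. The opcode values, the `Script` struct and the helper names are hypothetical; the offsets mirror the `dis(f)` output in the description.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// Simplified model, not SpiderMonkey source. Opcode names follow the
// disassembly in the report; numeric values and helper names are made up.
enum Op : uint8_t { NEWOBJECT, ENDINIT, LAMBDA, NULLBLOCKCHAIN, SETMETHOD, POP, POPV, STOP, TRAP };
const size_t SETMETHOD_LENGTH = 3;  // opcode byte + 2 operand bytes (00008 -> 00011)

struct Script {
    std::vector<uint8_t> code;
    std::map<size_t, uint8_t> saved;  // pc -> opcode byte a trap overwrote

    // A debugger trap patches the opcode byte in place and keeps the original.
    void setTrap(size_t pc) {
        if (code[pc] == TRAP) return;  // already trapped: keep the first saved byte
        saved[pc] = code[pc];
        code[pc] = TRAP;
    }
    // Trap-aware read: report the opcode that was there before the trap.
    Op realOp(size_t pc) const {
        auto it = saved.find(pc);
        return (code[pc] == TRAP && it != saved.end()) ? Op(it->second) : Op(code[pc]);
    }
};

// Constructed bytecode with the same offsets as the dis(f) output (operands zeroed).
Script sampleScript() {
    return Script{{NEWOBJECT, 0, 0, ENDINIT, LAMBDA, 0, 0, NULLBLOCKCHAIN,
                   SETMETHOD, 0, 0, POP, STOP}, {}};
}

bool isPop(Op op) { return op == POP || op == POPV; }

// Peek at the raw byte after setmethod: misreads a trapped pop as TRAP.
bool popFollowsRaw(const Script& s, size_t pc) { return isPop(Op(s.code[pc + SETMETHOD_LENGTH])); }

// Peek through the trap: the condition holds whether or not a trap is set.
bool popFollowsTrapAware(const Script& s, size_t pc) { return isPop(s.realOp(pc + SETMETHOD_LENGTH)); }

int main() {
    Script s = sampleScript();
    s.setTrap(11);  // same offset as trap(f, 11, '')
    std::printf("raw: %d, trap-aware: %d\n", popFollowsRaw(s, 8), popFollowsTrapAware(s, 8));
    return 0;
}
```

Any interpreter or analysis pass that reads bytecode directly while a debugger can patch it needs the trap-aware read, otherwise invariants about opcode sequences stop holding as soon as a trap is set.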

Comment 2 Bill McCloskey (:billm) 2011-05-18 10:36:15 PDT
http://hg.mozilla.org/tracemonkey/rev/deccd0dc4a41

Comment 3 Chris Leary [:cdleary] (not checking bugmail) 2011-05-23 14:08:25 PDT
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/deccd0dc4a41

Comment 4 Christian Holler (:decoder) 2013-01-14 07:40:30 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug656555.js.
