Closed Bug 656555 Opened 11 years ago Closed 11 years ago

"Assertion failure: op2 == JSOP_POP || op2 == JSOP_POPV", trap on pop following setmethod

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: billm)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

fix
1.30 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review 
function f() { ({}).m = function(){}; }
dis(f);
trap(f, 11, '');
f();

Assertion failure: op2 == JSOP_POP || op2 == JSOP_POPV, at jsinterp.cpp:5510

flags: NULL_CLOSURE
main:
00000:  newobject ({})
00003:  endinit
00004:  lambda (function () {})
00007:  nullblockchain
00008:  setmethod "m"              <-- jsinterp dies here
00011:  pop                        <-- trap is here
00012:  stop

This assertion was added in:

changeset:   http://hg.mozilla.org/tracemonkey/rev/d03cc1038c7a
user:        Bill McCloskey
date:        Wed Oct 06 10:41:36 2010 -0700
summary:     Bug 601986 - Make blockchain determination faster for with, flat closures (r=igor)
Attached patch fixSplinter Review 
I just fixed this to overlook the trap opcode. We also directly access an opcode a little bit earlier in this code, but it's an optimization and I think it's okay to ignore JSOP_TRAP there.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #532001 - Flags: review?(dmandelin)
Attachment #532001 - Flags: review?(dmandelin) → review+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug656555.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.