"Assertion failure: op2 == JSOP_POP || op2 == JSOP_POPV", trap on pop following setmethod

RESOLVED FIXED

Status

()

Product:
Core
Component:
JavaScript Engine
Type:
defect
Importance:
--
critical
Status:
RESOLVED FIXED
Opened:
8 years ago
Updated:
7 years ago

People

(Reporter: jruderman, Assigned: billm)

Tracking

(Blocks 1 bug, {assertion, regression, testcase})

Version:
Trunk
Platform:
x86
macOS
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment)

fix
1.30 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review 
function f() { ({}).m = function(){}; }
dis(f);
trap(f, 11, '');
f();

Assertion failure: op2 == JSOP_POP || op2 == JSOP_POPV, at jsinterp.cpp:5510

flags: NULL_CLOSURE
main:
00000:  newobject ({})
00003:  endinit
00004:  lambda (function () {})
00007:  nullblockchain
00008:  setmethod "m"              <-- jsinterp dies here
00011:  pop                        <-- trap is here
00012:  stop

This assertion was added in:

changeset:   http://hg.mozilla.org/tracemonkey/rev/d03cc1038c7a
user:        Bill McCloskey
date:        Wed Oct 06 10:41:36 2010 -0700
summary:     Bug 601986 - Make blockchain determination faster for with, flat closures (r=igor)
Posted patch fixSplinter Review 
I just fixed this to overlook the trap opcode. We also directly access an opcode a little bit earlier in this code, but it's an optimization and I think it's okay to ignore JSOP_TRAP there.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #532001 - Flags: review?(dmandelin)
Attachment #532001 - Flags: review?(dmandelin) → review+
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug656555.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.