"Assertion failure: op == JSOP_CONDSWITCH,"

RESOLVED FIXED in mozilla8

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: gkw, Assigned: h4writer)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla8
x86
Mac OS X
assertion, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [inbound])

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

6 years ago
Created attachment 547344 [details]
stack

function f(code) {
    a = code.replace(/s/, "");
    wtt = a
    code = code.replace(/\/\*DUPTRY\d+\*\//, function(k) {
        n = parseInt(k.substr(8), 0);
        return g("try{}catch(e){}", n)
    });
    f = eval("(function(){" + code + "})")
    disassemble("-r", f)
}
function g(s, n) {
    if (n == 0) {
        return s
    }
    s2 = s + s
    r = n % 2
    d = (n - r) / 2
    m = g(s2, d)
    return r ? m + s : m
}
f("switch(''){default:break;/*DUPTRY525*/}")

asserts js debug shell on MI changeset 99d121a0f799 without any CLI arguments at Assertion failure: op == JSOP_CONDSWITCH,

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   72784:d5ae5580508f
user:        Hannes Verschore <hverschore@mozilla.com>
date:        Wed Jul 13 16:12:05 2011 -0700
summary:     Bug 670784 - Add src note to break statements of switches, r=dvander
(Assignee)

Updated

6 years ago
Assignee: general → hv1989
(Assignee)

Comment 1

6 years ago
Created attachment 547449 [details] [diff] [review]
Patch

I forgot to break on JSOP_GOTOX too. So when the content between the case statement and the end of the switch was too long it bailed on this error (when decoding back to JS).

This patch fixes it!
Attachment #547449 - Flags: review?(dvander)
Comment on attachment 547449 [details] [diff] [review]
Patch

r=me with test case included
Attachment #547449 - Flags: review?(dvander) → review+
(Assignee)

Comment 3

6 years ago
Created attachment 547560 [details] [diff] [review]
Patch with testcase

Carries r+ over from previous patch
Attachment #547449 - Attachment is obsolete: true
Attachment #547560 - Flags: review+
(Assignee)

Updated

6 years ago
Keywords: checkin-needed
(Reporter)

Updated

6 years ago
Whiteboard: [inbound]
Looks like the inbound flag got set by mistake.
Whiteboard: [inbound]
http://hg.mozilla.org/integration/mozilla-inbound/rev/73c9ed9aa8f0
Keywords: checkin-needed
Whiteboard: [inbound]
http://hg.mozilla.org/mozilla-central/rev/73c9ed9aa8f0
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug673066.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.