Bug 673066 - "Assertion failure: op == JSOP_CONDSWITCH,"
Status: RESOLVED FIXED
Whiteboard: [inbound]
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Mac OS X
Importance: -- critical
Target Milestone: mozilla8
Assigned To: Hannes Verschore [:h4writer]
Blocks: jsfunfuzz 670784
Reported: 2011-07-21 01:59 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 08:29 PST
choller: in‑testsuite+

Attachments
stack (2.96 KB, text/plain)
2011-07-21 01:59 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags
Patch (1.52 KB, patch)
2011-07-21 11:24 PDT, Hannes Verschore [:h4writer]
dvander: review+
Patch with testcase (2.26 KB, patch)
2011-07-21 16:42 PDT, Hannes Verschore [:h4writer]
hv1989: review+

Description Gary Kwong [:gkw] [:nth10sd] 2011-07-21 01:59:34 PDT
Created attachment 547344
stack

function f(code) {
    a = code.replace(/s/, "");
    wtt = a
    code = code.replace(/\/\*DUPTRY\d+\*\//, function(k) {
        n = parseInt(k.substr(8), 0);
        return g("try{}catch(e){}", n)
    });
    f = eval("(function(){" + code + "})")
    disassemble("-r", f)
}
function g(s, n) {
    if (n == 0) {
        return s
    }
    s2 = s + s
    r = n % 2
    d = (n - r) / 2
    m = g(s2, d)
    return r ? m + s : m
}
f("switch(''){default:break;/*DUPTRY525*/}")

asserts js debug shell on MI changeset 99d121a0f799 without any CLI arguments at Assertion failure: op == JSOP_CONDSWITCH,

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   72784:d5ae5580508f
user:        Hannes Verschore <hverschore@mozilla.com>
date:        Wed Jul 13 16:12:05 2011 -0700
summary:     Bug 670784 - Add src note to break statements of switches, r=dvander

Comment 1 Hannes Verschore [:h4writer] 2011-07-21 11:24:16 PDT
Created attachment 547449
Patch

I forgot to break on JSOP_GOTOX too. So when the content between the case statement and the end of the switch was too long it bailed on this error (when decoding back to JS).

This patch fixes it!

Comment 2 David Anderson [:dvander] 2011-07-21 11:44:44 PDT
Comment on attachment 547449
Patch

r=me with test case included

Comment 3 Hannes Verschore [:h4writer] 2011-07-21 16:42:10 PDT
Created attachment 547560
Patch with testcase

Carries r+ over from previous patch

Comment 4 David Mandelin [:dmandelin] 2011-07-26 10:51:30 PDT
Looks like the inbound flag got set by mistake.

Comment 5 David Mandelin [:dmandelin] 2011-07-26 10:59:11 PDT
http://hg.mozilla.org/integration/mozilla-inbound/rev/73c9ed9aa8f0

Comment 6 Marco Bonardo [::mak] (Away 6-20 Aug) 2011-07-27 03:27:24 PDT
http://hg.mozilla.org/mozilla-central/rev/73c9ed9aa8f0

Comment 7 Christian Holler (:decoder) 2013-01-14 08:29:26 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug673066.js.