Closed Bug 673710 Opened 14 years ago Closed 14 years ago

Assertion failure: top != 0, at jsopcode.cpp:1154

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Unassigned)

References

Details

-- function f() { a[1, 2]++; } f.toString(); -- $ ./js test.js Assertion failure: top != 0, at jsopcode.cpp:1154 JM repository, revision 4fbb36c1c9a3, 32-bit OS X. I have not bisected this but I'm pretty sure it's bug 647624.
Here's another testcase: +(function() { w([] = "", c--)() }) Assertion failure: top != 0,
Problem when decompiling portions of a script, where in the big switch we could end up in a situation where the pc points to an op which is followed by a decomposed version, but the case that has actually been processed was something totally different (from an '&&', '||' or ',' expression). This fix just moves the decomposed check into the individual cases which have (or might have) decomposed versions. It would be nice if the invariants in Decompile() were clearer. There are several variables that look vaguely related to the current op (pc, len, oplen, op, cs), and it's not clear at all what relationships these have to one another. http://hg.mozilla.org/projects/jaegermonkey/rev/7e5a5d2e28f8
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.