Closed Bug 691593 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: *pc == JSOP_CALL, at jsopcode.cpp:4143

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Assert that JSOP_NOTEARG occurs after |this| push.
935 bytes, patch
dvander
: review+
Details | Diff | Splinter Review 
The following testcase asserts on ionmonkey revision acf3c1fb7c94 (run with --ion-eager), tested on 64 bit:


genexp = "x * x for (x in [])";
genexpParened = "(" + genexp + ")";
needParens(2, "if (1, xx) { }");
function needParens(section, pat, exp) {
  ft = pat.replace(/xx/, genexpParened);
  try {
    f = new Function(ft);
  } catch(e) {  } 
  overParenTest(section, f, exp);
}
function overParenTest(section, f, exp) {
  var uf = "" + f;
  if (uf.indexOf(genexpParened) != -1) {  }
}
String(
    (function() {
        ([] for (x in []))
    })
)

asserts js debug shell on IM changeset 5602420006bb without any CLI flags at Assertion failure: *pc == JSOP_CALL, 32-bit js shell in 64-bit Windows 7.
I remember this issue being posted in a bug before, but can't seem to find it now.

JSOP_PUSH for |this| is followed by JSOP_NOTEARG so IonBuilder can be single-pass with MPassArg at point-of-definition. In adding JSOP_NOTEARG, I missed a spot that asserts the next op after JSOP_PUSH is JSOP_CALL.
Attachment #564618 - Flags: review?(dvander)
Attachment #564618 - Flags: review?(dvander) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/5dbfb891d8df
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Blocks: IonFuzz
Summary: IM: Assertion failure: *pc == JSOP_CALL, at jsopcode.cpp:4143 → IonMonkey: Assertion failure: *pc == JSOP_CALL, at jsopcode.cpp:4143
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.