The default bug view has changed. See this FAQ.

IonMonkey: Assertion failure: *pc == JSOP_CALL, at jsopcode.cpp:4143

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
major
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Other Branch
x86_64
Linux
assertion, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following testcase asserts on ionmonkey revision acf3c1fb7c94 (run with --ion-eager), tested on 64 bit:


genexp = "x * x for (x in [])";
genexpParened = "(" + genexp + ")";
needParens(2, "if (1, xx) { }");
function needParens(section, pat, exp) {
  ft = pat.replace(/xx/, genexpParened);
  try {
    f = new Function(ft);
  } catch(e) {  } 
  overParenTest(section, f, exp);
}
function overParenTest(section, f, exp) {
  var uf = "" + f;
  if (uf.indexOf(genexpParened) != -1) {  }
}
String(
    (function() {
        ([] for (x in []))
    })
)

asserts js debug shell on IM changeset 5602420006bb without any CLI flags at Assertion failure: *pc == JSOP_CALL, 32-bit js shell in 64-bit Windows 7.
Created attachment 564618 [details] [diff] [review]
Assert that JSOP_NOTEARG occurs after |this| push.

I remember this issue being posted in a bug before, but can't seem to find it now.

JSOP_PUSH for |this| is followed by JSOP_NOTEARG so IonBuilder can be single-pass with MPassArg at point-of-definition. In adding JSOP_NOTEARG, I missed a spot that asserts the next op after JSOP_PUSH is JSOP_CALL.
Attachment #564618 - Flags: review?(dvander)
Attachment #564618 - Flags: review?(dvander) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/5dbfb891d8df
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Blocks: 724444
Summary: IM: Assertion failure: *pc == JSOP_CALL, at jsopcode.cpp:4143 → IonMonkey: Assertion failure: *pc == JSOP_CALL, at jsopcode.cpp:4143
(Reporter)

Comment 4

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.