Closed Bug 715356 Opened 13 years ago Closed 13 years ago

"Assertion failure: pc[bodyLength] == JSOP_LEAVEBLOCKEXPR,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 716068

People

(Reporter: gkw, Assigned: luke)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: js-triage-done)

Attachments

(2 files)

stack
6.90 KB, text/plain
Details
fix
11.74 KB, patch
Details | Diff | Splinter Review 
function f(code) {
    code = code.replace(/\/\*DUPTRY\d+/, function(k) {
        n = parseInt(k.substr(8), 0);
        return g("try{}catch(e){}", n)
    })
    String(Function(code))
}
function g(s, n) {
    if (n == 0) {
        return s
    }
    s2 = s + s
    r = n % 2
    d = (n - r) / 2
    m = g(s2, d)
    return r ? m + s : m
}
f("let(x){switch(x){case 7:/*DUPTRY801([])([])([])/function(){x}}}")

asserts js debug shell on m-c changeset 44d992ccc97a without any CLI arguments at Assertion failure: pc[bodyLength] == JSOP_LEAVEBLOCKEXPR,

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   83259:38344f96b3e3
user:        Luke Wagner
date:        Fri Oct 07 12:02:50 2011 -0700
summary:     Bug Bug 692274, part 4 - Rewrite parsing, emitting and decompiling of let to fix scoping properly (r=jorendorff)
OptimizeSpanDeps!!!!
Whiteboard: js-triage-needed → js-triage-done
Attached patch fixSplinter Review 
I'm going measure how much OptimizeSpanDeps wins us on MemBuster b/c if it's not at least 1%, then this complexity is unconscionable.

Oh, the bug was that OptimizeSpanDeps wants to look into let's SRC_DECL (since js_SrcNoteSpec[SRC_DECL].isSpandDep = true) and fiddle with its offsets based.  However, what I crammed in there was a shifted offset and a bit so it just scrambles the bits.  The solution (since it is no longer necessary for SN_TYPE(sn) to be SRC_DECL) is to use a srcnote type with arity = 2 and make each one a valid offset.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #585966 - Flags: review?(jorendorff)
Oh yeah, I need to update the JSXDR_BYTECODE_VERSION.
You know what is better than fixing a bug caused by OptimizeSpanDeps?  Removing OptimizeSpanDeps.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Attachment #585966 - Flags: review?(jorendorff)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: