Last Comment Bug 737818 - IonMonkey: Assertion failure: JSOp(*bodyStart) == JSOP_NOP, at IonBuilder.cpp:1758
: IonMonkey: Assertion failure: JSOp(*bodyStart) == JSOP_NOP, at IonBuilder.cpp...
Status: RESOLVED FIXED
:
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: unspecified
: All All
: -- normal (vote)
: ---
Assigned To: Jan de Mooij [:jandem] (PTO until July 31)
:
Mentors:
Depends on:
Blocks: 737647 677337
  Show dependency treegraph
 
Reported: 2012-03-21 05:44 PDT by Jan de Mooij [:jandem] (PTO until July 31)
Modified: 2012-03-23 04:22 PDT (History)
1 user (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Patch (1.27 KB, patch)
2012-03-21 06:21 PDT, Jan de Mooij [:jandem] (PTO until July 31)
nicolas.b.pierron: review+
Details | Diff | Splinter Review

Description Jan de Mooij [:jandem] (PTO until July 31) 2012-03-21 05:44:53 PDT
jit-test/tests/ion/bug724975.js and box2d (bug 737647) trigger this assert.
Comment 1 Jan de Mooij [:jandem] (PTO until July 31) 2012-03-21 06:21:14 PDT
Created attachment 607927 [details] [diff] [review]
Patch

The bytecode was very confusing, I had to look at the emitter to understand what's happening. For-loops start with either a JSOP_POP or JSOP_NOP, and the extra JSOP_NOP is only inserted if the loop starts with a JSOP_POP.
Comment 2 Nicolas B. Pierron [:nbp] 2012-03-21 11:28:16 PDT
Comment on attachment 607927 [details] [diff] [review]
Patch

Review of attachment 607927 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/IonBuilder.cpp
@@ +1755,5 @@
>          bodyStart = GetNextPc(bodyStart);
>      } else {
>          // No loop condition, such as for(j = 0; ; j++)
> +        if (op != JSOP_NOP) {
> +            // If the loop starts with POP, we have to skip a NOP.

comment-for-myself:
This condition correspond to the code at frontend/BytecodeEmitter.cpp around line 4861 in EmitNormalFor function.

    if (forHead->pn_kid2) {
        /* Goto the loop condition, which branches back to iterate. */
        jmp = EmitJump(cx, bce, JSOP_GOTO, 0);
        if (jmp < 0)
            return false;
    } else {
        if (op != JSOP_NOP && Emit1(cx, bce, JSOP_NOP) < 0)
            return false;
    }
Comment 3 Jan de Mooij [:jandem] (PTO until July 31) 2012-03-23 04:22:00 PDT
https://hg.mozilla.org/projects/ionmonkey/rev/083f0d4215c3

Note You need to log in before you can comment on or make changes to this bug.