Closed Bug 746370 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: JSOp(*(script->code + tn->start + tn->length)) == JSOP_ENDITER, at js/src/ion/IonFrames.cpp:313

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

RESOLVED FIXED

People

(Reporter: decoder, Assigned: dvander)

Details

(Keywords: assertion, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update,reconfirm,ignore])

Attachments

(1 file)

The following testcase asserts on ionmonkey revision 67bf9a4a1f77 (run with --ion -n -m --ion-eager):


var a = ['p', 'q', 'r', 's', 't'];
var o = {p:1, q:2, r:(1), s:4, t:5};
for (var i in o) {
    delete o.p;
}
for each (var i in a)
  assertEq(o.hasOwnProperty(i), false);

Very noisy bug and not recognized automatically as duplicate during fuzzing. Would be nice to get this fixed quickly.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Assignee: general → dvander
Status: NEW → ASSIGNED
JSBugMon: The testcase found in this bug no longer reproduces (tried revision de015aff650d).
Whiteboard: [jsbugmon:update][fuzzblocker] → [fuzzblocker] [jsbugmon:update,ignore]
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:update,reconfirm]
JSBugMon: This bug has been automatically confirmed to be still valid (reproduced on revision bc1833f2111e).
Whiteboard: [fuzzblocker] [jsbugmon:update,reconfirm] → [fuzzblocker] [jsbugmon:update,reconfirm,ignore]
Bug 749048 is fixing the way Iterators are found in the Snapshot, so you might want to import the other Bug patch for testing.
Attached patch: fix
Bleh, I didn't copy TryNoteIter carefully enough: try notes are relative to script->main and not script->code
Attachment #624186 - Flags: review?(nicolas.b.pierron)
Comment on attachment 624186
fix

Review of attachment 624186:
-----------------------------------------------------------------

::: js/src/ion/IonFrames.cpp
@@ +334,5 @@
>  
>      JSTryNote *tn = script->trynotes()->vector;
>      JSTryNote *tnEnd = tn + script->trynotes()->length;
>  
> +    uint32 pcOffset = uint32(pc - script->main());
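
Review bot: on the added pcOffset line, uint32(pc - script->main()) wraps to a very large offset if pc ever points before script->main(), and the try-note scan that follows would then match nothing without any diagnostic. An assertion that pc >= script->main() ahead of the subtraction, plus a short comment that try-note offsets are measured from main() rather than code, would make the invariant explicit.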

Hum… Are we likely to have this kind of bug elsewhere, where we have to use main() instead of code?

::: js/src/jit-test/tests/ion/bug746370.js
@@ +3,5 @@
> +for (var i in o) {
> +    delete o.p;
> +}
> +for each (var i in a)
> +  assertEq(o.hasOwnProperty(i), true);
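
Review bot: the last added line expects true for every name in a, but the loop just above deletes o.p, and in the reported testcase a starts with 'p', so the comparison fails on the first iteration and the test ends with an uncaught exception. If a throw inside the for-each loop is what is needed to reach the fixed path, catch it in the test and say so in a comment; otherwise make the expected value depend on i.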

This assert should raise, unless you delete every property, or you replace true by i == 'p'.
Attachment #624186 - Flags: review?(nicolas.b.pierron) → review+
> Hum… Are we likely to have this kind of bug elsewhere, where we have to
> use main() instead of code?

I can't think of any at the moment.

> This assert should raise, unless you delete every property, or you replace
> true by i == 'p'.

Thanks, I missed that.

http://hg.mozilla.org/projects/ionmonkey/rev/9407cd11d95d
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug746370.js.
Flags: in-testsuite+