Note: There are a few cases of duplicates in user autocompletion which are being worked on.

IonMonkey: Assertion failure: JSOp(*(script->code + tn->start + tn->length)) == JSOP_ENDITER, at js/src/ion/IonFrames.cpp:313

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
major
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: decoder, Assigned: dvander)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Other Branch
x86_64
Linux
assertion, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fuzzblocker] [jsbugmon:update,reconfirm,ignore])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following testcase asserts on ionmonkey revision 67bf9a4a1f77 (run with --ion -n -m --ion-eager):


var a = ['p', 'q', 'r', 's', 't'];
var o = {p:1, q:2, r:(1), s:4, t:5};
for (var i in o) {
    delete o.p;
}
for each (var i in a)
  assertEq(o.hasOwnProperty(i), false);
(Reporter)

Comment 1

5 years ago
Very noisy bug and not recognized automatically as duplicate during fuzzing. Would be nice to get this fixed quickly.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
(Assignee)

Updated

5 years ago
Assignee: general → dvander
Status: NEW → ASSIGNED
(Reporter)

Comment 2

5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision de015aff650d).
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update][fuzzblocker] → [fuzzblocker] [jsbugmon:update,ignore]
(Reporter)

Updated

5 years ago
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:update,reconfirm]
(Reporter)

Comment 3

5 years ago
JSBugMon: This bug has been automatically confirmed to be still valid (reproduced on revision bc1833f2111e).
(Reporter)

Updated

5 years ago
Whiteboard: [fuzzblocker] [jsbugmon:update,reconfirm] → [fuzzblocker] [jsbugmon:update,reconfirm,ignore]
Bug 749048 is fixing the way Iterators are found in the Snapshot, so you might want to import the other Bug patch for testing.
(Assignee)

Comment 5

5 years ago
Created attachment 624186 [details] [diff] [review]
fix

Bleh, I didn't copy TryNoteIter carefully enough: try notes are relative to script->main and not script->code
Attachment #624186 - Flags: review?(nicolas.b.pierron)
Comment on attachment 624186 [details] [diff] [review]
fix

Review of attachment 624186 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/IonFrames.cpp
@@ +334,5 @@
>  
>      JSTryNote *tn = script->trynotes()->vector;
>      JSTryNote *tnEnd = tn + script->trynotes()->length;
>  
> +    uint32 pcOffset = uint32(pc - script->main());

Hum … Are we likely to have this kind of bug else-where, where we have to use main() instead of code ?

::: js/src/jit-test/tests/ion/bug746370.js
@@ +3,5 @@
> +for (var i in o) {
> +    delete o.p;
> +}
> +for each (var i in a)
> +  assertEq(o.hasOwnProperty(i), true);

This assert should raise, unless you delete every property, or you replace  true  by  i == 'p' .
Attachment #624186 - Flags: review?(nicolas.b.pierron) → review+
(Assignee)

Comment 7

5 years ago
> Hum … Are we likely to have this kind of bug else-where, where we have to
> use main() instead of code ?

I can't think of any at the moment.

> This assert should raise, unless you delete every property, or you replace 
> true  by  i == 'p' .

Thanks, I missed that.

http://hg.mozilla.org/projects/ionmonkey/rev/9407cd11d95d
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 8

5 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug746370.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.