Bug 746370 - IonMonkey: Assertion failure: JSOp(*(script->code + tn->start + tn->length)) == JSOP_ENDITER, at js/src/ion/IonFrames.cpp:313
Status: RESOLVED FIXED
Whiteboard: [fuzzblocker] [jsbugmon:update,reconf...
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Importance: -- major
Assigned To: David Anderson [:dvander]
Blocks: langfuzz IonFuzz
 
Reported: 2012-04-17 15:37 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:23 PST (History)
choller: in‑testsuite+

Attachments
fix (1.40 KB, patch)
2012-05-15 14:16 PDT, David Anderson [:dvander]
nicolas.b.pierron: review+

Description Christian Holler (:decoder) 2012-04-17 15:37:38 PDT
The following testcase asserts on ionmonkey revision 67bf9a4a1f77 (run with --ion -n -m --ion-eager):


var a = ['p', 'q', 'r', 's', 't'];
var o = {p:1, q:2, r:(1), s:4, t:5};
for (var i in o) {
    delete o.p;
}
for each (var i in a)
  assertEq(o.hasOwnProperty(i), false);
Comment 1 Christian Holler (:decoder) 2012-04-17 15:38:24 PDT
Very noisy bug and not recognized automatically as duplicate during fuzzing. Would be nice to get this fixed quickly.
Comment 2 Christian Holler (:decoder) 2012-04-19 15:29:10 PDT
JSBugMon: The testcase found in this bug no longer reproduces (tried revision de015aff650d).
Comment 3 Christian Holler (:decoder) 2012-04-23 08:43:22 PDT
JSBugMon: This bug has been automatically confirmed to be still valid (reproduced on revision bc1833f2111e).
Comment 4 Nicolas B. Pierron [:nbp] 2012-04-26 11:48:18 PDT
Bug 749048 is fixing the way Iterators are found in the Snapshot, so you might want to import the other Bug patch for testing.
Comment 5 David Anderson [:dvander] 2012-05-15 14:16:29 PDT
Created attachment 624186
fix

Bleh, I didn't copy TryNoteIter carefully enough: try notes are relative to script->main and not script->code
Comment 6 Nicolas B. Pierron [:nbp] 2012-05-15 14:28:36 PDT
Comment on attachment 624186
fix

Review of attachment 624186:
-----------------------------------------------------------------

::: js/src/ion/IonFrames.cpp
@@ +334,5 @@
>  
>      JSTryNote *tn = script->trynotes()->vector;
>      JSTryNote *tnEnd = tn + script->trynotes()->length;
>  
> +    uint32 pcOffset = uint32(pc - script->main());
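
Review bot: at uint32 pcOffset = uint32(pc - script->main()), the pointer difference is cast straight to an unsigned type, so a pc that lies before script->main() would wrap to a very large offset instead of being rejected. Suggest asserting pc >= script->main() just before this line, and adding a one-line comment that try-note offsets are relative to main() rather than code, since that is the invariant the new variable depends on.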

Hum … Are we likely to have this kind of bug elsewhere, where we have to use main() instead of code?

::: js/src/jit-test/tests/ion/bug746370.js
@@ +3,5 @@
> +for (var i in o) {
> +    delete o.p;
> +}
> +for each (var i in a)
> +  assertEq(o.hasOwnProperty(i), true);
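
Review bot: the expected value in the last line, assertEq(o.hasOwnProperty(i), true), is a constant, but the loop just above deletes o.p, so the check cannot hold for every element if the array still contains 'p' as in the testcase from the description. Make the expected value depend on i, for example i != 'p', so the test passes on a correct build.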

This assert should raise, unless you delete every property, or you replace true by i == 'p'.
Comment 7 David Anderson [:dvander] 2012-05-15 15:14:25 PDT
> Hum … Are we likely to have this kind of bug elsewhere, where we have to
> use main() instead of code?

I can't think of any at the moment.

> This assert should raise, unless you delete every property, or you replace
> true by i == 'p'.

Thanks, I missed that.

http://hg.mozilla.org/projects/ionmonkey/rev/9407cd11d95d
Comment 8 Christian Holler (:decoder) 2013-01-14 08:23:19 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug746370.js.
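
The base-address mix-up described in comment 5, as an added example that is not part of the bug thread or the IonMonkey source: a toy bytecode layout showing how measuring try-note offsets from the start of the code instead of from main breaks both the note lookup and the ENDITER check from the assertion in the title. The opcode values and the names Script, codeStart, mainStart, findTryNote, noteEndsWithEndIter and makeSample are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy model, not SpiderMonkey code: opcode values and layout are constructed.
enum Op : uint8_t { OP_NOP, OP_PROLOGUE, OP_ITER, OP_MOREITER, OP_ENDITER };

struct TryNote { uint32_t start, length; };  // offsets measured from mainStart()

struct Script {
    std::vector<uint8_t> bytes;  // prologue bytes followed by the main body
    size_t prologueLength;
    std::vector<TryNote> notes;
    const uint8_t *codeStart() const { return bytes.data(); }
    const uint8_t *mainStart() const { return bytes.data() + prologueLength; }
};

// Index of the first try note covering pc, or -1. `base` is the address the
// caller believes note offsets are relative to; only mainStart() is correct.
int findTryNote(const Script &s, const uint8_t *pc, const uint8_t *base) {
    if (pc < base)
        return -1;  // avoid wrapping the unsigned offset for a prologue pc
    uint32_t pcOffset = uint32_t(pc - base);
    for (size_t i = 0; i < s.notes.size(); i++) {
        const TryNote &tn = s.notes[i];
        if (pcOffset >= tn.start && pcOffset < tn.start + tn.length)
            return int(i);
    }
    return -1;
}

// Invariant from the assertion in the bug title: the op right after the
// note's range is ENDITER. It only holds when read from the correct base.
bool noteEndsWithEndIter(const TryNote &tn, const uint8_t *base) {
    return base[tn.start + tn.length] == OP_ENDITER;
}

// Constructed sample: 3 prologue bytes, then ITER MOREITER NOP ENDITER NOP.
Script makeSample() {
    Script s;
    s.bytes = {OP_PROLOGUE, OP_PROLOGUE, OP_PROLOGUE,
               OP_ITER, OP_MOREITER, OP_NOP, OP_ENDITER, OP_NOP};
    s.prologueLength = 3;
    s.notes.push_back(TryNote{1, 2});  // main offsets 1..2; ENDITER at offset 3
    return s;
}
```

With a non-empty prologue, the code-relative lookup misses the note for a pc inside the loop and wrongly matches one for a pc in the prologue, which is why a script without prologue bytes would hide the mistake.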
