Last Comment Bug 752205 - Assertion failure: v.toString()->isAtom(), at ../frontend/BytecodeEmitter.h:547
: Assertion failure: v.toString()->isAtom(), at ../frontend/BytecodeEmitter.h:547
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 All
-- critical (vote)
: mozilla15
Assigned To: Luke Wagner [:luke]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz langfuzz 749617
  Show dependency treegraph
Reported: 2012-05-05 05:48 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:33 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

fix and test (1.66 KB, patch)
2012-05-07 08:40 PDT, Luke Wagner [:luke]
n.nethercote: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2012-05-05 05:48:52 PDT
The following test asserts on mozilla-central revision 032d43b1770f (no options required):

for (d in [(1000), 0]) {
    const a = (d += (this).toString())
eval("switch(b) { case a: }");
Comment 1 User image Gary Kwong [:gkw] [:nth10sd] 2012-05-07 07:32:47 PDT
jsfunfuzz found this too - reproduced on 64-bit Mac OS X 10.7.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   92788:6dbb135d3f1f
user:        Luke Wagner
date:        Tue May 01 14:01:06 2012 -0700
summary:     Bug 749617 - rm XDRState::codeString (r=njn,a=not-libxul)
Comment 2 User image Luke Wagner [:luke] 2012-05-07 08:40:09 PDT
Created attachment 621617 [details] [diff] [review]
fix and test

Ah, const vars as case labels allow raw values hence non-atomized strings.

Thanks for the test case!
Comment 4 User image Ed Morley [:emorley] 2012-05-08 03:23:00 PDT
Comment 5 User image Christian Holler (:decoder) 2013-01-14 08:33:54 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug752205.js.

Note You need to log in before you can comment on or make changes to this bug.