Bug 779850 - Assertion failure: pc[-2] == JSOP_ITER, at jsopcode.cpp:3820
Status: RESOLVED FIXED (Closed)
Opened 13 years ago
Closed 13 years ago
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla17
People: Reporter: decoder, Assigned: jimb
Keywords: assertion, regression, testcase
Whiteboard: [fuzzblocker]
Attachments: 1 obsolete file

Description
The following test asserts on mozilla-central revision 074fb996dfd7 (no options required):
(function() {
for each(let Math in []) {}
}).floor(2147483649)
Comment 1•13 years ago
jsfunfuzz hits this very often too.
Comment 2•13 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 101170:88798c5eafa9
parent: 101160:a91040f69ea3
user: Jason Orendorff
date: Fri Sep 02 16:52:13 2011 -0500
summary: Bug 677957 - Fix peculiarly dynamically-nested for-in loops. ("Assertion failure: !cx->iterValue.isMagic(JS_NO_ITER_VALUE), at jsiter.cpp:1017") r=dvander.
Blocks: 677957
Comment 3•13 years ago (Assignee)
The problem here is that there can be an intervening JSOP_ENTERLET between the JSOP_ITER and the JSOP_GOTO. (Similarly, there can be a JSOP_LEAVEFORLETIN between the JSOP_IF* and the JSOP_ENDITER.)
(That assert is kind of strange --- it could fail to trigger if JSOP_GOTO were preceded by a single-byte opcode, and that was preceded by a multi-byte opcode whose last operand byte happened to be equal to JSOP_ITER. But that's a false negative, and unlikely, so it's fine.)
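The two failure modes Comment 3 describes (the assertion firing spuriously when a JSOP_ENTERLET sits between JSOP_ITER and JSOP_GOTO, and the rarer false negative when an operand byte of an earlier multi-byte instruction happens to equal JSOP_ITER) come from peeking backwards by a fixed offset into a variable-length bytecode stream. The following is an added illustration, not code from this bug or from SpiderMonkey: it models a tiny instruction set with made-up opcode numbers and lengths (OP, LENGTH, naiveIterCheck, walkedIterCheck are all hypothetical names), runs the `pc[-2]` style check against three constructed byte streams, and compares it with a check that decodes the stream from the start using each instruction's length.

```javascript
// Added demo of why a fixed backward peek like `pc[-2] == JSOP_ITER` is fragile
// in a variable-length bytecode stream. Opcode numbers and lengths are made up
// for this illustration; they are NOT SpiderMonkey's real opcode table.

const OP = Object.freeze({
  ITER: 0x10,       // 2 bytes: opcode + flags byte
  ENTERLET1: 0x20,  // 3 bytes: opcode + 16-bit block index
  GOTO: 0x30,       // 3 bytes: opcode + 16-bit jump offset
  POP: 0x40,        // 1 byte
  PUSHINT16: 0x50,  // 3 bytes: opcode + 16-bit immediate
});

const LENGTH = Object.freeze({
  [OP.ITER]: 2,
  [OP.ENTERLET1]: 3,
  [OP.GOTO]: 3,
  [OP.POP]: 1,
  [OP.PUSHINT16]: 3,
});

// The check in the shape the assertion used: look two bytes behind the GOTO
// and hope that byte is the ITER opcode.
function naiveIterCheck(code, gotoPc) {
  return code[gotoPc - 2] === OP.ITER;
}

// Decode the stream from pc 0 and return the pc of every instruction start.
// Only instruction-start bytes are interpreted as opcodes, so operand bytes
// can never be mistaken for one.
function instructionStarts(code) {
  const starts = [];
  for (let pc = 0; pc < code.length; ) {
    const len = LENGTH[code[pc]];
    if (len === undefined) {
      throw new Error(`unknown opcode 0x${code[pc].toString(16)} at pc ${pc}`);
    }
    starts.push(pc);
    pc += len;
  }
  return starts;
}

// Walk-based check: the instruction before the GOTO must be ITER, optionally
// with a single ENTERLET1 in between (the pattern Comment 3 describes).
function walkedIterCheck(code, gotoPc) {
  const starts = instructionStarts(code);
  let i = starts.indexOf(gotoPc);
  if (i < 0 || code[gotoPc] !== OP.GOTO) return false;
  if (i >= 1 && code[starts[i - 1]] === OP.ENTERLET1) i -= 1;
  return i >= 1 && code[starts[i - 1]] === OP.ITER;
}

function compareChecks(code, gotoPc) {
  return { naive: naiveIterCheck(code, gotoPc), walked: walkedIterCheck(code, gotoPc) };
}

// Constructed byte streams (not taken from any real script):
// ITER; GOTO                      -> both checks agree (true)
const PLAIN = [OP.ITER, 0x01, OP.GOTO, 0x00, 0x05];
// ITER; ENTERLET1; GOTO           -> naive check fails (this bug), walk passes
const WITH_LET = [OP.ITER, 0x01, OP.ENTERLET1, 0x00, 0x00, OP.GOTO, 0x00, 0x05];
// PUSHINT16 0x0010; POP; GOTO     -> operand byte 0x10 == ITER fools the naive
//                                     check (the false negative), walk rejects
const FOOLED = [OP.PUSHINT16, 0x00, OP.ITER, OP.POP, OP.GOTO, 0x00, 0x05];

const CASES = [
  ['ITER; GOTO', PLAIN, 2],
  ['ITER; ENTERLET1; GOTO', WITH_LET, 5],
  ['PUSHINT16 (operand byte == ITER); POP; GOTO', FOOLED, 4],
];

for (const [name, code, gotoPc] of CASES) {
  const r = compareChecks(code, gotoPc);
  console.log(`${name}: naive=${r.naive} walked=${r.walked}`);
}
```

The walk is only safe because it starts from a known instruction boundary (pc 0 here); resynchronising by scanning backwards from an arbitrary pc is exactly the problem the original peek had.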
Updated•13 years ago (Assignee)
Assignee: general → jimb
Comment 4•13 years ago (Assignee)
Comment 5•13 years ago (Assignee)
Status: NEW → ASSIGNED
Flags: in-testsuite+
Target Milestone: --- → mozilla17
Comment 6•13 years ago
Likely fixed by bug 767274.
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: 101243:7852a8f73313
user: Benjamin Peterson
date: Thu Aug 02 09:20:08 2012 -0700
summary: Bug 767274: New expression decompiler. r=luke
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment 7•13 years ago
Comment on attachment 648431: Disassembler should permit JSOP_ENTERLET1 between JSOP_ITER and JSOP_GOTO
Would this patch still be needed?
(if not, it should probably be obsoleted)
Updated•13 years ago (Assignee)
Attachment #648431 -
Attachment is obsolete: true
Comment 8•13 years ago (Reporter)
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+