Bug 779850 - Assertion failure: pc[-2] == JSOP_ITER, at jsopcode.cpp:3820
Status: RESOLVED FIXED
Whiteboard: [fuzzblocker]
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Priority: --
Severity: critical
Target Milestone: mozilla17
Assigned To: Jim Blandy :jimb
QA Contact: general
Blocks: jsfunfuzz langfuzz 677957
Reported: 2012-08-02 07:53 PDT by Christian Holler (:decoder)
Modified: 2013-01-19 14:34 PST
Flags: choller: in-testsuite+

Attachments
Disassembler should permit JSOP_ENTERLET1 between JSOP_ITER and JSOP_GOTO (2.15 KB, patch) - 2012-08-02 12:21 PDT, Jim Blandy :jimb

Description Christian Holler (:decoder) 2012-08-02 07:53:06 PDT
The following test asserts on mozilla-central revision 074fb996dfd7 (no options required):
(function() {
    for each(let Math in []) {}
}).floor(2147483649)
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-08-02 10:09:01 PDT
jsfunfuzz hits this very often too.
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-08-02 10:19:30 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   101170:88798c5eafa9
parent:      101160:a91040f69ea3
user:        Jason Orendorff
date:        Fri Sep 02 16:52:13 2011 -0500
summary:     Bug 677957 - Fix peculiarly dynamically-nested for-in loops. ("Assertion failure: !cx->iterValue.isMagic(JS_NO_ITER_VALUE), at jsiter.cpp:1017") r=dvander.
Comment 3 Jim Blandy :jimb 2012-08-02 12:00:23 PDT
The problem here is that there can be an intervening JSOP_ENTERLET between the JSOP_ITER and the JSOP_GOTO. (Similarly, there can be a JSOP_LEAVEFORLETIN between the JSOP_IF* and the JSOP_ENDITER.)

(That assert is kind of strange --- it could fail to trigger if JSOP_GOTO were preceded by a single-byte opcode, and that was preceded by a multi-byte opcode whose last operand byte happened to be equal to JSOP_ITER. But that's a false negative, and unlikely, so it's fine.)
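The two failure modes described in the comment above (the assert firing on valid bytecode once an ENTERLET1 sits between ITER and GOTO, and the assert staying silent when an operand byte happens to equal the ITER opcode) are easiest to see side by side. The following is an added example, not SpiderMonkey code: it uses a hypothetical toy instruction set whose opcode values and instruction lengths are made up for illustration, and contrasts the peek-back check `pc[-2] == ITER` with a forward decode that classifies every byte as opcode or operand before asking what precedes the GOTO.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Hypothetical toy opcodes. Values and operand sizes are assumptions for this
// example and do not correspond to SpiderMonkey's real JSOP_* numbering.
enum Op : uint8_t {
    OP_ITER      = 0x10, // opcode + 1-byte flags         (2 bytes, like JSOP_ITER)
    OP_ENTERLET1 = 0x11, // opcode + 2-byte object index  (3 bytes)
    OP_GOTO      = 0x12, // opcode + 2-byte jump offset   (3 bytes)
    OP_PUSHINT8  = 0x13, // opcode + 1-byte immediate     (2 bytes)
    OP_NOP       = 0x14, // no operand                    (1 byte)
};

// Length in bytes of the instruction starting with opcode `op`.
size_t opLength(uint8_t op) {
    switch (op) {
    case OP_ITER:      return 2;
    case OP_ENTERLET1: return 3;
    case OP_GOTO:      return 3;
    case OP_PUSHINT8:  return 2;
    case OP_NOP:       return 1;
    default: throw std::invalid_argument("unknown opcode");
    }
}

// The fragile check from the bug: peek two bytes back from the GOTO and hope
// that byte is the opcode of a two-byte ITER. Mirrors `pc[-2] == JSOP_ITER`.
bool peekBackIsIter(const std::vector<uint8_t>& code, size_t pc) {
    return pc >= 2 && code[pc - 2] == OP_ITER;
}

// The robust check: decode forward from offset 0 so each byte is known to be
// an opcode or an operand, then inspect the last one or two *instructions*
// before pc. An intervening ENTERLET1 is permitted, as the attached patch does.
bool gotoFollowsIter(const std::vector<uint8_t>& code, size_t pc) {
    int prev = -1, prev2 = -1; // opcodes of the last two decoded instructions
    size_t cur = 0;
    while (cur < pc) {
        prev2 = prev;
        prev = code[cur];
        cur += opLength(code[cur]);
    }
    if (cur != pc || pc >= code.size() || code[pc] != OP_GOTO)
        return false;                    // pc must land exactly on a GOTO
    if (prev == OP_ITER) return true;    // ITER, GOTO
    return prev == OP_ENTERLET1 && prev2 == OP_ITER; // ITER, ENTERLET1, GOTO
}

// Constructed sample bytecode streams. GOTO begins at the offset noted.
std::vector<uint8_t> sampleIterGoto() {            // GOTO at 2
    return {OP_ITER, 0x00, OP_GOTO, 0x00, 0x00};
}
std::vector<uint8_t> sampleIterEnterLetGoto() {    // GOTO at 5 (the bug's shape)
    return {OP_ITER, 0x00, OP_ENTERLET1, 0x00, 0x00, OP_GOTO, 0x00, 0x00};
}
std::vector<uint8_t> sampleOperandLooksLikeIter() { // GOTO at 3, no ITER at all
    return {OP_PUSHINT8, OP_ITER, OP_NOP, OP_GOTO, 0x00, 0x00};
}

int main() {
    struct Case { const char* name; std::vector<uint8_t> code; size_t pc; };
    const Case cases[] = {
        {"ITER GOTO",                 sampleIterGoto(),             2},
        {"ITER ENTERLET1 GOTO",       sampleIterEnterLetGoto(),     5},
        {"PUSHINT8(0x10) NOP GOTO",   sampleOperandLooksLikeIter(), 3},
    };
    for (const Case& c : cases) {
        std::printf("%-26s peek-back=%d forward-decode=%d\n", c.name,
                    (int)peekBackIsIter(c.code, c.pc),
                    (int)gotoFollowsIter(c.code, c.pc));
    }
    return 0;
}
```

The second stream is the shape the reporter's testcase produces: the byte at pc-2 is an operand of ENTERLET1, so the peek-back check fails on perfectly valid bytecode. The third stream is the unlikely case from the comment: a one-byte instruction preceded by a two-byte instruction whose operand equals the ITER opcode value satisfies pc[-2] == ITER even though no ITER exists. Forward decoding gets both right because it never mistakes an operand byte for an opcode.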
Comment 4 Jim Blandy :jimb 2012-08-02 12:21:32 PDT
Created attachment 648431 [details] [diff] [review]
Disassembler should permit JSOP_ENTERLET1 between JSOP_ITER and JSOP_GOTO
Comment 5 Jim Blandy :jimb 2012-08-02 12:22:31 PDT
Try: https://tbpl.mozilla.org/?tree=Try&rev=9813210c428b
Comment 6 Gary Kwong [:gkw] [:nth10sd] 2012-08-10 00:29:07 PDT
Likely fixed by bug 767274.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   101243:7852a8f73313
user:        Benjamin Peterson
date:        Thu Aug 02 09:20:08 2012 -0700
summary:     Bug 767274: New expression decompiler. r=luke
Comment 7 Gary Kwong [:gkw] [:nth10sd] 2012-08-10 00:30:13 PDT
Comment on attachment 648431 [details] [diff] [review]
Disassembler should permit JSOP_ENTERLET1 between JSOP_ITER and JSOP_GOTO

Would this patch still be needed?

(if not, it should probably be obsoleted)
Comment 8 Christian Holler (:decoder) 2013-01-19 14:34:36 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
