Assertion failure: pc[-2] == JSOP_ITER, at jsopcode.cpp:3820

RESOLVED FIXED in mozilla17

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical
Reporter: decoder
Assignee: jimb
Blocks: 2 bugs
Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla17
Bug Flags: in-testsuite +
Whiteboard: [fuzzblocker]
Attachments: 1 obsolete attachment

(Reporter)

Description

5 years ago
The following test asserts on mozilla-central revision 074fb996dfd7 (no options required):


(function() {
    for each(let Math in []) {}
}).floor(2147483649)
jsfunfuzz hits this very often too.
Blocks: 349611
Keywords: regression
OS: Linux → All
Hardware: x86 → All
Whiteboard: [fuzzblocker]
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   101170:88798c5eafa9
parent:      101160:a91040f69ea3
user:        Jason Orendorff
date:        Fri Sep 02 16:52:13 2011 -0500
summary:     Bug 677957 - Fix peculiarly dynamically-nested for-in loops. ("Assertion failure: !cx->iterValue.isMagic(JS_NO_ITER_VALUE), at jsiter.cpp:1017") r=dvander.
Blocks: 677957
(Assignee)

Comment 3

5 years ago
The problem here is that there can be an intervening JSOP_ENTERLET between the JSOP_ITER and the JSOP_GOTO. (Similarly, there can be a JSOP_LEAVEFORLETIN between the JSOP_IF* and the JSOP_ENDITER.)

(That assert is kind of strange --- it could fail to trigger if JSOP_GOTO were preceded by a single-byte opcode, and that was preceded by a multi-byte opcode whose last operand byte happened to be equal to JSOP_ITER. But that's a false negative, and unlikely, so it's fine.)
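A toy model of the opcode check discussed in this comment, added here as an example and not code from the SpiderMonkey tree: the opcode values and instruction widths are constructed, not the real JSOP_* encoding. It contrasts the raw `pc[-2]` byte check with a decoding-aware check that tolerates one ENTERLET1 between ITER and GOTO, and reproduces the false negative described above (a multi-byte opcode whose operand byte happens to equal the ITER opcode).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed toy opcode set; values and lengths are hypothetical, not
 * SpiderMonkey's real JSOP_* encoding. ITER is 2 bytes wide so that an
 * ITER directly before GOTO sits at pc[-2], as in the page's assertion. */
enum { OP_NOP = 0x01, OP_ITER = 0x10, OP_ENTERLET1 = 0x20, OP_GOTO = 0x30, OP_PUSHINT = 0x50 };

/* Total instruction width in bytes, operands included. */
static size_t op_len(uint8_t op) {
    switch (op) {
    case OP_ITER:      return 2; /* opcode + flags byte */
    case OP_ENTERLET1: return 3; /* opcode + 2-byte block index */
    case OP_GOTO:      return 3; /* opcode + 2-byte jump offset */
    case OP_PUSHINT:   return 2; /* opcode + 1-byte immediate */
    default:           return 1;
    }
}

/* Decode forward from the script start and return the offset of the
 * instruction that ends exactly at `end`, or SIZE_MAX if none does. */
static size_t instr_before(const uint8_t *code, size_t end) {
    size_t off = 0, prev = SIZE_MAX;
    while (off < end) { prev = off; off += op_len(code[off]); }
    return off == end ? prev : SIZE_MAX;
}

/* The assertion as written on the page: peek two raw bytes back. */
bool naive_check(const uint8_t *code, size_t goto_off) {
    return goto_off >= 2 && code[goto_off - 2] == OP_ITER;
}

/* Decoding-aware check that also permits one ENTERLET1 between ITER and
 * GOTO, which is what the attachment title in comment 4 asks for. */
bool decoded_check(const uint8_t *code, size_t goto_off) {
    size_t p = instr_before(code, goto_off);
    if (p == SIZE_MAX) return false;
    if (code[p] == OP_ITER) return true;
    if (code[p] != OP_ENTERLET1) return false;
    size_t q = instr_before(code, p);
    return q != SIZE_MAX && code[q] == OP_ITER;
}

/* Constructed bytecode samples; the GOTO starts at the offset noted. */
const uint8_t PLAIN_LOOP[] = { OP_ITER, 0, OP_GOTO, 0, 0 };                     /* GOTO at 2 */
const uint8_t LET_LOOP[]   = { OP_ITER, 0, OP_ENTERLET1, 0, 0, OP_GOTO, 0, 0 }; /* GOTO at 5 */
const uint8_t FALSE_NEG[]  = { OP_PUSHINT, OP_ITER, OP_NOP, OP_GOTO, 0, 0 };    /* GOTO at 3 */
```

On LET_LOOP the raw byte check fails (the assertion on the page fires) while the decoding-aware check passes; on FALSE_NEG the raw check is fooled by the operand byte and passes although no ITER precedes the GOTO.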
(Assignee)

Updated

5 years ago
Assignee: general → jimb
(Assignee)

Comment 4

5 years ago
Created attachment 648431 [details] [diff] [review]
Disassembler should permit JSOP_ENTERLET1 between JSOP_ITER and JSOP_GOTO
(Assignee)

Comment 5

5 years ago
Try: https://tbpl.mozilla.org/?tree=Try&rev=9813210c428b
Status: NEW → ASSIGNED
Flags: in-testsuite+
Target Milestone: --- → mozilla17
Likely fixed by bug 767274.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   101243:7852a8f73313
user:        Benjamin Peterson
date:        Thu Aug 02 09:20:08 2012 -0700
summary:     Bug 767274: New expression decompiler. r=luke
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment on attachment 648431 [details] [diff] [review]
Disassembler should permit JSOP_ENTERLET1 between JSOP_ITER and JSOP_GOTO

Would this patch still be needed?

(if not, it should probably be obsoleted)
(Assignee)

Updated

5 years ago
Attachment #648431 - Attachment is obsolete: true
(Reporter)

Comment 8

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+