Ignore crazy break-to-label edge cases (bug 684037, r=sstangl).
authorDavid Anderson <danderson@mozilla.com>
Fri, 02 Sep 2011 15:46:51 -0700
changeset 105227 834f8ff1748e1ec00c9006ac0c7ef3cb5f60e2de
parent 105226 eeb8be61e48bfdd6e9f86c968d1bc72c92043635
child 105228 c7199a1523c39a6e43b76cadcbd1be4f181b5543
push id14706
push usereakhgari@mozilla.com
push dateTue, 11 Sep 2012 20:39:52 +0000
treeherdermozilla-inbound@d50bf1edaabe [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssstangl
bugs684037
milestone9.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Ignore crazy break-to-label edge cases (bug 684037, r=sstangl).
js/src/ion/IonBuilder.cpp
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@@ -986,19 +986,37 @@ IonBuilder::processBreak(JSOp op, jssrcn
     for (size_t i = loops_.length() - 1; i < loops_.length(); i--) {
         CFGState &cfg = cfgStack_[loops_[i].cfgEntry];
         if (cfg.loop.exitpc == target) {
             found = &cfg;
             break;
         }
     }
 
+    if (!found) {
+        // Sometimes, we can't determine the structure of a labeled break. For
+        // example:
+        //
+        // 0:    label: {
+        // 1:        for (;;) {
+        // 2:            break label;
+        // 3:        }
+        // 4:        stuff;
+        // 5:    }
+        //
+        // In this case, the successor of the block is 4, but the target of the
+        // single-level break is actually 5. To recognize this case we'd need
+        // to know about the label structure at 0,5 ahead of time - and lacking
+        // those source notes for now, we just abort instead.
+        abort("could not find the target of a break");
+        return ControlStatus_Error;
+    }
+
     // There must always be a valid target loop structure. If not, there's
     // probably an off-by-something error in which pc we track.
-    JS_ASSERT(found);
     CFGState &state = *found;
 
     state.loop.breaks = new DeferredEdge(current, state.loop.breaks);
 
     current = NULL;
     pc += js_CodeSpec[op].length;
     return processControlEnd();
 }