The URL http://vitillo.github.io/chess/ makes firefox crash with the following stacktrace (mesa 9.1.2):


#0  0x00007ffff6e2b1c9 in raise () from /usr/lib/libc.so.6
#1  0x00007ffff6e2c5c8 in abort () from /usr/lib/libc.so.6
#2  0x00007ffff6e24356 in __assert_fail_base () from /usr/lib/libc.so.6
#3  0x00007ffff6e24402 in __assert_fail () from /usr/lib/libc.so.6
#4  0x00007fffb57a5281 in is_loop_terminator (ir=0x7fffb9d184a0) at ../../../src/glsl/loop_analysis.cpp:506
#5  0x00007fffb57a4b7f in loop_analysis::visit_leave (this=0x7fffffff9d00, ir=0x7fffb9d18410)
    at ../../../src/glsl/loop_analysis.cpp:247
#6  0x00007fffb578f896 in ir_loop::accept (this=0x7fffb9d18410, v=0x7fffffff9d00)
    at ../../../src/glsl/ir_hv_accept.cpp:114
#7  0x00007fffb578f66b in visit_list_elements (v=0x7fffffff9d00, l=0x7fffb9dd4998, statement_list=true)
    at ../../../src/glsl/ir_hv_accept.cpp:56
#8  0x00007fffb578f957 in ir_function_signature::accept (this=0x7fffb9dd4950, v=0x7fffffff9d00)
    at ../../../src/glsl/ir_hv_accept.cpp:136
#9  0x00007fffb578f66b in visit_list_elements (v=0x7fffffff9d00, l=0x7fffc08d9228, statement_list=false)
    at ../../../src/glsl/ir_hv_accept.cpp:56
#10 0x00007fffb578f9eb in ir_function::accept (this=0x7fffc08d9200, v=0x7fffffff9d00)
    at ../../../src/glsl/ir_hv_accept.cpp:148
#11 0x00007fffb578f66b in visit_list_elements (v=0x7fffffff9d00, l=0x7fffb9d5fd10, statement_list=true)
    at ../../../src/glsl/ir_hv_accept.cpp:56
#12 0x00007fffb578f58c in ir_hierarchical_visitor::run (this=0x7fffffff9d00, instructions=0x7fffb9d5fd10)
    at ../../../src/glsl/ir_hierarchical_visitor.cpp:291
#13 0x00007fffb57a5303 in analyze_loop_variables (instructions=0x7fffb9d5fd10)
    at ../../../src/glsl/loop_analysis.cpp:525
#14 0x00007fffb577bb11 in do_common_optimization (ir=0x7fffb9d5fd10, linked=true, uniform_locations_assigned=true, 
    max_unroll_iterations=32, options=0x7fffb9da1ecc) at ../../../src/glsl/glsl_parser_extras.cpp:1254
#15 0x00007fffb5c73591 in brw_link_shader (ctx=0x7fffb9d8d030, shProg=0x7fffd2443c30) at brw_shader.cpp:214
#16 0x00007fffb57ed5fb in _mesa_glsl_link_shader (ctx=0x7fffb9d8d030, prog=0x7fffd2443c30)
    at ../../../src/mesa/program/ir_to_mesa.cpp:3214
#17 0x00007fffb561b959 in link_program (ctx=0x7fffb9d8d030, program=16) at ../../../src/mesa/main/shaderapi.c:784
#18 0x00007fffb561caec in _mesa_LinkProgram (programObj=16) at ../../../src/mesa/main/shaderapi.c:1280
#19 0x00007fffe7d18102 in shared_dispatch_stub_509 (program=16)
    at ../../../src/mapi/shared-glapi/glapi_mapi_tmp.h:16437
#20 0x00007ffff2712a68 in fLinkProgram (program=16, this=0x7fffcb37e000) at ../../../dist/include/GLContext.h:2091
#21 mozilla::WebGLContext::LinkProgram (this=this@entry=0x7fffb9ad3000, program=0x7fffb9d4df20)
    at /home/vitillo/sandbox/mozilla/content/canvas/src/WebGLContextGL.cpp:3068


Looking at the code it seems that given an if statement with a single branch that contains only an assignment to a variable that is not used anywhere else, opt_dead_code.cpp:do_dead_code removes that assignment leaving an empty if statement. The empty if statement is not immediately removed afterwards since do_if_simplification is called only before the dead code removal in glsl_parser_extras.cpp:do_common_optimization. Successively, when loop_analysis.cpp:is_loop_terminator is invoked, the assert on line 506 fails.  Since the assert doesn't seem to be necessarily true, removing it fixes the issue.

diff --git a/src/glsl/loop_analysis.cpp b/src/glsl/loop_analysis.cpp
index 191e92d..88e6e35 100644
--- a/src/glsl/loop_analysis.cpp
+++ b/src/glsl/loop_analysis.cpp
@@ -503,7 +503,9 @@ is_loop_terminator(ir_if *ir)
 
    ir_instruction *const inst =
       (ir_instruction *) ir->then_instructions.get_head();
-   assert(inst != NULL);
+
+   if(inst == NULL)
+      return false;
 
    if (inst->ir_type != ir_type_loop_jump)
       return false;