Closed Bug 885219 Opened 11 years ago Closed 11 years ago

Assertion failure: !exprBody, at jsfun.cpp

Categories: Core :: JavaScript Engine, defect
Platform: x86_64, macOS
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla25
Tracking Status: firefox24 --- affected

People: Reporter: gkw, Assigned: jorendorff
Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments: 4 files

Attached file stack
disassemble("-r", Function("()=>e,d"))

This asserts the js debug shell on m-c changeset 8ea92aeab783, without any CLI arguments, at: Assertion failure: !exprBody, at jsfun.cpp
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/bf3ce88c6ea3
user:        Jason Orendorff
date:        Sun Mar 17 20:42:36 2013 -0700
summary:     Bug 846406 - Implement arrow functions. r=bhackett. Changes to Y.js r=brendan.

This iteration took 11.746 seconds to run.
jorendorff, is bug 846406 a possible regressor?
Blocks: 846406
Flags: needinfo?(jorendorff)
Yes.
Assignee: general → jorendorff
Flags: needinfo?(jorendorff)
Attached patch v1 (Splinter Review)
This is a cute bug.

disassemble() is special because it calls FunctionToString on the function ()=>e, nested within the other function. I don't think anything else can get a reference to that nested function to stringify it.

FunctionToString contains some code that determines whether the function being stringified was created with the Function() constructor, and that code was correct pre-arrows. Arrows broke it. The fuzzer found the amazingly specific bug.
Attachment #765474 - Flags: review?(ejpbruel)
Eddy, Jim, is it important to get this into FF24? The new Debugger.Source stuff never calls FunctionToString, does it?
No, we only ask for substrings of the ScriptSource object directly; we don't deal with functions much.
Comment on attachment 765474 [details] [diff] [review]
v1

Review of attachment 765474 [details] [diff] [review]:
-----------------------------------------------------------------

Stealing

::: js/src/jsfun.cpp
@@ +632,4 @@
>          // The source data for functions created by calling the Function
> +        // constructor is only the function's body.  This depends on the fact,
> +        // asserted below, that in Function("function x() {}"), the inner
> +        // function's sourceStart points to the '(', not the 'f'.
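Review bot: the new comment documents only the Function() constructor case and says nothing about arrow functions, which are the case this patch exists to fix: an arrow such as ()=>e in the reported testcase also begins with '(', which is exactly how the pre-arrows check was fooled. Add a sentence stating how a nested arrow function is told apart from a Function()-constructed body, so the next reader of this heuristic does not reintroduce the same confusion.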

Nit: s/f/x/ here, or s/x/f/ above
Attachment #765474 - Flags: review?(ejpbruel) → review+
https://hg.mozilla.org/mozilla-central/rev/bcc823a6bca8
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Christian, this isn't still happening, is it?

We're not going to backport this fix unless it would help you.
(In reply to Jason Orendorff [:jorendorff] from comment #12)
> Christian, this isn't still happening, is it?

Just on beta :)

> We're not going to backport this fix unless it would help you.

No, that's fine. I am just marking this as "affected" on beta and attaching a signature, so the fuzzer knows that this bug still affects beta and can be ignored.