Closed
Bug 937089
Opened 11 years ago
Closed 10 years ago
Assertion failure: !val.isMagic(), at jsobj.cpp:5358
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla29
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(Keywords: assertion, testcase)
Attachments
(2 files, 1 obsolete file)
2.00 KB, patch | luke: review+
485 bytes, text/plain
The following testcase asserts on mozilla-central revision bc8c1eb0f2ba (run with --fuzzing-safe):

    function test() {
      eval("with (arguments) var arguments = 0;");
    }
    test();
Reporter
Comment 1•11 years ago
Comment 2•10 years ago
Direct eval correctly marks the enclosing function 'test' as requiring an arguments object. The 'arguments; setaliased; pop' bytecode sequence is emitted in the prolog as expected.

However, at runtime, when we execute that bytecode, we nonetheless store MagicValue(JS_OPTIMIZED_ARGUMENTS) in the Call object, I think because of this in ScriptAnalysis::needsArgsObj():

    /* ...
     * New accesses on 'arguments' can occur through 'eval' or the debugger
     * statement. In the former case, we will dynamically detect the use and
     * mark the arguments optimization as having failed.
     */
    if (script_->bindingsAccessedDynamically)
        return false;

The comment there seems all right. But then we get into the eval code and the magic value is still there. The direct eval code is sensible:

    00000:  defvar "arguments"
    main:
    00005:  name "arguments"
    00010:  enterwith
    ...

During JSOP_NAME, with the stack Interpret -> NameOperation -> FetchNameNoGC we fetch MagicValue(JS_OPTIMIZED_ARGUMENTS) out of slot 2 of the Call object. During JSOP_ENTERWITH, we assert.

Somewhere we should have been able to "dynamically detect the use", but we didn't.
Comment 3•10 years ago
I think the deoptimization is supposed to happen when compiling the eval, when 'arguments' is encountered. IIRC, this was part of the optimization in bug 842522.
Comment 4•10 years ago
Yeah, bug 842522 introduced it. Brian, can you take this?
Flags: needinfo?(bhackett1024)
Assignee
Comment 5•10 years ago
We try to check for 'arguments' within an eval script by looking at its free variables. Unfortunately, free variables aren't computed correctly for |with| statements and we need to do a stupid workaround. That workaround didn't work when the |with| was within the eval itself (only when the with was within the function itself, where we hit the same issues).
Assignee: general → bhackett1024
Attachment #8348332 - Flags: review?(luke)
Flags: needinfo?(bhackett1024)
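As an added illustration (not part of the bug thread or of the SpiderMonkey test suite), here is a regression-style check covering the reporter's testcase and the two |with| placements comment 5 distinguishes. The case names and the helpers `classify`, `runCase` and `runAll` are hypothetical, and the call arguments (1, 2) are constructed sample input.

```javascript
// Added example, not from the bug or the SpiderMonkey tree. Helper and case
// names are hypothetical. Each body is compiled with the Function constructor
// so it is sloppy-mode code (|with| is rejected in strict mode and modules).
const CASES = {
  // The reporter's testcase, returning the binding after the eval ran.
  withInsideEval:
    'eval("with (arguments) var arguments = 0;"); return arguments;',
  // |with| in the function itself, 'arguments' named only inside the eval.
  withInsideFunction:
    'var r; with ({}) { r = eval("arguments"); } return r;',
  // |with| inside the eval, reading a property off the arguments object.
  withReadsArguments:
    'return eval("var r; with (arguments) r = length; r");',
};

// Reduce a result to a comparable string. Script must only ever observe
// ordinary values here; an engine-internal placeholder leaking out would
// show up as a crash, an exception or an unexpected classification.
function classify(value) {
  const tag = Object.prototype.toString.call(value);
  if (tag === "[object Arguments]") {
    return "arguments:" + Array.prototype.join.call(value, ",");
  }
  return typeof value + ":" + String(value);
}

// Run one case with constructed sample arguments (1, 2).
function runCase(name) {
  const fn = new Function(CASES[name]);
  try {
    return classify(fn(1, 2));
  } catch (e) {
    return "threw:" + e.name;
  }
}

// Run every case and collect the classifications by case name.
function runAll() {
  const out = {};
  for (const name of Object.keys(CASES)) out[name] = runCase(name);
  return out;
}
```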
Updated•10 years ago
Attachment #8348332 - Flags: review?(luke) → review+
Assignee
Comment 6•10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/6a8bcdd35d1e
https://hg.mozilla.org/mozilla-central/rev/6a8bcdd35d1e
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Reporter
Updated•10 years ago
status-firefox27: --- → affected
status-firefox28: --- → affected
Reporter
Comment 9•10 years ago
Attachment #830136 - Attachment is obsolete: true
Reporter
Updated•10 years ago
Status: RESOLVED → VERIFIED
Reporter
Comment 11•10 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•10 years ago