Firefox 125.0.1 (64-bit) "Arguments" array-like object have zero-length in generator function
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
Tracking | Status | |
---|---|---|
relnote-firefox | --- | 125+ |
firefox-esr115 | --- | unaffected |
firefox125 | --- | fixed |
firefox126 | --- | fixed |
firefox127 | --- | fixed |
People
(Reporter: pear.knockarounder, Assigned: mgaudet)
References
(Regression)
Details
(Keywords: regression, testcase)
Attachments
(1 file)
48 bytes, text/x-phabricator-request | dmeehan: approval-mozilla-beta+, RyanVM: approval-mozilla-release+
Steps to reproduce:
When creating a generator that takes several arguments in Firefox version 125.0.1 (64 bit), I encounter a problem: the arguments array-like object is always empty, even if arguments are passed to the generator, although in the previous version, for example 124.0.2, it contains the passed arguments.
I run the following code in the developer console:
```javascript
function* a(x, y, z) {
  console.debug("Arguments length:", arguments.length);
  yield x;
  yield y;
  yield z;
}
const x = a(3, 4, 5)
x.next()
```
Actual results:
Console output:
Arguments length: 0
Expected results:
Console output:
Arguments length: 3
This is how the code works in version 124.0.2
Comment 1•8 months ago
The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•8 months ago
```javascript
function* a(x, y, z) {
  if (arguments.length !== 3) {
    throw "Wrong output";
  }
  yield x;
  yield y;
  yield z;
}
const x = a(3, 4, 5);
x.next();
```
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/086ffc46a18e
user: Matthew Gaudet
date: Mon Mar 04 16:25:47 2024 +0000
summary: Bug 1825722 - Where possible avoid allocating arguments, and use JSOp::ArgumentsLength instead r=arai
I used this slightly-modified testcase. Matt, is bug 1825722 a likely regressor?
Comment 3•8 months ago (Assignee)
Yes, this certainly appears to be a regression here.
For Generator functions it appears that we don't set the argument count correctly:
```cpp
fp->initCallFrame(prev, prevpc, prevsp, *callee, script, argv, 0,  // <--- 0 is the arg Count
                  NO_CONSTRUCT);
```
(This also suggests that should we have ever used the ArgumentsLength intrinsic inside of a generator in self-hosted code we would have had a similar bug)
Comment 4•8 months ago (Assignee)
This could be potentially backed out if Bug 1892802 were fixed.
Comment 7•8 months ago
The patch landed in nightly and beta is affected.
:mgaudet, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox126 to wontfix.
For more information, please visit BugBot documentation.
Comment 8•8 months ago (Assignee)
Comment on attachment 9397951 [details]
Bug 1892699 - Disable arguments.length optimization in generators and async functions r?jandem
Beta/Release Uplift Approval Request
- User impact if declined: Correctness error when checking arguments.length (and not using arguments otherwise) inside of a generator or async function.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Disables broken optimization in limited circumstance.
- String changes made/needed:
- Is Android affected?: Yes
Comment 9•8 months ago
Comment on attachment 9397951 [details]
Bug 1892699 - Disable arguments.length optimization in generators and async functions r?jandem
Approved for 126.0b6
Comment 10•8 months ago
uplift
Comment 11•8 months ago
Comment on attachment 9397951 [details]
Bug 1892699 - Disable arguments.length optimization in generators and async functions r?jandem
Approved for 125.0.3
Comment 12•8 months ago
uplift
Comment 13•7 months ago
Added to the 125.0.3 relnotes.
Fixed a correctness error when checking arguments.length (and not using arguments otherwise) inside of a generator or async function
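An added example, not part of the bug report or of Mozilla's test suite: a regression probe for the pattern discussed in this thread, where a function body reads `arguments.length` and does not use `arguments` otherwise. It goes beyond the reported testcase by also covering async functions and async generators and by varying how many arguments are passed; `KINDS`, `CALLS` and `probeArgumentsLength` are names assumed for this example.

```javascript
// Added example (constructed for illustration); all names are hypothetical.
// "lengthOnly" bodies read nothing but arguments.length, the pattern from the
// report. "control" bodies also use the arguments object itself.
const KINDS = {
  generator: {
    lengthOnly: (out) => function* (x, y, z) { out.n = arguments.length; yield x; },
    control: (out) => function* (x, y, z) { out.n = Array.from(arguments).length; yield x; },
    start: (fn, args) => fn(...args).next(),
  },
  async: {
    lengthOnly: (out) => async function (x, y, z) { out.n = arguments.length; },
    control: (out) => async function (x, y, z) { out.n = Array.from(arguments).length; },
    start: (fn, args) => fn(...args),
  },
  asyncGenerator: {
    lengthOnly: (out) => async function* (x, y, z) { out.n = arguments.length; yield x; },
    control: (out) => async function* (x, y, z) { out.n = Array.from(arguments).length; yield x; },
    start: (fn, args) => fn(...args).next(),
  },
};

// Constructed argument lists of different sizes: arguments.length counts the
// values actually passed, not the three declared parameters.
const CALLS = [[], [3], [3, 4, 5], [3, 4, 5, 6, 7]];

function probeArgumentsLength() {
  const failures = [];
  for (const [kind, { lengthOnly, control, start }] of Object.entries(KINDS)) {
    for (const [variant, make] of [["lengthOnly", lengthOnly], ["control", control]]) {
      for (const args of CALLS) {
        const out = { n: undefined };
        // Each body runs synchronously up to its first yield or its end,
        // so out.n is already set when start() returns.
        start(make(out), args);
        if (out.n !== args.length) {
          failures.push({ kind, variant, passed: args.length, seen: out.n });
        }
      }
    }
  }
  return failures;
}

const failures = probeArgumentsLength();
console.log(failures.length === 0 ? "arguments.length OK" : failures);
```

Each entry in the returned array names the function kind, the variant, the number of arguments passed and the length the body observed, so a mismatch limited to the `lengthOnly` variant points at the length-only code path.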