Closed
Bug 356250
Opened 18 years ago
Closed 18 years ago
"Assertion failure: !fp->fun || !(fp->fun->flags & JSFUN_HEAVYWEIGHT) || fp->callobj"
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: jruderman, Assigned: brendan)
References
Details
(4 keywords)
Attachments
(1 file, 3 obsolete files)
4.24 KB,
patch
|
mrbkap
:
review+
dveditz
:
approval1.8.1.1+
|
Details | Diff | Splinter Review |
js> (function() { eval("function() { }"); })() Assertion failure: !fp->fun || !(fp->fun->flags & JSFUN_HEAVYWEIGHT) || fp->callobj, at jsinterp.c:480 Seems harmless in opt. Usually bites the fuzzer within 2 iterations if I use it in debug. The assertion was added in bug 352797.
Assignee | ||
Comment 1•18 years ago
|
||
This isn't just a bogus assertion. Rather, for just about ever, eval has not had its frame's callobj (or argsobj) member forwarded from its callers. But eval runs with dynamic scope, so it should. This didn't matter because varobj was forwarded correctly, but for the assertion, and for greater consistency indicated by the terms in the assertion (no function or not heavyweight or callobj), we want a fix like this one. /be
Reporter | ||
Comment 2•18 years ago
|
||
With the patch: js> new Function("<x/>.('fafafa'.replace(/a/g, eval))")() Assertion failure: fp->scopeChain == parent, at jsfun.c:614
Reporter | ||
Comment 3•18 years ago
|
||
js> let(a) ((function() { let(b) (function(){ }); })()); Assertion failure: OBJ_GET_CLASS(cx, fp->scopeChain) != &js_BlockClass, at jsinterp.c:491
Assignee | ||
Comment 4•18 years ago
|
||
Thanks Jesse -- toldya it needed testing :-). /be
Attachment #242003 -
Attachment is obsolete: true
Attachment #242035 -
Flags: review?(mrbkap)
Attachment #242003 -
Flags: review?(mrbkap)
Assignee | ||
Comment 5•18 years ago
|
||
Attachment #242035 -
Attachment is obsolete: true
Attachment #242036 -
Flags: review?(mrbkap)
Attachment #242035 -
Flags: review?(mrbkap)
Assignee | ||
Comment 6•18 years ago
|
||
We do not want to force a Call object in js_GetScopeChain, because doing so would deoptimize function outer() {function inner(a, b){/*only a, b, arguments used*/} ...} so that outer would get a Call object, even though inner does not use non-local names. Instead, we must either js_GetCallObject before js_GetScopeChain explicitly (as the jsdbgapi.c code does, via JS_GetFrameScopeChain) or implicitly (the parser arranging to set JSFUN_HEAVYWEIGHT, see jsparse.c). /be
Attachment #242036 -
Attachment is obsolete: true
Attachment #242038 -
Flags: review?(mrbkap)
Attachment #242036 -
Flags: review?(mrbkap)
Assignee | ||
Updated•18 years ago
|
Assignee | ||
Comment 7•18 years ago
|
||
(In reply to comment #6) > Created an attachment (id=242038) [edit] > better fix > > We do not want to force a Call object in js_GetScopeChain, because doing so > would deoptimize function outer() {function inner(a, b){/*only a, b, arguments > used*/} ...} so that outer would get a Call object, even though inner does not > use non-local names. Correction: the deoptimization if js_GetScopeChain were to force a Call object to reflect the frame immediately would hit named and anonymous function expressions: function outer() { var inner = function (a, b) {/*only a, b, arguments*/} /* use inner here... */ } Such lambdas *do* need to capture their lexical scope at runtime if enclosed in blocks, even if they don't use outer names, in case they contain lambdas that leak out somehow. SpiderMonkey does not have the machinery to analyze data flow, so we have to pessimize somewhat currently. But we should not regress the optimizations we do have, since real code does embed "pure" lambdas in outer functions, and we don't want to slow down such outer functions' activations. /be
Updated•18 years ago
|
Attachment #242038 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 8•18 years ago
|
||
Fixed on trunk: Checking in jsdbgapi.c; /cvsroot/mozilla/js/src/jsdbgapi.c,v <-- jsdbgapi.c new revision: 3.69; previous revision: 3.68 done Checking in jsinterp.c; /cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c new revision: 3.299; previous revision: 3.298 done Checking in jsparse.c; /cvsroot/mozilla/js/src/jsparse.c,v <-- jsparse.c new revision: 3.258; previous revision: 3.257 done /be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•18 years ago
|
Attachment #242038 -
Flags: approval1.8.1.1?
Assignee | ||
Updated•18 years ago
|
Flags: blocking1.8.1.1?
Comment 9•18 years ago
|
||
Checking in regress-356250.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-356250.js,v <-- regress-356250.js initial revision: 1.1 done
Flags: in-testsuite+
Comment 10•18 years ago
|
||
I don't see the assert for the testcase in this bug for 1.8.0, 1.8, 1.9 on 20061014 but did see it for the testcases in bug 356085, bug 355992 prior to 20061014 but no longer do. verified fixed 1.9 20061014 windows/linux
Status: RESOLVED → VERIFIED
Updated•18 years ago
|
Flags: blocking1.8.1.1? → blocking1.8.1.1+
Comment 11•18 years ago
|
||
Comment on attachment 242038 [details] [diff] [review] better fix approved for 1.8 branch, a=dveditz for drivers
Attachment #242038 -
Flags: approval1.8.1.1? → approval1.8.1.1+
Assignee | ||
Comment 12•18 years ago
|
||
Fixed on the 1.8 branch: Checking in jsdbgapi.c; /cvsroot/mozilla/js/src/jsdbgapi.c,v <-- jsdbgapi.c new revision: 3.56.2.4; previous revision: 3.56.2.3 done Checking in jsinterp.c; /cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c new revision: 3.181.2.72; previous revision: 3.181.2.71 done Checking in jsparse.c; /cvsroot/mozilla/js/src/jsparse.c,v <-- jsparse.c new revision: 3.142.2.67; previous revision: 3.142.2.66 done (I committed the fix for bug 352797 along with this followup fix.) /be
Keywords: fixed1.8.1
Assignee | ||
Updated•18 years ago
|
Keywords: fixed1.8.1 → fixed1.8.1.1
Comment 13•18 years ago
|
||
verified fixed 20061122 1.8.1.1 windows/linux/mac*, 1.9 windows/linux
Keywords: fixed1.8.1.1 → verified1.8.1.1
You need to log in
before you can comment on or make changes to this bug.
Description
•