Closed
Bug 488034
Opened 12 years ago
Closed 12 years ago
Crash [@ js_GetUpvar] or "Assertion failure: (script)->upvarsOffset != 0, at ../jsinterp.cpp"
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
People
(Reporter: gkw, Assigned: brendan)
References
Details
(5 keywords, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(1 file, 1 obsolete file)
|
8.83 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
(function(){
var x;
eval("var x; ((function ()x)())");
})()
asserts TM tip js shell debug without -j:
Assertion failure: (script)->upvarsOffset != 0, at ../jsinterp.cpp:5734
and crashes TM tip js shell opt without -j at js_GetUpvar near null.
autoBisect shows this is probably related to bug 452498:
The first bad revision is:
changeset: 26784:2cf0bbe3772a
user: Brendan Eich
date: Sun Apr 05 21:17:22 2009 -0700
summary: upvar2, aka the big one take 2 (452598, r=mrbkap).
Also possibly related to bug 488015 ?Flags: blocking1.9.1?
|
Assignee | |
Updated•12 years ago
|
Assignee: general → brendan
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.1b4
|
|
Assignee | |
Comment 1•12 years ago
|
||
Factor out the make-upvar-for-eval code in BindNameToSlot, use it from the place where we see a use in a function nested in eval code that references an upvar we lazily made just for eval called from a function. /be
Attachment #372360 -
Flags: review?(mrbkap)
|
||
Updated•12 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
|
|
Assignee | |
Comment 2•12 years ago
|
||
The last patch would fix the attached test, but deoptimize this variation:
(function(){
var x = 42;
eval("print((function ()x)()); var x");
})()
merely because the var x comes after the lambda whose body uses x. It was easy to fix this given the refactoring done to handle the eval-nested function use case.
/be
Attachment #372360 -
Attachment is obsolete: true
Attachment #372452 -
Flags: review?(mrbkap)
Attachment #372360 -
Flags: review?(mrbkap)
|
||
Updated•12 years ago
|
Attachment #372452 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 3•12 years ago
|
||
Fixed in tm: http://hg.mozilla.org/tracemonkey/rev/70111870bcf8 /be
Whiteboard: fixed-in-tracemonkey
|
|
||
Comment 4•12 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/70111870bcf8
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
||
Comment 5•12 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/2f83aa29331b
Keywords: fixed1.9.1
|
||
Comment 6•12 years ago
|
||
Verified fixed with testcase given in comment 0 on trunk and 1.9.1 with the following debug builds: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090422 Minefield/3.6a1pre ID:20090422224452 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090422 Shiretoko/3.5b4pre ID:20090422122043
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Target Milestone: mozilla1.9.1b4 → mozilla1.9.2a1
|
Reporter | |
Updated•12 years ago
|
Flags: in-testsuite?
|
||
Updated•10 years ago
|
Crash Signature: [@ js_GetUpvar]
|
||
Comment 7•8 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•