Closed Bug 492714 Opened 15 years ago Closed 15 years ago

"Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp" with genexp

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: jorendorff)

References

Details

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

v1
2.30 KB, patch
brendan
: review+
Details | Diff | Splinter Review 
(function ({x}) x for each (x in y))

asserts debug js shell without -j at Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp:2067
Flags: in-testsuite?
Flags: blocking1.9.1?
autoBisect shows this is probably related to bug 452498 :

The first bad revision is:
changeset:   26784:2cf0bbe3772a
user:        Brendan Eich
date:        Sun Apr 05 21:17:22 2009 -0700
summary:     upvar2, aka the big one take 2 (452498, r=mrbkap).
Summary: "Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp" → "Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp" with genexp
I'm not totally confident I know what's going on here, but here is my guess:

   ((function ({x}) x) for (y in z));

When BindDestructuringArg is first called, with atom "x", it assigns 0x10000 to pn->pn_cookie.  CompExprTransplanter calls BumpStaticLevel twice for this node, so UPVAR_FRAME_SKIP(pn->pn_cookie) ends up being 3.

I think this is because the node appears twice in the "tree".

The assertion later happens with level == 3 and cg->staticLevel == 2.
In fact, unless I'm mistaken, we shouldn't be bumping the static level of this node at all, since it is local to a function that is, itself, being transplanted.
Assignee: general → jorendorff
(In reply to comment #3)
> In fact, unless I'm mistaken, we shouldn't be bumping the static level of this
> node at all, since it is local to a function that is, itself, being
> transplanted.

pn_cookie's skip half is an absolute static level as reckoned by the parser, which sees all statically nested functions. So we need to bump, but you are right we should not double-bump in this case.

Destructuring parameters desugar to injected vars at the front of the function's body.

/be
Assignee: jorendorff → general
Assignee: general → jorendorff
Attached patch v1Splinter Review 

        Attachment #377293 -
        Flags: review?(brendan)

    
    

    
  
Comment on attachment 377293 [details] [diff] [review]
v1

Great, thanks. Alterna-patch, or followup bug fodder, would use the CloneParseTree function (new with upvar) to make right a clone of left.

/be

        Attachment #377293 -
        Flags: review?(brendan) → review+

    
  
Blocks: 492996

    
    

    
  
Filed bug 492996.

http://hg.mozilla.org/tracemonkey/rev/7797c629c576
No longer blocks: 492996
Whiteboard: fixed-in-tracemonkey

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/7797c629c576
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: