Closed
Bug 492714
Opened 15 years ago
Closed 15 years ago
"Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp" with genexp
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: jorendorff)
References
Details
(4 keywords, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
2.30 KB,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
(function ({x}) x for each (x in y)) asserts debug js shell without -j at Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp:2067
Flags: in-testsuite?
Flags: blocking1.9.1?
Reporter | ||
Comment 1•15 years ago
|
||
autoBisect shows this is probably related to bug 452498 : The first bad revision is: changeset: 26784:2cf0bbe3772a user: Brendan Eich date: Sun Apr 05 21:17:22 2009 -0700 summary: upvar2, aka the big one take 2 (452498, r=mrbkap).
Summary: "Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp" → "Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp" with genexp
Assignee | ||
Comment 2•15 years ago
|
||
I'm not totally confident I know what's going on here, but here is my guess: ((function ({x}) x) for (y in z)); When BindDestructuringArg is first called, with atom "x", it assigns 0x10000 to pn->pn_cookie. CompExprTransplanter calls BumpStaticLevel twice for this node, so UPVAR_FRAME_SKIP(pn->pn_cookie) ends up being 3. I think this is because the node appears twice in the "tree". The assertion later happens with level == 3 and cg->staticLevel == 2.
Assignee | ||
Comment 3•15 years ago
|
||
In fact, unless I'm mistaken, we shouldn't be bumping the static level of this node at all, since it is local to a function that is, itself, being transplanted.
Assignee | ||
Updated•15 years ago
|
Assignee: general → jorendorff
Comment 4•15 years ago
|
||
(In reply to comment #3) > In fact, unless I'm mistaken, we shouldn't be bumping the static level of this > node at all, since it is local to a function that is, itself, being > transplanted. pn_cookie's skip half is an absolute static level as reckoned by the parser, which sees all statically nested functions. So we need to bump, but you are right we should not double-bump in this case. Destructuring parameters desugar to injected vars at the front of the function's body. /be
Assignee: jorendorff → general
Updated•15 years ago
|
Assignee: general → jorendorff
Assignee | ||
Comment 5•15 years ago
|
||
Attachment #377293 -
Flags: review?(brendan)
Comment 6•15 years ago
|
||
Comment on attachment 377293 [details] [diff] [review] v1 Great, thanks. Alterna-patch, or followup bug fodder, would use the CloneParseTree function (new with upvar) to make right a clone of left. /be
Attachment #377293 -
Flags: review?(brendan) → review+
Assignee | ||
Comment 7•15 years ago
|
||
Filed bug 492996. http://hg.mozilla.org/tracemonkey/rev/7797c629c576
No longer blocks: 492996
Whiteboard: fixed-in-tracemonkey
Comment 8•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/7797c629c576
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Resolution: --- → FIXED
Comment 9•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/e29396a250b5
Keywords: fixed1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•