Closed
Bug 557841
Opened 14 years ago
Closed 14 years ago
TM: "Assertion failure: BINDNAME in global code resolved to non-global object, at ../jstracer.cpp"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: jorendorff)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file, 1 obsolete file)
|
4.89 KB,
patch
|
dmandelin
:
review+
|
Details | Diff | Splinter Review |
({e:(eval("for(let a = 0; a < 4; a++){x = print}",[])),get 6()("")})
asserts js debug shell on TM tip with -j at Assertion failure: BINDNAME in global code resolved to non-global object, at ../jstracer.cpp:13679
autoBisect shows this is probably related to bug 556937:
The first bad revision is:
changeset: 40429:9acb5bcc134f
user: Jason Orendorff
date: Tue Apr 06 16:49:33 2010 -0500
summary: Bug 556937 - TM: Trace JSOP_SETNAME when preceding BINDNAME produces the global object. r=dmandelin.
|
Assignee | |
Comment 1•14 years ago
|
||
The fact that we trace in eval like that, when there's a With object on the scope chain, is pretty dumb. We record the loop, emit code for it, and then never execute it, because ExecuteTree calls ScopeChainCheck.
Assignee: general → jorendorff
Attachment #437615 -
Flags: review?(dmandelin)
|
||
Comment 2•14 years ago
|
||
Why is two-arg eval still alive? Someone please take bug 531675. Jason: could this bug be fixed by moving ScopeChainCheck to the recorder? /be
|
|
Assignee | |
Comment 3•14 years ago
|
||
(In reply to comment #2) > Jason: could this bug be fixed by moving ScopeChainCheck to the recorder? Even if we check the scope chain in startRecorder (or wherever), I think we still need the check in ExecuteTree (or somewhere) to guard against weird API use like: script = JS_CompileScript(...) JS_ExecuteScript(cx, script, global, ...) // record a trace JS_ExecuteScript(cx, script, badobj, ...) // execute it and probably variations on that theme using JS_CloneFunctionObject, etc. I favor checking in both places, because the invariant "we don't have non-cacheable objects on the scope chain at record time" seems only sane. I'll file and patch a followup bug if you agree.
|
|
||
Comment 4•14 years ago
|
||
Yes, have to check both places -- I should have written "copying" not "moving". /be
|
||
Comment 5•14 years ago
|
||
Do you still want this patch reviewed or are you going to do a new one?
|
|
Assignee | |
Comment 6•14 years ago
|
||
Please review it. I'll file a followup bug.
|
|
Assignee | |
Comment 7•14 years ago
|
||
hg got this diff wrong. It shows me moving a big chunk of code up; actually I moved the asserts down.
Attachment #437615 -
Attachment is obsolete: true
Attachment #439627 -
Flags: review?(dmandelin)
Attachment #437615 -
Flags: review?(dmandelin)
|
|
||
Comment 8•14 years ago
|
||
Comment on attachment 439627 [details] [diff] [review] v2 - check before recording starts Looks good. The new abort reason should be added to js/src/tracevis/acts.py. r+ with that.
Attachment #439627 -
Flags: review?(dmandelin) → review+
|
|
Assignee | |
Comment 9•14 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/6c84ffb9c16e
Whiteboard: fixed-in-tracemonkey
|
||
Comment 10•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/6c84ffb9c16e
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Comment 11•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug557841.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•