Last Comment Bug 701222 - Crash [@ js::frontend::EmitTree]
: Crash [@ js::frontend::EmitTree]
: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
-- critical (vote)
: mozilla11
Assigned To: Jeff Walden [:Waldo] (remove +bmo to email)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz 697297
  Show dependency treegraph
Reported: 2011-11-09 16:03 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2011-11-10 03:29 PST (History)
7 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

stack (9.33 KB, text/plain)
2011-11-09 16:03 PST, Gary Kwong [:gkw] [:nth10sd]
no flags Details
Patch with tests (10.44 KB, patch)
2011-11-09 18:45 PST, Jeff Walden [:Waldo] (remove +bmo to email)
cdleary: review+
Details | Diff | Splinter Review

Description User image Gary Kwong [:gkw] [:nth10sd] 2011-11-09 16:03:00 PST
Created attachment 573357 [details]

d, {
  x: [{
    x: x::x
} = q

crashes js debug and opt shell on m-c changeset 4fb61ebbf8ff with patch v1 from bug 697279 without any CLI arguments at js::frontend::EmitTree

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80013:944c81533751
user:        Jeff Walden
date:        Tue Oct 25 16:04:48 2011 -0700
summary:     Bug 697297 - Replace TOK_UNARYOP with separate kinds for each op it covers, in both the tokenizer and in the parser (with different semantics in each!).  r=dherman, r=cdleary
Comment 1 User image Jeff Walden [:Waldo] (remove +bmo to email) 2011-11-09 18:45:30 PST
Created attachment 573406 [details] [diff] [review]
Patch with tests

The problem is I took one sort of punning -- on TOK_UNARYOP -- and incompletely replaced it with another sort -- on TOK_{AT,ANYNAME,DBLCOLON}.  Probably completely replacing would have avoided this problem, but that wouldn't avoid the punning confusion.  I really should have used a new kind for these rather than just bifurcating the punning -- it's definitely much clearer.

This patch adds a new kind with the sense that TOK_UNARYOP had.  It passes all tests, plus the one here and the one in bug 701224 (and the one from bug 701227, which is functionally identical to bug 701224).  And I'm definitely happier with it than with the corresponding aspects of the patch that caused this regression.
Comment 2 User image Jeff Walden [:Waldo] (remove +bmo to email) 2011-11-09 23:20:54 PST
Er, when I said "and the one from bug 701227, which is functionally identical to bug 701224", I really meant "and the one from bug 701247, which is functionally identical to bug 701224".
Comment 3 User image Marco Bonardo [::mak] 2011-11-10 03:29:19 PST

Note You need to log in before you can comment on or make changes to this bug.