Bug 701222 - Crash [@ js::frontend::EmitTree]
Status: RESOLVED FIXED
Whiteboard: js-triage-done
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: mozilla11
Assigned To: Jeff Walden [:Waldo] (remove +bmo to email)
Blocks: jsfunfuzz 697297
Reported: 2011-11-09 16:03 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2011-11-10 03:29 PST
CC List: 7 users

Attachments
stack (9.33 KB, text/plain)
2011-11-09 16:03 PST, Gary Kwong [:gkw] [:nth10sd]
no flags
Patch with tests (10.44 KB, patch)
2011-11-09 18:45 PST, Jeff Walden [:Waldo] (remove +bmo to email)
cdleary: review+

Description Gary Kwong [:gkw] [:nth10sd] 2011-11-09 16:03:00 PST
Created attachment 573357
stack

d, {
  x: [{
    x: x::x
  }]
} = q

crashes js debug and opt shell on m-c changeset 4fb61ebbf8ff with patch v1 from bug 697279 without any CLI arguments at js::frontend::EmitTree

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80013:944c81533751
user:        Jeff Walden
date:        Tue Oct 25 16:04:48 2011 -0700
summary:     Bug 697297 - Replace TOK_UNARYOP with separate kinds for each op it covers, in both the tokenizer and in the parser (with different semantics in each!).  r=dherman, r=cdleary

Comment 1 Jeff Walden [:Waldo] (remove +bmo to email) 2011-11-09 18:45:30 PST
Created attachment 573406
Patch with tests

The problem is I took one sort of punning -- on TOK_UNARYOP -- and incompletely replaced it with another sort -- on TOK_{AT,ANYNAME,DBLCOLON}.  Probably completely replacing would have avoided this problem, but that wouldn't avoid the punning confusion.  I really should have used a new kind for these rather than just bifurcating the punning -- it's definitely much clearer.

This patch adds a new kind with the sense that TOK_UNARYOP had.  It passes all tests, plus the one here and the one in bug 701224 (and the one from bug 701227, which is functionally identical to bug 701224).  And I'm definitely happier with it than with the corresponding aspects of the patch that caused this regression.
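
A simplified model of the kind punning described in comment 1, added here as an illustration; it is not SpiderMonkey code and not the patch attached to this bug. The node layout, the assumption that the second sense of the double-colon kind is a binary qualified name, and every name in it (Kind, Arity, Node, emitPunned, emitFixed, demo) are hypothetical.

```cpp
// Model only: one node kind carrying two senses versus a dedicated kind.
enum class Arity { Leaf, Unary, Binary };

// Punned scheme: DblColon stands for both a unary XML operator node and
// (assumed here) a binary qualified name such as x::x.
// Fixed scheme: XmlUnary carries the unary sense on its own.
enum class Kind { Name, DblColon, XmlUnary };

struct Node {
    Kind kind;
    Arity arity;
    const Node* kid;    // meaningful only when arity == Unary
    const Node* left;   // meaningful only when arity == Binary
    const Node* right;  // meaningful only when arity == Binary
};

enum class Emit { Ok, WrongArity };

// Punned emitter: infers the node shape from the kind alone. Where a real
// emitter would read a field that is not valid for the node, the model
// reports WrongArity instead.
Emit emitPunned(const Node& n) {
    if (n.kind == Kind::DblColon)  // "DblColon means unary operator"
        return (n.arity == Arity::Unary && n.kid) ? Emit::Ok : Emit::WrongArity;
    return Emit::Ok;
}

// Emitter with a dedicated kind: each kind implies exactly one shape.
Emit emitFixed(const Node& n) {
    switch (n.kind) {
      case Kind::XmlUnary:
        return (n.arity == Arity::Unary && n.kid) ? Emit::Ok : Emit::WrongArity;
      case Kind::DblColon:
        return (n.arity == Arity::Binary && n.left && n.right) ? Emit::Ok
                                                               : Emit::WrongArity;
      case Kind::Name:
        return Emit::Ok;
    }
    return Emit::WrongArity;
}

// Constructed sample: a binary node standing in for a qualified name.
Emit demo(bool fixed) {
    Node x{Kind::Name, Arity::Leaf, nullptr, nullptr, nullptr};
    Node qualified{Kind::DblColon, Arity::Binary, nullptr, &x, &x};
    return fixed ? emitFixed(qualified) : emitPunned(qualified);
}

int main() { return demo(true) == Emit::Ok ? 0 : 1; }
```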

Comment 2 Jeff Walden [:Waldo] (remove +bmo to email) 2011-11-09 23:20:54 PST
Er, when I said "and the one from bug 701227, which is functionally identical to bug 701224", I really meant "and the one from bug 701247, which is functionally identical to bug 701224".

https://hg.mozilla.org/integration/mozilla-inbound/rev/46b40e2c1953

Comment 3 Marco Bonardo [::mak] 2011-11-10 03:29:19 PST
https://hg.mozilla.org/mozilla-central/rev/46b40e2c1953
