Closed Bug 701222 Opened 8 years ago Closed 8 years ago

Crash [@ js::frontend::EmitTree]

Categories

(Core :: JavaScript Engine, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla11

People

(Reporter: gkw, Assigned: Waldo)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: js-triage-done)

Crash Data

Attachments

(2 files)

Attached file stack
d, {
  x: [{
    x: x::x
  }]
} = q

crashes js debug and opt shell on m-c changeset 4fb61ebbf8ff with patch v1 from bug 697279 without any CLI arguments at js::frontend::EmitTree

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80013:944c81533751
user:        Jeff Walden
date:        Tue Oct 25 16:04:48 2011 -0700
summary:     Bug 697297 - Replace TOK_UNARYOP with separate kinds for each op it covers, in both the tokenizer and in the parser (with different semantics in each!).  r=dherman, r=cdleary
Crash Signature: [@ js::frontend::EmitTree]
Attached patch Patch with testsSplinter Review
The problem is I took one sort of punning -- on TOK_UNARYOP -- and incompletely replaced it with another sort -- on TOK_{AT,ANYNAME,DBLCOLON}.  Probably completely replacing would have avoided this problem, but that wouldn't avoid the punning confusion.  I really should have used a new kind for these rather than just bifurcating the punning -- it's definitely much clearer.

This patch adds a new kind with the sense that TOK_UNARYOP had.  It passes all tests, plus the one here and the one in bug 701224 (and the one from bug 701227, which is functionally identical to bug 701224).  And I'm definitely happier with it than with the corresponding aspects of the patch that caused this regression.
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
Attachment #573406 - Flags: review?(cdleary)
Attachment #573406 - Flags: review?(cdleary) → review+
Er, when I said "and the one from bug 701227, which is functionally identical to bug 701224", I really meant "and the one from bug 701247, which is functionally identical to bug 701224".

https://hg.mozilla.org/integration/mozilla-inbound/rev/46b40e2c1953
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: js-triage-needed → js-triage-done
Target Milestone: --- → mozilla11
https://hg.mozilla.org/mozilla-central/rev/46b40e2c1953
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.