Closed Bug 775807 Opened 13 years ago Closed 13 years ago

--dump-bytecode can observe partially-compiled scripts which breaks JSScript::enclosingScope

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla17

People

(Reporter: gkw, Assigned: luke)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [js:t])

Attachments

(2 files)

Attached file stack from Windows 7
(function() { const x = ((function() { return { e: function() { (function() { for (e in x) {} })() } } }(function() { return { t: { c } } }))) })()
quit()

crashes js debug shell on m-c changeset 01929e390ba5 with -D at js::EncapsulatedPtr
Summary: Crash [@ js::EncapsulatedPtr] with -D → Crash [@ js::EncapsulatedPtr] with --dump-bytecode
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   99533:99aaaee4e6b9
user:        Luke Wagner
date:        Thu Jul 05 20:35:08 2012 -0700
summary:     Bug 753158 - emit ALIASEDVAR ops for upvars (r=bhackett)
Blocks: 753158
Ugh, JS_DumpCompartmentPCCounts is finding a script where we aborted compilation, thereby leaving an unfinished interpreted function (whose script pointer is NULL).
Attached patch fix and testSplinter Review
Oh well, simple enough fix.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #644393 - Flags: review?(jimb)
Summary: Crash [@ js::EncapsulatedPtr] with --dump-bytecode → --dump-bytecode can observe partially-compiled scripts which breaks JSScript::enclosingScope
Whiteboard: [js:t]
Comment on attachment 644393 [details] [diff] [review] fix and test Review of attachment 644393 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsscript.cpp @@ +1415,5 @@ > +JSScript::enclosingScriptsCompiledSuccessfully() const > +{ > + /* > + * When a nested script is succesfully compiled, it is eagerly given the > + * static JSFunction of its enclosing script. The enclosing script's "The enclosing function's", right? ::: js/src/jsscript.h @@ +643,5 @@ > + } > + > + /* > + * If a compile error occurs in an enclosing function after parsing a > + * nested function, the enclosing function's JSFunction, which is embedded "embedded in" is a strange term to use here. "Appears on"?
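Review bot: the doc comment in the js/src/jsscript.cpp hunk misspells "successfully" as "succesfully" in the line `> + * When a nested script is succesfully compiled, it is eagerly given the`; fix the spelling before landing, since the comment is the only description of when the enclosing JSFunction is filled in and it will be read by anyone debugging this path later.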
Attachment #644393 - Flags: review?(jimb) → review+
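The failure mode luke describes above (a nested script whose enclosing function never got a script pointer because the enclosing compile was aborted) and the check named in the review (`enclosingScriptsCompiledSuccessfully`) are modelled in the following added example. This is not SpiderMonkey code and not the patch on this bug: `Function`, `Script`, `Compartment`, the scenario builder and the dump functions are all hypothetical stand-ins, and the "outer / middle / inner / ok" nesting is constructed to reproduce the shape of the problem. It shows why a debugging walk over every script in a compartment has to validate the entire enclosing chain, not just the direct parent, before following it.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

struct Script;

// Hypothetical stand-in for JSFunction (example code, not SpiderMonkey's).
struct Function {
    std::string name;
    Script* script = nullptr;   // stays null when compilation of the body is aborted
};

// Hypothetical stand-in for JSScript, reduced to the one field this model needs.
struct Script {
    std::string name;
    Function* enclosingFunction = nullptr;   // null for top-level scripts

    // Same intent as the check named in the review: every function up the
    // enclosing chain must have a non-null script before the chain is followed.
    bool enclosingScriptsCompiledSuccessfully() const {
        for (const Function* fun = enclosingFunction; fun; fun = fun->script->enclosingFunction) {
            if (!fun->script)
                return false;
        }
        return true;
    }
};

// A check that looks only one level up; insufficient for deeper nesting.
bool directEnclosingScriptPresent(const Script& s) {
    return !s.enclosingFunction || s.enclosingFunction->script != nullptr;
}

// Minimal "compartment": owns every function and script created during
// compilation, including the ones an aborted compile leaves behind.
struct Compartment {
    std::vector<std::unique_ptr<Function>> functions;
    std::vector<std::unique_ptr<Script>> scripts;

    Function* newFunction(const std::string& name) {
        functions.emplace_back(new Function());
        functions.back()->name = name;
        return functions.back().get();
    }
    Script* newScript(const std::string& name, Function* enclosing) {
        scripts.emplace_back(new Script());
        scripts.back()->name = name;
        scripts.back()->enclosingFunction = enclosing;
        return scripts.back().get();
    }
    const Script* find(const std::string& name) const {
        for (const auto& s : scripts)
            if (s->name == name) return s.get();
        return nullptr;
    }
};

// Constructed scenario: `outer` encloses `middle`, which encloses `inner`.
// Both nested functions compile first, then `outer` hits a compile error,
// so outer->script is never filled in while the nested scripts survive.
Compartment buildPartiallyCompiledCompartment() {
    Compartment comp;
    comp.newScript("top-level", nullptr);
    Function* outer = comp.newFunction("outer");
    Function* middle = comp.newFunction("middle");
    middle->script = comp.newScript("middle", outer);   // eagerly points at outer
    Function* inner = comp.newFunction("inner");
    inner->script = comp.newScript("inner", middle);
    // compile error in the remainder of outer's body: outer->script stays null
    Function* ok = comp.newFunction("ok");
    ok->script = comp.newScript("ok", nullptr);         // unrelated, fully compiled
    return comp;
}

struct DumpResult {
    std::vector<std::string> dumped;
    std::vector<std::string> skipped;
};

// The guarded walk: dump only scripts whose enclosing chain is complete.
DumpResult dumpScriptsGuarded(const Compartment& comp) {
    DumpResult r;
    for (const auto& s : comp.scripts) {
        if (!s->enclosingScriptsCompiledSuccessfully()) {
            r.skipped.push_back(s->name);
            continue;
        }
        r.dumped.push_back(s->name);
    }
    return r;
}

DumpResult dumpScenario() { return dumpScriptsGuarded(buildPartiallyCompiledCompartment()); }

bool directCheckPasses(const std::string& name) {
    Compartment comp = buildPartiallyCompiledCompartment();
    return directEnclosingScriptPresent(*comp.find(name));
}

bool chainCheckPasses(const std::string& name) {
    Compartment comp = buildPartiallyCompiledCompartment();
    return comp.find(name)->enclosingScriptsCompiledSuccessfully();
}

int main() {
    DumpResult r = dumpScenario();
    for (const auto& n : r.dumped)  std::printf("dumped:  %s\n", n.c_str());
    for (const auto& n : r.skipped) std::printf("skipped: %s (enclosing chain incomplete)\n", n.c_str());
    return 0;
}
```

The interesting case is `inner`: its direct parent `middle` does have a script, so a one-level check passes, but the chain walk reaches `outer` and finds the null script that the unguarded dump would have dereferenced.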
Target Milestone: --- → mozilla17
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug775807.js.
Flags: in-testsuite+