Closed
Bug 775807
Opened 12 years ago
Closed 12 years ago
--dump-bytecode can observe partially-compiled scripts which breaks JSScript::enclosingScope
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla17
People
(Reporter: gkw, Assigned: luke)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [js:t])
Attachments
(2 files)
7.13 KB,
text/plain
|
Details | |
4.75 KB,
patch
|
jimb
:
review+
|
Details | Diff | Splinter Review |
(function() { const x = ((function() { return { e: function() { (function() { for (e in x) {} })() } } }(function() { return { t: { c } } }))) })() quit() crashes js debug shell on m-c changeset 01929e390ba5 with -D at js::EncapsulatedPtr
Reporter | ||
Updated•12 years ago
|
Summary: Crash [@ js::EncapsulatedPtr] with -D → Crash [@ js::EncapsulatedPtr] with --dump-bytecode
Reporter | ||
Comment 1•12 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 99533:99aaaee4e6b9 user: Luke Wagner date: Thu Jul 05 20:35:08 2012 -0700 summary: Bug 753158 - emit ALIASEDVAR ops for upvars (r=bhackett)
Blocks: 753158
Assignee | ||
Comment 2•12 years ago
|
||
Ugh, JS_DumpCompartmentPCCounts is finding a script where we aborted compilation, thereby leaving an unfinished interpreted function (whose script pointer is NULL).
Assignee | ||
Comment 3•12 years ago
|
||
Oh well, simple enough fix.
Assignee | ||
Updated•12 years ago
|
Summary: Crash [@ js::EncapsulatedPtr] with --dump-bytecode → --dump-bytecode can observe partially-compiled scripts which breaks JSScript::enclosingScope
Updated•12 years ago
|
Whiteboard: [js:t]
Comment 4•12 years ago
|
||
Comment on attachment 644393 [details] [diff] [review] fix and test Review of attachment 644393 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsscript.cpp @@ +1415,5 @@ > +JSScript::enclosingScriptsCompiledSuccessfully() const > +{ > + /* > + * When a nested script is succesfully compiled, it is eagerly given the > + * static JSFunction of its enclosing script. The enclosing script's "The enclosing function's", right? ::: js/src/jsscript.h @@ +643,5 @@ > + } > + > + /* > + * If a compile error occurs in an enclosing function after parsing a > + * nested function, the enclosing function's JSFunction, which is embedded "embedded in" is a strange term to use here. "Appears on"?
Attachment #644393 -
Flags: review?(jimb) → review+
Assignee | ||
Comment 5•12 years ago
|
||
Agreed on both, thanks! https://hg.mozilla.org/integration/mozilla-inbound/rev/1dbd25c0205e
Target Milestone: --- → mozilla17
Comment 6•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/1dbd25c0205e
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 7•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug775807.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•