Bug 775807: --dump-bytecode can observe partially-compiled scripts which breaks JSScript::enclosingScope
Status: RESOLVED FIXED (opened 13 years ago, closed 13 years ago)
Categories: Core :: JavaScript Engine, defect
Tracking: mozilla17
People: Reporter: gkw, Assigned: luke
Keywords: crash, regression, testcase
Whiteboard: [js:t]
Attachments (2 files):
- 7.13 KB, text/plain
- 4.75 KB, patch (jimb: review+)
(function() {
    const x = ((function() {
        return {
            e: function() {
                (function() {
                    for (e in x) {}
                })()
            }
        }
    }(function() {
        return {
            t: {
                c
            }
        }
    })))
})()
quit()
crashes js debug shell on m-c changeset 01929e390ba5 with -D at js::EncapsulatedPtr
Updated • 13 years ago (Reporter)
Summary: Crash [@ js::EncapsulatedPtr] with -D → Crash [@ js::EncapsulatedPtr] with --dump-bytecode
Comment 1 • 13 years ago (Reporter)
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 99533:99aaaee4e6b9
user: Luke Wagner
date: Thu Jul 05 20:35:08 2012 -0700
summary: Bug 753158 - emit ALIASEDVAR ops for upvars (r=bhackett)
Blocks: 753158
Comment 2 • 13 years ago (Assignee)
Ugh, JS_DumpCompartmentPCCounts is finding a script where we aborted compilation, thereby leaving an unfinished interpreted function (whose script pointer is NULL).
Comment 3 • 13 years ago (Assignee)
Oh well, simple enough fix.
Updated • 13 years ago (Assignee)
Summary: Crash [@ js::EncapsulatedPtr] with --dump-bytecode → --dump-bytecode can observe partially-compiled scripts which breaks JSScript::enclosingScope
Updated • 13 years ago
Whiteboard: [js:t]
Comment 4 • 13 years ago
Comment on attachment 644393: fix and test
Review of attachment 644393:
-----------------------------------------------------------------
::: js/src/jsscript.cpp
@@ +1415,5 @@
> +JSScript::enclosingScriptsCompiledSuccessfully() const
> +{
> + /*
> + * When a nested script is succesfully compiled, it is eagerly given the
> + * static JSFunction of its enclosing script. The enclosing script's
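Review bot: the new comment in JSScript::enclosingScriptsCompiledSuccessfully() misspells "succesfully"; it should read "successfully".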
"The enclosing function's", right?
::: js/src/jsscript.h
@@ +643,5 @@
> + }
> +
> + /*
> + * If a compile error occurs in an enclosing function after parsing a
> + * nested function, the enclosing function's JSFunction, which is embedded
"embedded in" is a strange term to use here. "Appears on"?
Attachment #644393 -
Flags: review?(jimb) → review+
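A simplified model of the invariant discussed in comments 2 and 4, added here as an illustration and not the code from attachment 644393. The types, fields, `scriptsSafeToDump` and `demoSafeCount` are hypothetical; only the name `enclosingScriptsCompiledSuccessfully` comes from the patch.

```cpp
#include <cstddef>
#include <vector>

// Simplified model (hypothetical types, not SpiderMonkey's): a function's
// script pointer stays null if its compilation was aborted.
struct Script;
struct Function {
    Script *script = nullptr;
};
struct Script {
    // Set eagerly when this (nested) script finishes compiling.
    Function *enclosingFunction = nullptr;
};

// True only if every function on the enclosing chain ended up with a script.
bool enclosingScriptsCompiledSuccessfully(const Script *s) {
    for (const Function *f = s->enclosingFunction; f != nullptr;
         f = f->script->enclosingFunction) {
        if (f->script == nullptr)
            return false;  // an enclosing compile aborted; do not walk further
    }
    return true;
}

// Hypothetical dumper step: keep only scripts whose enclosing chain is
// complete, instead of dereferencing a null script pointer while dumping.
std::vector<const Script *> scriptsSafeToDump(const std::vector<Script *> &all) {
    std::vector<const Script *> safe;
    for (const Script *s : all)
        if (enclosingScriptsCompiledSuccessfully(s))
            safe.push_back(s);
    return safe;
}

// Constructed scenario: "inner" compiled, then its outer function hit a
// compile error; a second outer/inner pair compiled normally.
std::size_t demoSafeCount() {
    Function abortedOuter;  // script never assigned
    Script inner;
    inner.enclosingFunction = &abortedOuter;
    Function goodOuterFun;
    Script goodOuter, goodInner;
    goodOuterFun.script = &goodOuter;
    goodInner.enclosingFunction = &goodOuterFun;
    std::vector<Script *> all = {&inner, &goodOuter, &goodInner};
    return scriptsSafeToDump(all).size();
}

int main() { return demoSafeCount() == 2 ? 0 : 1; }
```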
Comment 5 • 13 years ago (Assignee)
Agreed on both, thanks!
https://hg.mozilla.org/integration/mozilla-inbound/rev/1dbd25c0205e
Target Milestone: --- → mozilla17
Comment 6 • 13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 7 • 13 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug775807.js.
Flags: in-testsuite+