--dump-bytecode can observe partially-compiled scripts which breaks JSScript::enclosingScope

RESOLVED FIXED in mozilla17

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 4 years ago

People

Reporter: gkw
Assignee: luke

Tracking

Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla17
Keywords: crash, regression, testcase
Points: ---
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)

Details

Whiteboard: [js:t]

Attachments: 2 attachments

Description (Reporter, 5 years ago)
Created attachment 644112 [details]
stack from Windows 7

(function() {
    const x = ((function() {
        return {
            e: function() {
                (function() {
                    for (e in x) {}
                })()
            }
        }
    }(function() {
        return {
            t: {
                c
            }
        }
    })))
})()
quit()

Crashes the js debug shell on m-c changeset 01929e390ba5 with -D at js::EncapsulatedPtr.

Updated (Reporter, 5 years ago)
Summary: Crash [@ js::EncapsulatedPtr] with -D → Crash [@ js::EncapsulatedPtr] with --dump-bytecode
Comment 1 (Reporter, 5 years ago)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   99533:99aaaee4e6b9
user:        Luke Wagner
date:        Thu Jul 05 20:35:08 2012 -0700
summary:     Bug 753158 - emit ALIASEDVAR ops for upvars (r=bhackett)
Blocks: 753158
Comment 2 (Assignee, 5 years ago)
Ugh, JS_DumpCompartmentPCCounts is finding a script where we aborted compilation, thereby leaving an unfinished interpreted function (whose script pointer is NULL).
Comment 3 (Assignee, 5 years ago)
Created attachment 644393 [details] [diff] [review]
fix and test

Oh well, simple enough fix.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #644393 - Flags: review?(jimb)
Updated (Assignee, 5 years ago)
Summary: Crash [@ js::EncapsulatedPtr] with --dump-bytecode → --dump-bytecode can observe partially-compiled scripts which breaks JSScript::enclosingScope
Whiteboard: [js:t]

Comment 4 (5 years ago)
Comment on attachment 644393 [details] [diff] [review]
fix and test

Review of attachment 644393 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsscript.cpp
@@ +1415,5 @@
> +JSScript::enclosingScriptsCompiledSuccessfully() const
> +{
> +    /*
> +     * When a nested script is succesfully compiled, it is eagerly given the
> +     * static JSFunction of its enclosing script. The enclosing script's
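Review bot: the new comment in JSScript::enclosingScriptsCompiledSuccessfully() misspells "successfully" ("When a nested script is succesfully compiled"); fix that together with the "enclosing function's" wording so the comment matches the name of the predicate it documents.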

"The enclosing function's", right?

::: js/src/jsscript.h
@@ +643,5 @@
> +    }
> +
> +    /*
> +     * If a compile error occurs in an enclosing function after parsing a
> +     * nested function, the enclosing function's JSFunction, which is embedded
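Review bot: the jsscript.h comment names the cause (a compile error in the enclosing function after the nested function was parsed) but not the stale state the predicate actually guards; since it is the nested script's enclosingScope() that ends up pointing at a JSFunction whose script pointer is NULL (comment 2, and the bug summary), state that outcome explicitly, e.g. "the nested script's enclosing static scope is then a JSFunction whose script is NULL", so a reader of the header knows what callers must check before dereferencing.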

"embedded in" is a strange term to use here. "Appears on"?
Attachment #644393 - Flags: review?(jimb) → review+
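The mechanism described in comment 2 and in the two review hunks above, as an added example that is not SpiderMonkey's code: a small C++ model of the enclosing-scope chain. Function, Script, Compartment, dumpCompartmentPCCounts, describeEnclosingScope and the scenario names are assumptions standing in for JSFunction, JSScript, JS_DumpCompartmentPCCounts and the shapes in the testcase. It shows the guard the fix adds (walk the enclosing chain outward and refuse to dump a script if any enclosing function never received its script), and the dereference that faulted when that guard was missing.

```cpp
// Added example modelling the invariant behind this bug; not SpiderMonkey code.
// Function, Script, Compartment and the dump routine are stand-ins (assumptions).
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

struct Script;

// Stand-in for a JSFunction. If compilation of the function aborts after its
// nested functions were already parsed, script is left null (comment 2).
struct Function {
    std::string name;
    Script* script = nullptr;
};

// Stand-in for a JSScript. A nested script is eagerly given the static function
// of its enclosing script (jsscript.cpp hunk); null means top level.
struct Script {
    std::string name;
    Function* enclosingFunction = nullptr;
};

// Owns every function and script of one compartment, in creation order.
struct Compartment {
    std::vector<std::unique_ptr<Function>> functions;
    std::vector<std::unique_ptr<Script>> scripts;

    Function* newFunction(const std::string& name) {
        auto f = std::make_unique<Function>();
        f->name = name;
        functions.push_back(std::move(f));
        return functions.back().get();
    }
    Script* newScript(const std::string& name, Function* enclosing) {
        auto s = std::make_unique<Script>();
        s->name = name;
        s->enclosingFunction = enclosing;
        scripts.push_back(std::move(s));
        return scripts.back().get();
    }
};

// Mirrors the fix's JSScript::enclosingScriptsCompiledSuccessfully(): walk the
// enclosing chain outward and fail if any enclosing function has no script.
bool enclosingScriptsCompiledSuccessfully(const Script* s) {
    for (const Function* f = s->enclosingFunction; f != nullptr;) {
        if (f->script == nullptr)
            return false;          // enclosing compile aborted; chain is unusable
        f = f->script->enclosingFunction;
    }
    return true;
}

// The per-script work a dump does. Following enclosingFunction->script is the
// dereference that faulted at js::EncapsulatedPtr when script was null.
std::string describeEnclosingScope(const Script* s) {
    const Function* f = s->enclosingFunction;
    if (f == nullptr)
        return "(global)";
    return f->name + " in " + f->script->name;
}

// Stand-in for JS_DumpCompartmentPCCounts: dump every script, but only after the
// guard from the fix, so scripts under an aborted compile are skipped, not read.
std::vector<std::string> dumpCompartmentPCCounts(const Compartment& c) {
    std::vector<std::string> out;
    for (const auto& s : c.scripts) {
        if (!enclosingScriptsCompiledSuccessfully(s.get()))
            continue;
        out.push_back(s->name + " <- " + describeEnclosingScope(s.get()));
    }
    return out;
}

// Constructed scenario (assumption) shaped like the testcase: the outer IIFE's
// compile aborts on a syntax error after its nested functions were parsed, so
// outer->script stays null while e_body and e_inner already point at it.
// helper compiled normally and must still be dumped.
Compartment buildAbortedCompileExample() {
    Compartment c;
    c.newScript("global", nullptr);
    Function* outer = c.newFunction("outer");          // script left null
    Script* eBody = c.newScript("e_body", outer);
    Function* e = c.newFunction("e");
    e->script = eBody;
    c.newScript("e_inner", e);
    Function* helper = c.newFunction("helper");
    helper->script = c.newScript("helper_body", nullptr);
    c.newScript("helper_nested", helper);
    return c;
}

const Script* findScript(const Compartment& c, const std::string& name) {
    for (const auto& s : c.scripts)
        if (s->name == name) return s.get();
    return nullptr;
}

int main() {
    for (const std::string& line : dumpCompartmentPCCounts(buildAbortedCompileExample()))
        std::puts(line.c_str());
    return 0;
}
```

Removing the guard in dumpCompartmentPCCounts reproduces the failure mode: describeEnclosingScope on e_body reads outer->script->name through a null pointer, which is the same shape as the crash the reporter saw with --dump-bytecode.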
Comment 5 (Assignee, 5 years ago)
Agreed on both, thanks!

https://hg.mozilla.org/integration/mozilla-inbound/rev/1dbd25c0205e
Target Milestone: --- → mozilla17
https://hg.mozilla.org/mozilla-central/rev/1dbd25c0205e
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug775807.js.
Flags: in-testsuite+