Bug 775807 - --dump-bytecode can observe partially-compiled scripts which breaks JSScript::enclosingScope
Status: RESOLVED FIXED
Whiteboard: [js:t]
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: mozilla17
Assigned To: Luke Wagner [:luke]
QA Contact: general
Blocks: jsfunfuzz 753158
Reported: 2012-07-19 18:23 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 07:46 PST (History)
Flags: choller: in-testsuite+


Attachments
stack from Windows 7 (7.13 KB, text/plain)
2012-07-19 18:23 PDT, Gary Kwong [:gkw] [:nth10sd]
fix and test (4.75 KB, patch)
2012-07-20 11:06 PDT, Luke Wagner [:luke]
jimb: review+

Description Gary Kwong [:gkw] [:nth10sd] 2012-07-19 18:23:54 PDT
Created attachment 644112
stack from Windows 7

(function() {
    const x = ((function() {
        return {
            e: function() {
                (function() {
                    for (e in x) {}
                })()
            }
        }
    }(function() {
        return {
            t: {
                c
            }
        }
    })))
})()
quit()

crashes js debug shell on m-c changeset 01929e390ba5 with -D at js::EncapsulatedPtr
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-07-19 18:43:52 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   99533:99aaaee4e6b9
user:        Luke Wagner
date:        Thu Jul 05 20:35:08 2012 -0700
summary:     Bug 753158 - emit ALIASEDVAR ops for upvars (r=bhackett)
Comment 2 Luke Wagner [:luke] 2012-07-20 10:28:43 PDT
Ugh, JS_DumpCompartmentPCCounts is finding a script where we aborted compilation, thereby leaving an unfinished interpreted function (whose script pointer is NULL).
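A minimal model of the hazard described in this comment, added here as an illustration and not taken from SpiderMonkey: Script, Function, dumpCompartment and the two scenario functions are assumed names; the outward walk mirrors what the patch's enclosingScriptsCompiledSuccessfully() check has to do before a compartment-wide dump follows a script's enclosing chain.

```cpp
// Added illustration (not SpiderMonkey code); Script, Function and all functions below are assumed names.
#include <string>
#include <vector>

struct Function;
struct Script {
    std::string name;
    Function* enclosingFunction = nullptr;  // set eagerly when the nested script is parsed
};
struct Function {
    std::string name;
    Script* script = nullptr;  // stays null when the function's compile aborted
};

// Model of JSScript::enclosingScriptsCompiledSuccessfully(): walk outward and
// require every enclosing function to own a finished script.
bool enclosingScriptsCompiledSuccessfully(const Script* s) {
    for (const Function* f = s->enclosingFunction; f; f = f->script->enclosingFunction) {
        if (!f->script)
            return false;  // an enclosing compile aborted after this script was parsed
    }
    return true;
}

// Model of a compartment-wide dump (what -D does via JS_DumpCompartmentPCCounts):
// scripts under an aborted compile are skipped instead of dereferenced.
int dumpCompartment(const std::vector<Script*>& scripts) {
    int dumped = 0;
    for (const Script* s : scripts) {
        if (enclosingScriptsCompiledSuccessfully(s))
            ++dumped;  // a real dumper would print s's bytecode here
    }
    return dumped;
}

// Constructed scenario mirroring the testcase: the inner function is parsed and
// attached to its enclosing function, then the enclosing compile aborts.
int dumpAfterAbortedCompile() {
    Function outer{"outer"};         // script left null by the aborted compile
    Script inner{"inner", &outer};
    Script top{"top"};
    return dumpCompartment({&top, &inner});  // only "top" survives the check
}
// Same shape with a finished enclosing compile: both scripts are dumped.
int dumpAfterSuccessfulCompile() {
    Script outerScript{"outer"};
    Function outer{"outer", &outerScript};
    Script inner{"inner", &outer};
    return dumpCompartment({&outerScript, &inner});
}
```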
Comment 3 Luke Wagner [:luke] 2012-07-20 11:06:04 PDT
Created attachment 644393
fix and test

Oh well, simple enough fix.
Comment 4 Jim Blandy :jimb 2012-07-20 17:13:05 PDT
Comment on attachment 644393
fix and test

Review of attachment 644393:
-----------------------------------------------------------------

::: js/src/jsscript.cpp
@@ +1415,5 @@
> +JSScript::enclosingScriptsCompiledSuccessfully() const
> +{
> +    /*
> +     * When a nested script is succesfully compiled, it is eagerly given the
> +     * static JSFunction of its enclosing script. The enclosing script's
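Review bot: typo in the new comment at +1418, "succesfully" should be "successfully"; the same sentence also says the nested script is given the static JSFunction of its enclosing "script", while the header comment in jsscript.h speaks of the enclosing function's JSFunction, so the two comments should use the same term.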

"The enclosing function's", right?

::: js/src/jsscript.h
@@ +643,5 @@
> +    }
> +
> +    /*
> +     * If a compile error occurs in an enclosing function after parsing a
> +     * nested function, the enclosing function's JSFunction, which is embedded
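Review bot: the comment at +645 explains how an enclosing function can be left with a NULL script but not what a caller should conclude from it; state here that JSScript::enclosingScope (and any compartment-wide script walk such as JS_DumpCompartmentPCCounts) is only safe to use once enclosingScriptsCompiledSuccessfully() returns true, so readers of the header find the guard next to the hazard.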

"embedded in" is a strange term to use here. "Appears on"?
Comment 5 Luke Wagner [:luke] 2012-07-20 17:35:16 PDT
Agreed on both, thanks!

https://hg.mozilla.org/integration/mozilla-inbound/rev/1dbd25c0205e
Comment 6 Ryan VanderMeulen [:RyanVM] 2012-07-21 06:21:40 PDT
https://hg.mozilla.org/mozilla-central/rev/1dbd25c0205e
Comment 7 Christian Holler (:decoder) 2013-01-14 07:46:59 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug775807.js.
