844364 - IonMonkey: "Assertion failure: !frame.isEvalFrame(),"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

function f() {
    eval("this")
}
f()
f()

asserts js debug shell on m-c changeset 08a034e1d43a without any CLI arguments at Assertion failure: !frame.isEvalFrame(),

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   122546:0ded3af9b2d7
user:        Brian Hackett
date:        Thu Feb 21 06:56:54 2013 -0700
summary:     Bug 743394 - Ion compile JSOP_EVAL, r=jandem.

Brian, is bug 743394 a likely regressor?

Comment 2

[Brian Hackett [Laid off!]]

Attachment: patch

Fix for this and bug 844459, which is related.  This is a bogus assert, bug 844459 is due to an inverted test that could cause an eval to see a primitive this values.

Comment 3

[Jan de Mooij [:jandem]]

Comment on attachment 717542 [details] [diff] [review]
patch

Review of attachment 717542 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/IonBuilder.cpp
@@ +4484,5 @@
>          if (!info().fun())
>              return abort("Direct eval in global code");
>  
>          types::StackTypeSet *thisTypes = oracle->thisTypeSet(script());
> +        if (thisTypes) {

Nit: either JS_ASSERT(thisTypes); and remove the |if|, or add an "else" with "return abort(..);"

Comment 4

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/0f9bcf85f0b7

Comment 5

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/0f9bcf85f0b7