Bug 885219
Opened 12 years ago
Closed 11 years ago
Assertion failure: !exprBody, at jsfun.cpp
Categories
(Core :: JavaScript Engine, defect)
Status: RESOLVED FIXED (target milestone mozilla25)
Tracking | Status | |
---|---|---|
firefox24 | --- | affected |
People
(Reporter: gkw, Assigned: jorendorff)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(4 files)
disassemble("-r", Function("()=>e,d"))
asserts js debug shell on m-c changeset 8ea92aeab783 without any CLI arguments at Assertion failure: !exprBody, at jsfun.cpp
Updated • 12 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 • 12 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/bf3ce88c6ea3
user: Jason Orendorff
date: Sun Mar 17 20:42:36 2013 -0700
summary: Bug 846406 - Implement arrow functions. r=bhackett. Changes to Y.js r=brendan.
This iteration took 11.746 seconds to run.
Comment 2 (Reporter) • 12 years ago
jorendorff, is bug 846406 a possible regressor?
Blocks: 846406
Flags: needinfo?(jorendorff)
Comment 4 (Assignee) • 12 years ago
This is a cute bug.
disassemble() is special because it calls FunctionToString on the function ()=>e, nested within the other function. I don't think anything else can get a reference to that nested function to stringify it.
FunctionToString contains some code that determines whether the function being stringified was created with the Function() constructor, and that code was correct pre-arrows. Arrows broke it. The fuzzer found the amazingly specific bug.
Attachment #765474 - Flags: review?(ejpbruel)
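The stringification path comment 4 describes, as an added example that is not part of the bug, the fuzzer's testcase, or the SpiderMonkey patch: it relies only on Function.prototype.toString, which every engine exposes, and substitutes Function("return ()=>e") for the fuzzer's Function("()=>e,d") so that ordinary script can obtain a reference to the nested arrow (in the original the comma operator discards it, which is why only disassemble() reached it). The outer function's source is only the body text handed to Function(), while the nested arrow and a nested function declaration must stringify as just their own text. The function names and the self-check routine are this example's own.

```javascript
// Added example, not code from bug 885219 or from SpiderMonkey.
// Function() creates a function whose source data is only the body text
// passed in; nested functions inside that body are separate functions
// and must stringify to their own source, not to the enclosing body.

// Outer function built by the Function constructor: toString wraps the
// body text in the synthesized "function anonymous(...) { ... }" shell.
function outerSource() {
  return Function("return ()=>e").toString();
}

// The arrow nested in that body. Its toString must be the arrow's own
// text only. (The fuzzer's "()=>e,d" body discards the arrow via the
// comma operator, so "return ()=>e" is used here to reach it.)
function innerArrowSource() {
  const arrow = Function("return ()=>e")();
  return arrow.toString();
}

// A nested function declaration, the case the reviewed source comment
// uses as its example of an inner function inside Function() source.
function innerDeclSource() {
  const x = Function("function x() {} return x")();
  return x.toString();
}

// Self-check: each toString result is checked against the source text
// the function was created from.
function checks() {
  const outer = outerSource();
  const inner = innerArrowSource();
  const decl = innerDeclSource();
  return {
    outerWrapsBody: /^function anonymous\(/.test(outer) && outer.includes("return ()=>e"),
    innerIsArrowOnly: inner === "()=>e",
    declIsDeclOnly: decl === "function x() {}",
  };
}
```

Running checks() in a current engine yields true for all three fields; a failure in innerIsArrowOnly is the observable form of the mistake this bug is about, an engine treating a nested arrow as if it were the Function()-constructed function itself.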
Comment 5 (Assignee) • 12 years ago
Eddy, Jim, is it important to get this into FF24? The new Debugger.Source stuff never calls FunctionToString, does it?
Comment 6 • 12 years ago
No, we only ask for substrings of the ScriptSource object directly; we don't deal with functions much.
Comment 7 • 11 years ago
Comment on attachment 765474 [details] [diff] [review]
v1
Review of attachment 765474 [details] [diff] [review]:
-----------------------------------------------------------------
Stealing
::: js/src/jsfun.cpp
@@ +632,4 @@
> // The source data for functions created by calling the Function
> + // constructor is only the function's body. This depends on the fact,
> + // asserted below, that in Function("function x() {}"), the inner
> + // function's sourceStart points to the '(', not the 'f'.
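Review bot: the comment at +632 gives only a nested function declaration as its example of an inner function inside Function() source, but the case this patch fixes is a nested arrow function (comment 4: the Function()-origin check in FunctionToString was correct before arrows, and the failing assertion is !exprBody, an expression-bodied arrow). Since an arrow need not begin with a parenthesised parameter list at all (x => x is valid), say in the comment how the "sourceStart points to the '('" invariant applies to arrows, so the next reader knows the assertion below covers them rather than only the declaration case.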
Nit: s/f/x/ here, or s/x/f/ above
Attachment #765474 - Flags: review?(ejpbruel) → review+
Comment 8 • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Comment 9 (Reporter) • 11 years ago
This had previously landed on inbound in:
http://hg.mozilla.org/integration/mozilla-inbound/rev/bcc823a6bca8
Comment 10 • 11 years ago
Updated • 11 years ago
status-firefox24: --- → affected
Comment 11 • 11 years ago
Comment 12 (Assignee) • 11 years ago
Christian, this isn't still happening, is it?
We're not going to backport this fix unless it would help you.
Comment 13 • 11 years ago
(In reply to Jason Orendorff [:jorendorff] from comment #12)
> Christian, this isn't still happening, is it?
Just on beta :)
> We're not going to backport this fix unless it would help you.
No, that's fine. I am just marking this as "affected" on beta and attaching a signature, so the fuzzer knows that this bug still affects beta and can be ignored.