Closed Bug 937089 Opened 6 years ago Closed 6 years ago

Assertion failure: !val.isMagic(), at jsobj.cpp:5358

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86 Linux
Status: VERIFIED FIXED
Target Milestone: mozilla29
Tracking Status: firefox27 --- wontfix; firefox28 --- wontfix; firefox29 --- verified
People: Reporter: decoder, Assigned: bhackett
References: Blocks 1 open bug
Keywords: assertion, testcase
Attachments: 2 files, 1 obsolete file

The following testcase asserts on mozilla-central revision bc8c1eb0f2ba (run with --fuzzing-safe):

function test() {
  eval("with (arguments) var arguments = 0;");
} test();

Direct eval correctly marks the enclosing function 'test' as requiring an arguments object.

The 'arguments; setaliased; pop' bytecode sequence is emitted in the prolog as expected.

However, at runtime, when we execute that bytecode, we nonetheless store MagicValue(JS_OPTIMIZED_ARGUMENTS) in the Call object, I think because of this in ScriptAnalysis::needsArgsObj():

    /*
     ...
     * New accesses on 'arguments' can occur through 'eval' or the debugger
     * statement. In the former case, we will dynamically detect the use and
     * mark the arguments optimization as having failed.
     */
    if (script_->bindingsAccessedDynamically)
        return false;

The comment there seems all right. But then we get into the eval code and the magic value is still there.  The direct eval code is sensible:

  00000:  defvar "arguments"
  main:
  00005:  name "arguments"
  00010:  enterwith
  ...

During JSOP_NAME, with the stack
  Interpret -> NameOperation -> FetchNameNoGC
we fetch MagicValue(JS_OPTIMIZED_ARGUMENTS) out of slot 2 of the Call object.

During JSOP_ENTERWITH, we assert. Somewhere we should have been able to "dynamically detect the use", but we didn't.
I think the deoptimization is supposed to happen when compiling the eval, when 'arguments' is encountered.  IIRC, this was part of the optimization in bug 842522.
Yeah, bug 842522 introduced it. Brian, can you take this?
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review
We try to check for 'arguments' within an eval script by looking at its free variables.  Unfortunately, free variables aren't computed correctly for |with| statements and we need to do a stupid workaround.  That workaround didn't work when the |with| was within the eval itself (only when the with was within the function itself, where we hit the same issues).
Assignee: general → bhackett1024
Attachment #8348332 - Flags: review?(luke)
Flags: needinfo?(bhackett1024)
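As an added example (not code from this bug, its patch, or SpiderMonkey), the following shows the observable semantics an engine has to preserve in the three situations discussed above: 'arguments' reached only through a direct eval, a |with| in the function body around the eval, and the bug's own case where the |with| is inside the eval text. On the affected debug build the third case trips the assertion; on an engine that correctly deoptimizes the arguments object (a current SpiderMonkey or V8/Node is assumed here) all three return the values noted in the comments. The function names are my own; the functions are built with `new Function` so they are sloppy-mode (and |with| parses) even when the file runs as a strict module.

```javascript
// Added example, not from the bug or from SpiderMonkey. Each function is
// created with `new Function` so its body is sloppy-mode regardless of how
// this file is loaded; `with` is a syntax error in strict code.

// Case A: the function body has no static use of 'arguments'; only the eval
// text mentions it, so the engine must detect the use while compiling the eval
// and materialize a real arguments object instead of an optimized placeholder.
const evalReadsArguments = new Function(
  'return eval("arguments.length");'
);

// Case B: the `with` is in the function body and the eval sits inside it.
// The with object has no "arguments" property, so name resolution falls
// through to the function's own 'arguments' binding.
const withInFunction = new Function(
  'var scope = {};' +
  'with (scope) { return eval("arguments.length"); }'
);

// Case C: the bug's testcase, with the `with` inside the eval text. The
// arguments object has no own property named "arguments", so `arguments = 0`
// resolves past the with object to the function's binding and overwrites it;
// after the eval the function sees the number 0, not an arguments object.
const withInEval = new Function(
  'eval("with (arguments) var arguments = 0;");' +
  'return arguments;'
);

// Run the three cases and return what each observed, so a caller (or a
// regression test) can check the values rather than read console output.
function runCases() {
  return {
    evalReadsArguments: evalReadsArguments(1, 2, 3), // 3
    withInFunction: withInFunction(1, 2),            // 2
    withInEval: withInEval(1),                       // 0
  };
}

console.log(runCases());
```

Case C is the one the patch's free-variable workaround has to catch: the eval text contains 'arguments' only inside a |with| body, so if the free-variable computation misses it the function's Call object keeps the magic value and any later read of that slot asserts, as the stack in the analysis above shows.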
Attachment #8348332 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/6a8bcdd35d1e
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Duplicate of this bug: 896419
Attachment #830136 - Attachment is obsolete: true
Duplicate of this bug: 956308
Keywords: verifyme
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Keywords: verifyme