Closed
Bug 980585
Opened 10 years ago
Closed 10 years ago
Assertion failure: u.i.s.script_, at js/src/jsfun.h:317
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla30
People
(Reporter: daniel.nr01, Assigned: shu)
Details
(Keywords: assertion)
Crash Data
Attachments
(3 files)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0 (Beta/Release) Build ID: 20140306030201 Steps to reproduce: * Open the debugger * Load the testcase The console says: "SyntaxError: invalid object initializer" I'm on Windows 7 64bit, Nightly 30.0a1 (2014-03-06)
Status: UNCONFIRMED → NEW
Crash Signature: [@ js::LazyScript::staticLevel(JSContext*) ]
Component: Untriaged → Developer Tools: Debugger
Ever confirmed: true
Keywords: crash
|
||
Comment 1•10 years ago
|
||
We hit an assertion: Assertion failure: u.i.s.script_, at js/src/jsfun.h:317 Top of the stack: 0 JSFunction::nonLazyScript() const + 185 (jsfun.h:317) 1 js::StaticScopeIter<(js::AllowGC)0>::funScript() const + 140 (ScopeObject-inl.h:116) 2 js::LazyScript::staticLevel(JSContext*) const + 97 (jsscript.cpp:3672) 3 js::frontend::CompileLazyFunction(JSContext*, JS::Handle<js::LazyScript*>, char16_t const*, unsigned long) + 658 (BytecodeCompiler.cpp:452) 4 JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) + 1985 (jsfun.cpp:1169) 5 JSFunction::getOrCreateScript(JSContext*) + 305 (jsfun.h:291) 6 CreateLazyScriptsForCompartment(JSContext*) + 788 (jscompartment.cpp:752) 7 JSCompartment::ensureDelazifyScriptsForDebugMode(JSContext*) + 160 (jscompartment.cpp:766) 8 js::Debugger::ScriptQuery::addCompartment(JSCompartment*) + 70 (Debugger.cpp:2553) 9 js::Debugger::ScriptQuery::matchAllDebuggeeGlobals() + 207 (Debugger.cpp:2577) 10 js::Debugger::ScriptQuery::omittedQuery() + 74 (Debugger.cpp:2452) 11 js::Debugger::findScripts(JSContext*, unsigned int, JS::Value*) + 464 (Debugger.cpp:2708) 12 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 165 (jscntxtinlines.h:239) 13 js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) + 1164 (Interpreter.cpp:476) 14 Interpret(JSContext*, js::RunState&) + 53311 (Interpreter.cpp:2614)
|
|
||
Comment 2•10 years ago
|
||
Here is the full crash log.
|
Assignee | |
Comment 3•10 years ago
|
||
Assignee: nobody → shu
Attachment #8389659 -
Flags: review?(bhackett1024)
|
|
Assignee | |
Comment 4•10 years ago
|
||
A distant cousin of bug 958980. The perils of GC-dependent API #2.
|
|
Assignee | |
Updated•10 years ago
|
Status: NEW → ASSIGNED
|
||
Comment 5•10 years ago
|
||
Comment on attachment 8389659 [details] [diff] [review] Don't delazify lazy scripts whose outer functions couldn't be compiled. Review of attachment 8389659 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jscompartment.cpp @@ +746,5 @@ > + if (enclosingFun.isInterpreted() && > + (!enclosingFun.mutableScript() || !enclosingFun.nonLazyScript()->code())) > + { > + continue; > + } Can you wrap this logic up into a method on LazyScript like enclosingScriptHasBeenCompiled()? It would be better if state was cleaned up when script compilation fails but that is a more involved fix, and absent that it would be good if the logic here was encapsulated.
Attachment #8389659 -
Flags: review?(bhackett1024) → review+
|
|
Assignee | |
Comment 6•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/c261d5623b08
|
||
Comment 7•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/c261d5623b08 https://hg.mozilla.org/mozilla-central/rev/0a5ec8ab99a2
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
You need to log in
before you can comment on or make changes to this bug.
Description
•