Bug 1147907. Relax our realParent asserts in CloneFunction a bit, pending a proper fix for bug 1143794. r=luke
authorBoris Zbarsky <bzbarsky@mit.edu>
Thu, 26 Mar 2015 23:03:20 -0400
changeset 264923 f0c08ce4f555821c8a3bc6ca9df5e7fff15fb456
parent 264922 a88de895edc832164a33c377ed38b6b1f8d3762e
child 264924 92aeec7102fe44addbd50cef9d3c6b194730f617
push id4718
push userraliiev@mozilla.com
push dateMon, 11 May 2015 18:39:53 +0000
reviewersluke
bugs1147907, 1143794
milestone39.0a1
Bug 1147907. Relax our realParent asserts in CloneFunction a bit, pending a proper fix for bug 1143794. r=luke
js/src/jit-test/tests/auto-regress/bug1147907.js
js/src/jsfun.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/auto-regress/bug1147907.js
@@ -0,0 +1,13 @@
+var evalInFrame = (function (global) {
+  var dbgGlobal = newGlobal();
+  var dbg = new dbgGlobal.Debugger();
+  return function evalInFrame(upCount, code) {
+    dbg.addDebuggee(global);
+    var frame = dbg.getNewestFrame().older;
+    var completion = frame.eval(code);
+  };
+})(this);
+var x = 5;
+let (x = eval("x++")) {
+  evalInFrame(0, ("for (var x = 0; x < 3; ++x) { (function(){})() } "))
+}
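Review bot: Nothing in this new test says what it guards, and it contains no assertion of its own. It can only fail by tripping the `MOZ_ASSERT` that jsfun.cpp compiles under `#ifdef DEBUG`, so on a release build it presumably exercises nothing. A header comment such as `// Bug 1147907: debugger frame.eval inside a let block must not assert when cloning the inner function (debug builds only).` would make that explicit. The `upCount` parameter and the `completion` local are never read; if they are reducer leftovers, a short note saying the test is kept as reduced would stop someone "cleaning" it into a shape that no longer reproduces.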
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -2045,17 +2045,24 @@ js::NewFunctionWithProto(ExclusiveContex
     RootedObject funobj(cx);
     // Don't mark asm.js module functions as singleton since they are
     // cloned (via CloneFunctionObjectIfNotSingleton) which assumes that
     // isSingleton implies isInterpreted.
     if (native && !IsAsmJSModuleNative(native))
         newKind = SingletonObject;
 #ifdef DEBUG
     RootedObject nonScopeParent(cx, SkipScopeParent(enclosingDynamicScope));
-    MOZ_ASSERT(!nonScopeParent || nonScopeParent == cx->global());
+    // We'd like to assert that nonScopeParent is null-or-global, but
+    // js::ExecuteInGlobalAndReturnScope and debugger eval bits mess that up.
+    // Assert that it's one of those or a debug scope proxy or the unqualified
+    // var obj, since it should still be ok to parent to the global in that
+    // case.
+    MOZ_ASSERT(!nonScopeParent || nonScopeParent == cx->global() ||
+               nonScopeParent->is<DebugScopeObject>() ||
+               nonScopeParent->isUnqualifiedVarObj());
 #endif
     funobj = NewObjectWithClassProto(cx, &JSFunction::class_, proto, allocKind,
                                      newKind);
     if (!funobj)
         return nullptr;
 
     RootedFunction fun(cx, &funobj->as<JSFunction>());
 
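Review bot: The relaxed parent predicate added here at `MOZ_ASSERT(!nonScopeParent || ...)` is repeated clause for clause in the js::CloneFunctionObject hunk, and neither copy of the comment names bug 1143794, which the commit title gives as the reason the relaxation is temporary. Because both checks sit under `#ifdef DEBUG`, the comment is the only record of why a DebugScopeObject or unqualified-var-obj parent is acceptable, and two hand-maintained copies make it easy to tighten one site later and miss the other. This site also gains the `isUnqualifiedVarObj()` escape that the old one-line assert lacked, which the title (it mentions only CloneFunction) does not say. I would move the predicate into one DEBUG-only helper that carries the bug reference and call it from both sites, as sketched below; the helper takes `ExclusiveContext *` on the assumption that the `JSContext *` at the other call site converts to it. The enclosing function starts and ends outside the hunk.

```cpp
#ifdef DEBUG
// TODO(bug 1143794): tighten back to null-or-global once scope parenting for
// js::ExecuteInGlobalAndReturnScope and debugger eval is fixed properly.
static bool
IsExpectedFunctionParent(ExclusiveContext *cx, JSObject *parent)
{
    return !parent || parent == cx->global() ||
           parent->is<DebugScopeObject>() ||
           parent->isUnqualifiedVarObj();
}
#endif

// … unchanged: singleton newKind selection …
    RootedObject nonScopeParent(cx, SkipScopeParent(enclosingDynamicScope));
    MOZ_ASSERT(IsExpectedFunctionParent(cx, nonScopeParent));
```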
@@ -2136,20 +2143,22 @@ js::CloneFunctionObject(JSContext *cx, H
     if (!cloneProto && fun->isStarGenerator()) {
         cloneProto = GlobalObject::getOrCreateStarGeneratorFunctionPrototype(cx, cx->global());
         if (!cloneProto)
             return nullptr;
     }
 #ifdef DEBUG
     RootedObject realParent(cx, SkipScopeParent(parent));
     // We'd like to assert that realParent is null-or-global, but
-    // js::ExecuteInGlobalAndReturnScope messes that up.  Assert that it's one
-    // of those or the unqualified var obj, since it should still be ok to
-    // parent to the global in that case.
+    // js::ExecuteInGlobalAndReturnScope and debugger eval bits mess that up.
+    // Assert that it's one of those or a debug scope proxy or the unqualified
+    // var obj, since it should still be ok to parent to the global in that
+    // case.
     MOZ_ASSERT(!realParent || realParent == cx->global() ||
+               realParent->is<DebugScopeObject>() ||
                realParent->isUnqualifiedVarObj());
 #endif
     JSObject *cloneobj = NewObjectWithClassProto(cx, &JSFunction::class_, cloneProto,
                                                  allocKind, newKind);
     if (!cloneobj)
         return nullptr;
     RootedFunction clone(cx, &cloneobj->as<JSFunction>());