Closed Bug 1111293 Opened 5 years ago Closed 5 years ago

Assertion failure: !IsUninitializedLexical(val), at js/src/vm/Interpreter.cpp:2851 or Crash [@ js::ToBooleanSlow]


(Core :: JavaScript Engine, defect, critical)

Not set



Tracking Status
firefox35 --- wontfix
firefox36 --- fixed
firefox37 --- fixed


(Reporter: decoder, Assigned: shu)


(Blocks 1 open bug)


(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data


(1 file)

The following testcase crashes on mozilla-central revision f14dcd1c8c0b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --no-threads):

function printStatus(msg) {}
function blah() {
    printStatus(test() && true || testcase || this);
    const haveTracemonkey = !!(this.tracemonkey)
    function jitstatHandler(f) {
        if (!haveTracemonkey)
    function test(f)
    jitstatHandler(function(prop, local, global) {});


Program received signal SIGSEGV, Segmentation fault.
js::ToBooleanSlow (v=...) at js/src/jsbool.cpp:181
181	    return !EmulatesUndefined(&v.toObject());
#0  js::ToBooleanSlow (v=...) at js/src/jsbool.cpp:181
#1  0x000000000089a614 in ToBoolean (v=...) at js/src/jsapi.h:1153
#2  Interpret (cx=0x16eb960, state=...) at js/src/vm/Interpreter.cpp:2218
#3  0x000000000089c93b in js::RunScript (cx=0x16eb960, state=...) at js/src/vm/Interpreter.cpp:432
#4  0x000000000089cbc2 in js::ExecuteKernel (cx=0x16eb960, script=0x7ffff7e60160, scopeChainArg=(JSObject &) @0x7ffff7e5c060 [object global] delegate, thisv=..., type=<optimized out>, evalInFrame=..., result=0x0) at js/src/vm/Interpreter.cpp:641
#5  0x000000000089cd3f in js::Execute (cx=0x16eb960, script=0x7ffff7e60160, scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:678
#6  0x00000000007749d9 in ExecuteScript (cx=<optimized out>, obj=..., scriptArg=..., rval=<optimized out>) at js/src/jsapi.cpp:4722
#7  0x0000000000412e07 in RunFile (compileOnly=false, file=0x17c2210, filename=0x7fffffffef6b "min.js", obj=..., cx=0x16eb960) at js/src/shell/js.cpp:450
#8  Process (cx=0x16eb960, obj_=<optimized out>, filename=0x7fffffffef6b "min.js", forceTTY=<optimized out>) at js/src/shell/js.cpp:583
#9  0x0000000000415fc7 in ProcessArgs (op=0x7fffffffe9a0, obj_=<optimized out>, cx=0x16eb960) at js/src/shell/js.cpp:5399
#10 Shell (op=0x7fffffffe9a0, cx=0x16eb960, envp=<optimized out>) at js/src/shell/js.cpp:5638
#11 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:5977
rax	0xfffa000000000010	-1688849860263920
rbx	0x16eb960	24033632
rcx	0xfffa000000000010	-1688849860263920
rdx	0x1fff4	131060
rsi	0x1fff4	131060
rdi	0x10	16
rbp	0x7fffffffde90	140737488346768
rsp	0x7fffffffddc0	140737488346560
r8	0x0	0
r9	0x17b69b8	24865208
r10	0x17b68c0	24864960
r11	0x17cc704	24954628
r12	0x16573c0	23425984
r13	0x16eb978	24033656
r14	0x16eb9c8	24033736
r15	0x7fffffffe620	140737488348704
rip	0x75cde3 <js::ToBooleanSlow(JS::Handle<JS::Value>)+35>
=> 0x75cde3 <js::ToBooleanSlow(JS::Handle<JS::Value>)+35>:	mov    0x8(%rdi),%rax
   0x75cde7 <js::ToBooleanSlow(JS::Handle<JS::Value>)+39>:	mov    (%rax),%rax
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Eric Faust
date:        Thu Oct 30 17:27:03 2014 -0700
summary:     Bug 611388 - |const| should be block scoped and require an initializer. (r=shu)

This iteration took 320.143 seconds to run.
This probably dates back to let-TDZ, because the identical case with s/const/let/ crashes similarly.
Blocks: 1001090
Comment on attachment 8540958 [details] [diff] [review]
Body level function statement hoisted use analysis to elide TDZ checks is wrong. Pessimize all body level function statements.

Review of attachment 8540958 [details] [diff] [review]:

Yum.  Commence backports!

::: js/src/frontend/Parser.cpp
@@ +1452,5 @@
> +                    // graph analysis of all body-level functions to compute
> +                    // the transitive closure of which hoisted body level use
> +                    // of which function forces TDZ checks on which uses. This
> +                    // is unreasonably difficult to do in a single pass parser
> +                    // like ours.

"in our single-pass parser" is a little more concise.
Attachment #8540958 - Flags: review?(jwalden+bmo) → review+
Comment on attachment 8540958 [details] [diff] [review]
Body level function statement hoisted use analysis to elide TDZ checks is wrong. Pessimize all body level function statements.

Approval Request Comment
[Feature/regressing bug #]: 1001090
[User impact if declined]: Non-ES6 compliance when using body-level functions statements with let declarations.
[Describe test coverage new/current, TBPL]: pushed to m-c
[Risks and why]: Low, let declarations aren't turned on unversioned for content, so for all intents and purposes only affects addons and chrome code.
[String/UUID change made/needed]: None
Attachment #8540958 - Flags: approval-mozilla-beta?
Attachment #8540958 - Flags: approval-mozilla-aurora?
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Comment on attachment 8540958 [details] [diff] [review]
Body level function statement hoisted use analysis to elide TDZ checks is wrong. Pessimize all body level function statements.

Too late for 35 as we already built the rc.
Attachment #8540958 - Flags: approval-mozilla-beta?
Attachment #8540958 - Flags: approval-mozilla-beta-
Attachment #8540958 - Flags: approval-mozilla-aurora?
Attachment #8540958 - Flags: approval-mozilla-aurora+
Depends on: 1183423
You need to log in before you can comment on or make changes to this bug.