Assertion failure: pn_u.list.tail == tail, at frontend/ParseNode.cpp

RESOLVED FIXED in mozilla38

Status

()

--
critical
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: gkw, Assigned: luke)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla38
x86_64
Mac OS X
assertion, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox38 affected)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

(function() {
    "use asm"
    function f() {
        return {
            * g() {}
        }
    }
    function f
})()

asserts js debug shell on m-c changeset 08e41ea36f6d with --fuzzing-safe --no-threads --ion-eager at Assertion failure: pn_u.list.tail == tail, at frontend/ParseNode.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b56d94c7261a
user:        Jan de Mooij
date:        Fri Oct 17 10:19:40 2014 +0200
summary:     Bug 987560 - Greatly refactor generator implementation. Patch mostly written by Andy Wingo. r=wingo

Jan, is bug 987560 a likely regressor?
Flags: needinfo?(jdemooij)
Created attachment 8555810 [details]
stack

(lldb) bt 5
* thread #1: tid = 0x1a45, 0x000000010018ad04 js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`js::frontend::ParseNode::checkListConsistency(this=<unavailable>) + 228 at ParseNode.cpp:33, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010018ad04 js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`js::frontend::ParseNode::checkListConsistency(this=<unavailable>) + 228 at ParseNode.cpp:33
    frame #1: 0x000000010018b023 js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`PushNodeChildren(pn=0x0000000103019bd0, stack=0x00007fff5fbfc2f0)::NodeStack*) + 211 at ParseNode.cpp:155
    frame #2: 0x000000010018af23 js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`js::frontend::ParseNodeAllocator::prepareNodeForMutation(this=0x00007fff5fbfe3c0, pn=<unavailable>) + 83 at ParseNode.cpp:199
    frame #3: 0x000000010003b2c0 js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`js::frontend::Parser<js::frontend::FullParseHandler>::makeDefIntoUse(js::frontend::Definition*, js::frontend::ParseNode*, JSAtom*) [inlined] js::frontend::FullParseHandler::prepareNodeForMutation(js::frontend::ParseNode*) + 192 at FullParseHandler.h:86
    frame #4: 0x000000010003b2ae js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`js::frontend::Parser<js::frontend::FullParseHandler>::makeDefIntoUse(this=<unavailable>, dn=0x0000000103019968, pn=0x0000000103019dd8, atom=<unavailable>) + 174 at Parser.cpp:1149
(lldb)
(Assignee)

Comment 2

4 years ago
The following non-asm.js testcase also reproduces the assert:

(function() {
    with ({}) {}
    function f() { return { * g() {} } }
    function f
})()

The key is for syntax parsing to be disabled (by "use asm" or with).
(Assignee)

Comment 3

4 years ago
Created attachment 8555927 [details] [diff] [review]
fix-generator

Simple enough bug; open-coded list prepend forgot to update tail.
Attachment #8555927 - Flags: review?(jdemooij)
(Assignee)

Updated

4 years ago
Flags: needinfo?(jdemooij)
Comment on attachment 8555927 [details] [diff] [review]
fix-generator

Review of attachment 8555927 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks! Much nicer.
Attachment #8555927 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/a57d35642485
Assignee: nobody → luke
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
You need to log in before you can comment on or make changes to this bug.