Closed Bug 1186952 Opened 4 years ago Closed 4 years ago

Assertion failure: this->stackDepth == loopDepth, at js/src/frontend/BytecodeEmitter.cpp:5400

Categories

(Core :: JavaScript Engine, defect, critical)

Platform: x86, Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 1185959
Tracking Status
firefox42 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])

The following testcase crashes on mozilla-central revision 2ddec2dedced (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

for (var c of constructors) {
  Object.getOwnPropertyDescriptor(loc,
    class { 
      static constructor() {};
      constructor() { }
    }
  );
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x08285732 in js::frontend::BytecodeEmitter::emitForOf (this=this@entry=0xffffbed0, type=type@entry=js::frontend::STMT_FOR_OF_LOOP, pn=pn@entry=0xf7a86420, top=19, top@entry=0) at js/src/frontend/BytecodeEmitter.cpp:5400
#0  0x08285732 in js::frontend::BytecodeEmitter::emitForOf (this=this@entry=0xffffbed0, type=type@entry=js::frontend::STMT_FOR_OF_LOOP, pn=pn@entry=0xf7a86420, top=19, top@entry=0) at js/src/frontend/BytecodeEmitter.cpp:5400
#1  0x08287ed0 in js::frontend::BytecodeEmitter::emitFor (this=this@entry=0xffffbed0, pn=pn@entry=0xf7a86420, top=top@entry=0) at js/src/frontend/BytecodeEmitter.cpp:5711
#2  0x0827caa9 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0xffffbed0, pn=0xf7a86420) at js/src/frontend/BytecodeEmitter.cpp:7646
#3  0x0827db3e in js::frontend::CompileScript (cx=cx@entry=0xf7a20200, alloc=0xf7a29130, scopeChain=scopeChain@entry=..., enclosingStaticScope=enclosingStaticScope@entry=..., evalCaller=..., options=..., srcBuf=..., source_=source_@entry=0x0, staticLevel=staticLevel@entry=0, extraSct=extraSct@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:409
#4  0x087368cf in Compile (cx=cx@entry=0xf7a20200, options=..., scopeOption=HasSyntacticScope, srcBuf=..., script=...) at js/src/jsapi.cpp:3931
#5  0x08736a99 in Compile (script=..., length=<optimized out>, chars=0xf5850960 u"for (var c of constructors) {\n  Object.getOwnPropertyDescriptor(loc,\n    class { \n      static constructor() {};\n      constructor() { }\n    }\n  );\n}\n", scopeOption=<optimized out>, options=..., cx=0xf7a20200) at js/src/jsapi.cpp:3940
#6  Compile (cx=cx@entry=0xf7a20200, options=..., scopeOption=scopeOption@entry=HasSyntacticScope, bytes=0xf7a20f00 "for (var c of constructors) {\n  Object.getOwnPropertyDescriptor(loc,\n    class { \n      static constructor() {};\n      constructor() { }\n    }\n  );\n}\n", '\245' <repeats 50 times>..., length=150, script=script@entry=...) at js/src/jsapi.cpp:3955
#7  0x087688ea in Compile (script=..., fp=0xf7ae49e0, fp@entry=0xffffc960, scopeOption=HasSyntacticScope, options=..., cx=0xf7a20200) at js/src/jsapi.cpp:3966
#8  JS::Compile (cx=cx@entry=0xf7a20200, options=..., file=file@entry=0xf7ae49e0, script=script@entry=...) at js/src/jsapi.cpp:4006
#9  0x0806b1a3 in RunFile (compileOnly=false, file=0xf7ae49e0, filename=0xffffd0d8 "min.js", cx=0xf7a20200) at js/src/shell/js.cpp:449
#10 Process (cx=cx@entry=0xf7a20200, filename=0xffffd0d8 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:576
#11 0x080ce2a7 in ProcessArgs (op=0xffffcda0, cx=<optimized out>) at js/src/shell/js.cpp:5771
#12 Shell (envp=<optimized out>, op=0xffffcda0, cx=<optimized out>) at js/src/shell/js.cpp:6040
#13 main (argc=4, argv=0xffffcef4, envp=0xffffcf08) at js/src/shell/js.cpp:6384
eax	0x0	0
ebx	0x975ef0c	158723852
ecx	0xf7e3b88c	-136071028
edx	0x0	0
esi	0x2	2
edi	0xf7a860d8	-139960104
ebp	0xffffb928	4294949160
esp	0xffffb800	4294948864
eip	0x8285732 <js::frontend::BytecodeEmitter::emitForOf(js::frontend::StmtType, js::frontend::ParseNode*, int)+2210>
=> 0x8285732 <js::frontend::BytecodeEmitter::emitForOf(js::frontend::StmtType, js::frontend::ParseNode*, int)+2210>:	movl   $0x1518,0x0
   0x828573c <js::frontend::BytecodeEmitter::emitForOf(js::frontend::StmtType, js::frontend::ParseNode*, int)+2220>:	call   0x80ef620 <abort()>
Needinfo from Eric because it's related to Classes.
Flags: needinfo?(efaustbmo)
This is a dupe of 1185959. It's been handled there.
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(efaustbmo)
Resolution: --- → DUPLICATE
Duplicate of bug: 1185959