Closed Bug 1199170 Opened 10 years ago Closed 10 years ago

Assertion failure: isOp(JSOP_LAMBDA) || isOp(JSOP_LAMBDA_ARROW) || isOp(JSOP_DEFFUN) || isOp(JSOP_NOP) || isOp(JSOP_GETLOCAL) || isOp(JSOP_GETARG), at js/src/frontend/ParseNode.h:789

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 1199172
Tracking Status
firefox43 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect][fuzzblocker])

The following testcase crashes on mozilla-central revision f61c3cc0eb8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-eager):

class of extends t { static constructor() {}; constructor() {} }

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00000000004d39d7 in js::frontend::ParseNode::functionIsHoisted (this=<optimized out>) at js/src/frontend/ParseNode.h:784
#1 0x0000000000639258 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0x7ffffd97eda8, pn=pn@entry=0x7fea636903c0, needsProto=needsProto@entry=false) at js/src/frontend/BytecodeEmitter.cpp:5779
#2 0x0000000000634ee8 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffffd97eda8, pn=0x7fea636903c0) at js/src/frontend/BytecodeEmitter.cpp:7570
#3 0x0000000000641598 in js::frontend::BytecodeEmitter::emitPropertyList (this=this@entry=0x7ffffd97eda8, pn=pn@entry=0x7fea63690338, objp=..., objp@entry=..., type=type@entry=js::frontend::ClassBody) at js/src/frontend/BytecodeEmitter.cpp:7096
#4 0x000000000064315c in js::frontend::BytecodeEmitter::emitClass (this=this@entry=0x7ffffd97eda8, pn=pn@entry=0x7fea63690750) at js/src/frontend/BytecodeEmitter.cpp:7522
#5 0x000000000063509f in js::frontend::BytecodeEmitter::emitTree (this=0x7ffffd97eda8, pn=0x7fea63690750) at js/src/frontend/BytecodeEmitter.cpp:8058
#6 0x00000000006359ae in BytecodeCompiler::prepareAndEmitTree (this=this@entry=0x7ffffd97e0f0, ppn=ppn@entry=0x7ffffd97dd00) at js/src/frontend/BytecodeCompiler.cpp:371
#7 0x0000000000635e30 in BytecodeCompiler::compileScript (this=this@entry=0x7ffffd97e0f0, scopeChain=..., scopeChain@entry=..., evalCaller=..., evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:578
#8 0x0000000000636274 in js::frontend::CompileScript (cx=cx@entry=0x7fea63607000, alloc=<optimized out>, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=0x7fea5f784ad8, extraSct=extraSct@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:770
#9 0x00000000005bb094 in js::DirectEvalStringFromIon (cx=0x7fea63607000, scopeobj=..., callerScript=..., thisValue=..., newTargetValue=..., str=..., pc=0x7fea6365708b "{", vp=...) at js/src/builtin/Eval.cpp:422
#10 0x00007fea64cbf8ed in ?? ()
#11 0x00007fea6365708b in ?? ()
#12 0x00007ffffd97f478 in ?? ()
#13 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffffd97d450 140737447973968
rcx 0x7fea639753cd 140644669936589
rdx 0x0 0
rsi 0x7fea63c4a9d0 140644672907728
rdi 0x7fea63c491c0 140644672901568
rbp 0x7ffffd97d3e0 140737447973856
rsp 0x7ffffd97d3e0 140737447973856
r8 0x7fea64ca6780 140644690061184
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fea63c46be0 140644672891872
r11 0x0 0
r12 0x7fea636903f8 140644666901496
r13 0x7fea636903c0 140644666901440
r14 0x0 0
r15 0x7ffffd97eda8 140737447980456
rip 0x4d39d7 <js::frontend::ParseNode::functionIsHoisted() const+135>
=> 0x4d39d7 <js::frontend::ParseNode::functionIsHoisted() const+135>: movl $0x315,0x0
   0x4d39e2 <js::frontend::ParseNode::functionIsHoisted() const+146>: callq 0x49b160 <abort()>

Marking as fuzzblocker, happens all the time.
Needinfo from efaust, because this looks related to ES6 Classes. This is a big blocker, caused about 170 crashes in one night.
Flags: needinfo?(efaustbmo)
This is also fixed by the patch in 1199172. Marking it duplicate.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(efaustbmo)
Resolution: --- → DUPLICATE