1199172 - Assertion failure: pn->functionIsHoisted(), at js/src/frontend/BytecodeEmitter.cpp:5779

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision f61c3cc0eb8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager --ion-eager --ion-extra-checks):

class get {
  static constructor() {};
  constructor() {}
}


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0829394d in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0xff8bf730, pn=pn@entry=0xf71825d8, needsProto=needsProto@entry=false) at js/src/frontend/BytecodeEmitter.cpp:5779
#1  0x0828e7c9 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0xff8bf730, pn=0xf71825d8) at js/src/frontend/BytecodeEmitter.cpp:7570
#2  0x0829bb6c in js::frontend::BytecodeEmitter::emitPropertyList (this=this@entry=0xff8bf730, pn=pn@entry=0xf7182588, objp=..., objp@entry=..., type=type@entry=js::frontend::ClassBody) at js/src/frontend/BytecodeEmitter.cpp:7096
#3  0x0829d791 in js::frontend::BytecodeEmitter::emitClass (this=this@entry=0xff8bf730, pn=pn@entry=0xf7182868) at js/src/frontend/BytecodeEmitter.cpp:7522
#4  0x0828e9dc in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0xff8bf730, pn=pn@entry=0xf7182868) at js/src/frontend/BytecodeEmitter.cpp:8058
#5  0x0829a6f3 in js::frontend::BytecodeEmitter::emitStatementList (this=this@entry=0xff8bf730, pn=pn@entry=0xf71821e0, top=top@entry=0) at js/src/frontend/BytecodeEmitter.cpp:6373
#6  0x0828e67a in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0xff8bf730, pn=pn@entry=0xf71821e0) at js/src/frontend/BytecodeEmitter.cpp:7728
#7  0x0828f153 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0xff8bf730, pn=0xf71821b8) at js/src/frontend/BytecodeEmitter.cpp:7658
#8  0x08291db2 in js::frontend::BytecodeEmitter::emitFunctionScript (this=0xff8bf730, body=0xf71821b8) at js/src/frontend/BytecodeEmitter.cpp:3437
#9  0x08293563 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0xff8bfbe0, pn=pn@entry=0xf7182138, needsProto=needsProto@entry=false) at js/src/frontend/BytecodeEmitter.cpp:5838
#10 0x0828e7c9 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0xff8bfbe0, pn=pn@entry=0xf7182138) at js/src/frontend/BytecodeEmitter.cpp:7570
#11 0x0828eea1 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0xff8bfbe0, pn=0xf71820e8) at js/src/frontend/BytecodeEmitter.cpp:7653
#12 0x08291db2 in js::frontend::BytecodeEmitter::emitFunctionScript (this=0xff8bfbe0, body=0xf71820e8) at js/src/frontend/BytecodeEmitter.cpp:3437
#13 0x08293563 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0xff8c0cac, pn=pn@entry=0xf7182068, needsProto=needsProto@entry=false) at js/src/frontend/BytecodeEmitter.cpp:5838
#14 0x0828e7c9 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0xff8c0cac, pn=pn@entry=0xf7182068) at js/src/frontend/BytecodeEmitter.cpp:7570
#15 0x0829cc8e in js::frontend::BytecodeEmitter::emitCallOrNew (this=0xff8c0cac, pn=0xf4fd00e0) at js/src/frontend/BytecodeEmitter.cpp:6746
#16 0x0828e6be in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0xff8c0cac, pn=pn@entry=0xf4fd00e0) at js/src/frontend/BytecodeEmitter.cpp:7900
#17 0x0829a84b in js::frontend::BytecodeEmitter::emitStatement (this=this@entry=0xff8c0cac, pn=pn@entry=0xf4fd0108) at js/src/frontend/BytecodeEmitter.cpp:6431
#18 0x0828eac9 in js::frontend::BytecodeEmitter::emitTree (this=0xff8c0cac, pn=0xf4fd0108) at js/src/frontend/BytecodeEmitter.cpp:7732
#19 0x0828f3c5 in BytecodeCompiler::prepareAndEmitTree (this=this@entry=0xff8c0308, ppn=ppn@entry=0xff8c00d0) at js/src/frontend/BytecodeCompiler.cpp:371
#20 0x0828f879 in BytecodeCompiler::compileScript (this=this@entry=0xff8c0308, scopeChain=scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:578
#21 0x0828fcf2 in js::frontend::CompileScript (cx=cx@entry=0xf71033d0, alloc=0xf7129190, scopeChain=scopeChain@entry=..., enclosingStaticScope=enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=0xf505f2f0, extraSct=extraSct@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:770
#22 0x08216bb2 in js::DirectEvalStringFromIon (cx=0xf71033d0, scopeobj=..., callerScript=..., thisValue=..., newTargetValue=..., str=..., pc=0xf7143d14 "{", vp=...) at js/src/builtin/Eval.cpp:422
#23 0xf76e8fe6 in ?? ()
eax	0x0	0
ebx	0x97a342c	159003692
ecx	0xf754c88c	-145438580
edx	0x0	0
esi	0x200	512
edi	0xff8bf730	-7604432
ebp	0xff8bf198	4287361432
esp	0xff8bee70	4287360624
eip	0x829394d <js::frontend::BytecodeEmitter::emitFunction(js::frontend::ParseNode*, bool)+2925>
=> 0x829394d <js::frontend::BytecodeEmitter::emitFunction(js::frontend::ParseNode*, bool)+2925>:	movl   $0x1693,0x0
   0x8293957 <js::frontend::BytecodeEmitter::emitFunction(js::frontend::ParseNode*, bool)+2935>:	call   0x80f3500 <abort()>


Yet another fuzzblocker for ES6 Classes.

Comment 1

[Christian Holler (:decoder)]

Needinfo from efaust :)

Comment 2

[Eric Faust [:efaust]]

Attachment: Fix

This is so stupid.

Comment 3

[Shu-yu Guo [:shu]]

Comment on attachment 8653756 [details] [diff] [review]
Fix

Review of attachment 8653756 [details] [diff] [review]:
-----------------------------------------------------------------

lol

Comment 4

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/1af3359b7d57

Comment 6

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/1af3359b7d57