Closed Bug 1212605 Opened 10 years ago Closed 10 years ago

Assertion failure: CheckLexicalNameConflict(cx, lexicalScope, varObj, name), at vm/Interpreter-inl.h

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

RESOLVED FIXED
mozilla44
Tracking Status
firefox44 --- fixed

People

(Reporter: gkw, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(2 files)

s = newGlobal();
evalcx("let NaN = 0;", s);

asserts js debug shell on m-c changeset 1e1fa696e2b6 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: CheckLexicalNameConflict(cx, lexicalScope, varObj, name), at vm/Interpreter-inl.h

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 1e1fa696e2b6

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ac0aa2c21379
user: Shu-yu Guo
date: Tue Oct 06 14:00:30 2015 -0700
summary: Bug 589199 - Implement all-or-nothing redeclaration checks for global and eval scripts. (r=efaust)

Shu-yu, is bug 589199 a likely regressor?
Flags: needinfo?(shu)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x9cdc3, 0x00000001006c4f05 js-dbg-64-dm-darwin-1e1fa696e2b6`js::DefLexicalOperation(cx=<unavailable>, lexicalScope=<unavailable>, varObj=<unavailable>, name=<unavailable>, attrs=<unavailable>) + 341 at Interpreter-inl.h:441, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001006c4f05 js-dbg-64-dm-darwin-1e1fa696e2b6`js::DefLexicalOperation(cx=<unavailable>, lexicalScope=<unavailable>, varObj=<unavailable>, name=<unavailable>, attrs=<unavailable>) + 341 at Interpreter-inl.h:441
    frame #1: 0x000000010039d855 js-dbg-64-dm-darwin-1e1fa696e2b6`js::jit::DefGlobalLexical(cx=0x0000000102c45400, dn=js::HandlePropertyName @ r15, attrs=5) + 101 at VMFunctions.cpp:198
    frame #2: 0x0000000101df8aa1
    frame #3: 0x00000001001e3bd7 js-dbg-64-dm-darwin-1e1fa696e2b6`js::jit::IonCannon(JSContext*, js::RunState&) + 361 at Ion.cpp:2669
    frame #4: 0x00000001001e3a6e js-dbg-64-dm-darwin-1e1fa696e2b6`js::jit::IonCannon(cx=0x0000000102c45400, state=0x00007fff5fbfddd8) + 302 at Ion.cpp:2771
(lldb)
This blew up jsfunfuzz. Setting [fuzzblocker].
Whiteboard: [fuzzblocker][jsbugmon:update]
I remember that we hit this assertion during patch testing already. Is this a different issue or did some fixes for fuzzbugs not make it into the patch for the version that landed?
(In reply to Christian Holler (:decoder) from comment #3)
> I remember that we hit this assertion during patch testing already. Is this
> a different issue or did some fixes for fuzzbugs not make it into the patch
> for the version that landed?

This is a different issue with the same signature.
Flags: needinfo?(shu)
Comment on attachment 8671044
Emit global name conflicts check for Ion scripts regardless of scope chain usage.

Review of attachment 8671044:
-----------------------------------------------------------------

OK.
Attachment #8671044 - Flags: review?(efaustbmo) → review+
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1f4cf75c8948).
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:update]