Bug 1214050 - Assertion failure: pc->sc->isGlobalContext() == pn->pn_u.name.scopeCoord.isFree(), at js/src/frontend/Parser.cpp:2211
Status: Closed, RESOLVED FIXED (opened 7 years ago, closed 7 years ago)
Categories: Core :: JavaScript Engine, defect
Tracking: target milestone mozilla44; firefox44: fixed
People: Reporter: decoder, Unassigned
Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 1.62 KB, efaust: review+
The following testcase crashes on mozilla-central revision b235cfd4d8ca (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

eval(`
with ({}) {
  with (dept) {
    var f = function() {};
  }
}
function f() {
`);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004d3104 in js::frontend::Parser<js::frontend::FullParseHandler>::checkFunctionDefinition (this=this@entry=0x7fffffffbac0, funName=..., pn_=pn_@entry=0x7fffffffabf0, kind=kind@entry=js::frontend::Statement, pbodyProcessed=pbodyProcessed@entry=0x7fffffffabd0) at js/src/frontend/Parser.cpp:2211
#0 0x00000000004d3104 in js::frontend::Parser<js::frontend::FullParseHandler>::checkFunctionDefinition (this=this@entry=0x7fffffffbac0, funName=..., pn_=pn_@entry=0x7fffffffabf0, kind=kind@entry=js::frontend::Statement, pbodyProcessed=pbodyProcessed@entry=0x7fffffffabd0) at js/src/frontend/Parser.cpp:2211
#1 0x0000000000501962 in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=this@entry=0x7fffffffbac0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funName=funName@entry=..., kind=kind@entry=js::frontend::Statement, generatorKind=generatorKind@entry=js::NotGenerator, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:2488
#2 0x0000000000501df9 in js::frontend::Parser<js::frontend::FullParseHandler>::functionStmt (this=this@entry=0x7fffffffbac0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, defaultHandling=defaultHandling@entry=js::frontend::NameRequired) at js/src/frontend/Parser.cpp:2969
#3 0x000000000050095d in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=this@entry=0x7fffffffbac0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:6865
#4 0x0000000000500df9 in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0x7fffffffbac0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3193
#5 0x00000000004d739b in js::frontend::Parser<js::frontend::FullParseHandler>::evalBody (this=0x7fffffffbac0) at js/src/frontend/Parser.cpp:976
#6 0x0000000000a05427 in BytecodeCompiler::compileScript (this=this@entry=0x7fffffffb450, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:604
#7 0x0000000000a058c3 in js::frontend::CompileScript (cx=cx@entry=0x7ffff6907400, alloc=<optimized out>, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=0x7ffff7e783e8, extraSct=extraSct@entry=0x0, sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:849
#8 0x00000000005b875a in EvalKernel (cx=cx@entry=0x7ffff6907400, args=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=scopeobj@entry=..., pc=<optimized out>) at js/src/builtin/Eval.cpp:342
#9 0x00000000005b8f63 in js::DirectEval (cx=cx@entry=0x7ffff6907400, args=...) at js/src/builtin/Eval.cpp:479
#10 0x00000000009d2e3d in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:3020
#11 0x00000000009dff2b in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:714
#12 0x00000000009e277c in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:989
#13 0x00000000009e2be9 in js::Execute (cx=cx@entry=0x7ffff6907400, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1024
#14 0x000000000083b168 in ExecuteScript (cx=cx@entry=0x7ffff6907400, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4505
#15 0x000000000083b343 in JS_ExecuteScript (cx=cx@entry=0x7ffff6907400, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4538
#16 0x0000000000428861 in RunFile (compileOnly=false, file=0x7ffff6991800, filename=0x7fffffffe04b "min.js", cx=0x7ffff6907400) at js/src/shell/js.cpp:509
#17 Process (cx=cx@entry=0x7ffff6907400, filename=0x7fffffffe04b "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:628
#18 0x000000000048482a in ProcessArgs (op=0x7fffffffdaf0, cx=0x7ffff6907400) at js/src/shell/js.cpp:6011
#19 Shell (envp=<optimized out>, op=0x7fffffffdaf0, cx=0x7ffff6907400) at js/src/shell/js.cpp:6314
#20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6677

Registers:

rax 0x0 0
rbx 0x7fffffffbac0 140737488337600
rcx 0x7ffff6ca53b0 140737333842864
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffab70 140737488333680
rsp 0x7fffffffaab0 140737488333488
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffa870 140737488332912
r11 0x7ffff6c27960 140737333328224
r12 0x7fffffffabf0 140737488333808
r13 0x7ffff6985280 140737330565760
r14 0x7fffffffabd0 140737488333776
r15 0x1 1
rip 0x4d3104 <js::frontend::Parser<js::frontend::FullParseHandler>::checkFunctionDefinition(JS::Handle<js::PropertyName*>, js::frontend::ParseNode**, js::frontend::FunctionSyntaxKind, bool*)+2148>

Disassembly at the crash site:

=> 0x4d3104 <js::frontend::Parser<js::frontend::FullParseHandler>::checkFunctionDefinition(JS::Handle<js::PropertyName*>, js::frontend::ParseNode**, js::frontend::FunctionSyntaxKind, bool*)+2148>: movl $0x8a3,0x0
0x4d310f <js::frontend::Parser<js::frontend::FullParseHandler>::checkFunctionDefinition(JS::Handle<js::PropertyName*>, js::frontend::ParseNode**, js::frontend::FunctionSyntaxKind, bool*)+2159>: callq 0x4a51d0 <abort()>
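The test case pairs a `var f` whose initialiser sits inside nested `with` blocks with a hoisted `function f() {}` at the top level of an eval script; the backtrace shows the parser asserting in checkFunctionDefinition while processing that hoisted declaration, and the patch and its review speak of "deoptimized" bindings. The following is an added example, not from the bug report or from SpiderMonkey, that shows the runtime behaviour which forces the parser to treat such a binding as dynamically resolved: whether `var f = ...` inside `with (obj)` writes the hoisted binding or `obj.f` depends on a property that exists only at run time. It assumes Node.js or any ES2015 engine; `runCase`, `shadow`, `bothOutcomes` and the string values are names made up for the example, and the code is placed in a `new Function` body rather than an eval script so that it stays runnable from a strict-mode module, where `with` is a syntax error.

```javascript
// Added example (not from the bug report or SpiderMonkey): why a `var`
// written inside `with` cannot be resolved to a fixed slot at parse time.
//
// The bug's test case nests `var f = function(){}` inside two `with` blocks
// and hoists `function f(){}` over it at the top of an eval script. Here the
// same shape sits in a function body built with `new Function`, whose body
// is sloppy-mode (so `with` is legal) even if this file is a strict module.

// `shadow` (hypothetical parameter) decides whether the with-object owns an
// `f` property. That single runtime fact decides which `f` the
// `var f = ...` initialiser writes, which the parser cannot know statically.
const body = `
  var log = [];
  log.push(typeof f);                    // "function": the declaration below is hoisted

  var obj = shadow ? { f: 'own-property' } : {};
  with ({}) {
    with (obj) {
      var f = function () { return 'from-var'; };   // which f does this write?
    }
  }

  log.push(f());                         // the function-scope binding
  log.push(typeof obj.f === 'function' ? obj.f() : String(obj.f));

  function f() { return 'from-declaration'; }
  return log;
`;

const runCase = new Function('shadow', body);

// Without a shadowing property the write reaches the hoisted binding and
// replaces the declaration; with one it is captured by obj.f instead.
function bothOutcomes() {
  return {
    unshadowed: runCase(false),   // ['function', 'from-var', 'undefined']
    shadowed:   runCase(true),    // ['function', 'from-declaration', 'from-var']
  };
}

console.log(bothOutcomes());
```

The two runs differ only in whether `obj` carries an `f` property, yet one overwrites the hoisted function and the other leaves it intact; a parser that gave `f` a fixed slot would have to guess, which is why the binding is marked deoptimized and why a global or eval script, which has no slots at all, needs the separate handling the patch adds.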
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•7 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20151006132131" and the hash "d6059530b0317e6f6b141582b611469505256be4".
The "bad" changeset has the timestamp "20151006135536" and the hash "cfc1820361f599c55128b29de4332f8d06511e07".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=d6059530b0317e6f6b141582b611469505256be4&tochange=cfc1820361f599c55128b29de4332f8d06511e07
Comment 2•7 years ago
Attachment #8672876 - Flags: review?(efaustbmo)
Comment 3•7 years ago
Comment on attachment 8672876 [details] [diff] [review]
Don't give overwritten non-deoptimized function bindings slots in global scripts.

Review of attachment 8672876 [details] [diff] [review]:
-----------------------------------------------------------------

r=me. Another nice find for the fuzzers.

::: js/src/frontend/Parser.cpp
@@ +360,5 @@
> for (uint32_t i = 0; i < vars_.length(); i++) {
> if (vars_[i] == oldDecl) {
> // Terribly, deoptimized bindings may be updated with
> // optimized bindings due to hoisted function statements, so
> // give the new declaration a slot.

If you get fresh, you can extend this comment to mention why we exclude bindings in the global context (they can't have a slot anyway) in the comment here.
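Review bot: the quoted comment in the @@ +360,5 @@ hunk still describes the fallback unconditionally ("so give the new declaration a slot"), while the patch title restricts it to non-global scripts; since the assertion that fires in checkFunctionDefinition is pc->sc->isGlobalContext() == pn->pn_u.name.scopeCoord.isFree(), the comment should state that bindings in the global context are skipped because they can never have a slot, so the next reader does not reintroduce the path this bug exercised. The eval/with testcase from the report should also land alongside the fix as a regression test, since the backtrace shows the assertion is reached through Parser::evalBody rather than a function body.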
Attachment #8672876 - Flags: review?(efaustbmo) → review+
https://hg.mozilla.org/mozilla-central/rev/5d02202eb884
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44