1216107 - Assertion failure: !target->isClassConstructor(), at js/src/jit/Lowering.cpp:482

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, critical)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision d1a89632277f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --disable-oom-functions --ion-eager --baseline-eager --no-threads):

function test(fun) fun()
test(function() {})
class foo {}
try {
    test(foo)
} catch (TypeError) {}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000006da0be in js::jit::LIRGenerator::visitCall (this=0x7fffffffb750, call=0x7ffff52f4e80) at js/src/jit/Lowering.cpp:482
#0  0x00000000006da0be in js::jit::LIRGenerator::visitCall (this=0x7fffffffb750, call=0x7ffff52f4e80) at js/src/jit/Lowering.cpp:482
#1  0x00000000006fe4c4 in js::jit::LIRGenerator::visitInstruction (this=0x7fffffffb750, ins=0x7ffff52f4e80) at js/src/jit/Lowering.cpp:4328
#2  0x00000000006fe654 in js::jit::LIRGenerator::visitBlock (this=this@entry=0x7fffffffb750, block=block@entry=0x7ffff52f4c00) at js/src/jit/Lowering.cpp:4388
#3  0x00000000006fea6b in js::jit::LIRGenerator::generate (this=this@entry=0x7fffffffb750) at js/src/jit/Lowering.cpp:4458
#4  0x0000000000673212 in js::jit::GenerateLIR (mir=mir@entry=0x7ffff52f21a8) at js/src/jit/Ion.cpp:1880
#5  0x0000000000676af5 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff52f21a8) at js/src/jit/Ion.cpp:1975
#6  0x00000000006888e4 in js::jit::IonCompile (cx=cx@entry=0x7ffff6907400, script=script@entry=0x7ffff7e65230, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2245
#7  0x00000000006890ba in js::jit::Compile (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2414
#8  0x000000000068953b in js::jit::CanEnter (cx=cx@entry=0x7ffff6907400, state=...) at js/src/jit/Ion.cpp:2576
#9  0x00000000009da5e4 in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:3133
#10 0x00000000009e135b in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:725
#11 0x00000000009e3ddc in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:1000
#12 0x00000000009e4249 in js::Execute (cx=cx@entry=0x7ffff6907400, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1035
#13 0x000000000083b6b8 in ExecuteScript (cx=cx@entry=0x7ffff6907400, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4598
#14 0x000000000083b893 in JS_ExecuteScript (cx=cx@entry=0x7ffff6907400, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4631
#15 0x000000000042885f in RunFile (compileOnly=false, file=0x7ffff52e4c00, filename=0x7fffffffe025 "min.js", cx=0x7ffff6907400) at js/src/shell/js.cpp:509
#16 Process (cx=cx@entry=0x7ffff6907400, filename=0x7fffffffe025 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:628
#17 0x0000000000484c4a in ProcessArgs (op=0x7fffffffda90, cx=0x7ffff6907400) at js/src/shell/js.cpp:5994
#18 Shell (envp=<optimized out>, op=0x7fffffffda90, cx=0x7ffff6907400) at js/src/shell/js.cpp:6297
#19 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6654
rax	0x0	0
rbx	0x7ffff7e7b140	140737352544576
rcx	0x7ffff6ca53b0	140737333842864
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffb620	140737488336416
rsp	0x7fffffffb5c0	140737488336320
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffb380	140737488335744
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff52f4e80	140737306906240
r13	0x7fffffffb750	140737488336720
r14	0x7ffff52d8700	140737306789632
r15	0x7ffff52f21a8	140737306894760
rip	0x6da0be <js::jit::LIRGenerator::visitCall(js::jit::MCall*)+1102>
=> 0x6da0be <js::jit::LIRGenerator::visitCall(js::jit::MCall*)+1102>:	movl   $0x1e2,0x0
   0x6da0c9 <js::jit::LIRGenerator::visitCall(js::jit::MCall*)+1113>:	callq  0x4a56f0 <abort()>

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151017004230" and the hash "dd07e888b4f5ab9296c171184840724c90adba35".
The "bad" changeset has the timestamp "20151017005428" and the hash "9b9fcad543f3c41cab2ca42516315ee42c06cb64".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dd07e888b4f5ab9296c171184840724c90adba35&tochange=9b9fcad543f3c41cab2ca42516315ee42c06cb64

Comment 2

[Benjamin Bouvier [:bbouvier]]

needinfo eric based on comment 1

Comment 3

[Eric Faust [:efaust]]

Looks like a bogus assertion from making default class constructors marked ClassConstructor. I'll look into it.

Comment 4

[Eric Faust [:efaust]]

Attachment: Fix

Opps. Missed this assert when I marked default class constructors isClassConstructor()

Comment 5

[Tooru Fujisawa [:arai]]

Comment on attachment 8675836 [details] [diff] [review]
Fix

Review of attachment 8675836 [details] [diff] [review]:
-----------------------------------------------------------------

looks good :)

Comment 6

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/2f0a99d19d09

Comment 7

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/2f0a99d19d09

Comment 8

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/2f0a99d19d09