Closed Bug 1233100 Opened 10 years ago Closed 10 years ago

Crash [@ is<js::StaticBlockObject>] or Assertion failure: !done(), at js/src/vm/ScopeObject.cpp:1483 with ES6 Classes

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla46
Tracking Flags:
Tracking Status
firefox46 --- fixed

People

(Reporter: decoder, Assigned: efaust)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

Fix, with debug info improvement
2.95 KB, patch
shu
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision 749f9328dd76 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe): class base {} class derived extends base { constructor() { try { return; } catch (e) { try { return; } catch (e) {} } } } new derived; Backtrace: Program received signal SIGSEGV, Segmentation fault. is<js::StaticBlockObject> (this=0x0) at js/src/vm/ScopeObject.h:1315 #0 is<js::StaticBlockObject> (this=0x0) at js/src/vm/ScopeObject.h:1315 #1 type (this=this@entry=0x7fffffffd370) at js/src/vm/ScopeObject-inl.h:152 #2 js::ScopeIter::type (this=this@entry=0x7fffffffd370) at js/src/vm/ScopeObject.cpp:1485 #3 0x0000000000834194 in PopScope (cx=0x7ffff6907400, si=...) at js/src/vm/Interpreter.cpp:925 #4 0x000000000083626b in js::UnwindScope (cx=0x7ffff6907400, si=..., pc=0x7ffff690382e "\206\001\230\310V") at js/src/vm/Interpreter.cpp:953 #5 0x00000000008362f0 in SettleOnTryNote (cx=cx@entry=0x7ffff6907400, tn=tn@entry=0x7ffff698d460, si=..., regs=...) at js/src/vm/Interpreter.cpp:1011 #6 0x000000000084a8cf in ProcessTryNotes (regs=..., si=..., cx=0x7ffff6907400) at js/src/vm/Interpreter.cpp:1070 #7 HandleError (regs=..., cx=0x7ffff6907400) at js/src/vm/Interpreter.cpp:1162 #8 Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:3908 #9 0x00000000008583ed in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:391 #10 0x000000000085f35d in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., scopeChainArg=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., evalInFrame@entry=..., result=<optimized out>, result@entry=0x0) at js/src/vm/Interpreter.cpp:650 #11 0x000000000085f46c in js::Execute (cx=cx@entry=0x7ffff6907400, script=..., scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:685 #12 0x000000000071134d in ExecuteScript (cx=cx@entry=0x7ffff6907400, scope=..., scope@entry=..., script=..., script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4410 #13 0x0000000000711495 in JS_ExecuteScript (cx=cx@entry=0x7ffff6907400, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4443 #14 0x000000000042714b in RunFile (compileOnly=false, file=0x7ffff32d6000, filename=<optimized out>, cx=0x7ffff6907400) at js/src/shell/js.cpp:515 #15 Process (cx=cx@entry=0x7ffff6907400, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:728 #16 0x0000000000433c96 in ProcessArgs (op=0x7fffffffd9f0, cx=0x7ffff6907400) at js/src/shell/js.cpp:6204 #17 Shell (envp=<optimized out>, op=0x7fffffffd9f0, cx=0x7ffff6907400) at js/src/shell/js.cpp:6516 #18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6877 rax 0x0 0 rbx 0x7fffffffd370 140737488343920 rcx 0x17b19a0 24844704 rdx 0x17b19a0 24844704 rsi 0x7fffffffd370 140737488343920 rdi 0x7fffffffd370 140737488343920 rbp 0x7ffff6907400 140737330050048 rsp 0x7fffffffc998 140737488341400 r8 0x0 0 r9 0x1 1 r10 0x7ffff698d440 140737330598976 r11 0x7ffff698d420 140737330598944 r12 0x7ffff6907418 140737330050072 r13 0xbef7c4 12515268 r14 0x7fffffffd3b0 140737488343984 r15 0x7ffff698d460 140737330599008 rip 0x87a09b <js::ScopeIter::type() const+43> => 0x87a09b <js::ScopeIter::type() const+43>: mov (%rax),%rax 0x87a09e <js::ScopeIter::type() const+46>: mov (%rax),%rdx
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/250cd0bf3ce0 user: Eric Faust date: Fri Oct 09 09:33:57 2015 -0700 summary: Bug 1105463 - Implement default constructors for ES6 class definitions. (r=jorendorff) This iteration took 0.839 seconds to run.
Eric, is bug 1105463 a likely regressor?
Flags: needinfo?(efaustbmo)
Hmmm, yeah, it probably is. Looks like the CHECKRETURN interactions going bad, again.
Shu and I looked into the failure, and this seems the easiest way forward.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8699245 - Flags: review?(shu)
Comment on attachment 8699245 [details] [diff] [review] Fix, with debug info improvement Review of attachment 8699245 [details] [diff] [review]: ----------------------------------------------------------------- Commit the test case, please.
Attachment #8699245 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/afa0ceb72362
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox46: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: