Closed Bug 1233100 Opened 9 years ago Closed 9 years ago

Crash [@ is<js::StaticBlockObject>] or Assertion failure: !done(), at js/src/vm/ScopeObject.cpp:1483 with ES6 Classes

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla46
Tracking Status
firefox46 --- fixed

People

(Reporter: decoder, Assigned: efaust)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 749f9328dd76 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe):

class base {}
class derived extends base {
  constructor() {
    try {
      return;
    } catch (e) {
      try {
        return;
      } catch (e) {}
    }
  }
}
new derived;
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
is<js::StaticBlockObject> (this=0x0) at js/src/vm/ScopeObject.h:1315
#0  is<js::StaticBlockObject> (this=0x0) at js/src/vm/ScopeObject.h:1315
#1  type (this=this@entry=0x7fffffffd370) at js/src/vm/ScopeObject-inl.h:152
#2  js::ScopeIter::type (this=this@entry=0x7fffffffd370) at js/src/vm/ScopeObject.cpp:1485
#3  0x0000000000834194 in PopScope (cx=0x7ffff6907400, si=...) at js/src/vm/Interpreter.cpp:925
#4  0x000000000083626b in js::UnwindScope (cx=0x7ffff6907400, si=..., pc=0x7ffff690382e "\206\001\230\310V") at js/src/vm/Interpreter.cpp:953
#5  0x00000000008362f0 in SettleOnTryNote (cx=cx@entry=0x7ffff6907400, tn=tn@entry=0x7ffff698d460, si=..., regs=...) at js/src/vm/Interpreter.cpp:1011
#6  0x000000000084a8cf in ProcessTryNotes (regs=..., si=..., cx=0x7ffff6907400) at js/src/vm/Interpreter.cpp:1070
#7  HandleError (regs=..., cx=0x7ffff6907400) at js/src/vm/Interpreter.cpp:1162
#8  Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:3908
#9  0x00000000008583ed in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:391
#10 0x000000000085f35d in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., scopeChainArg=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., evalInFrame@entry=..., result=<optimized out>, result@entry=0x0) at js/src/vm/Interpreter.cpp:650
#11 0x000000000085f46c in js::Execute (cx=cx@entry=0x7ffff6907400, script=..., scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:685
#12 0x000000000071134d in ExecuteScript (cx=cx@entry=0x7ffff6907400, scope=..., scope@entry=..., script=..., script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4410
#13 0x0000000000711495 in JS_ExecuteScript (cx=cx@entry=0x7ffff6907400, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4443
#14 0x000000000042714b in RunFile (compileOnly=false, file=0x7ffff32d6000, filename=<optimized out>, cx=0x7ffff6907400) at js/src/shell/js.cpp:515
#15 Process (cx=cx@entry=0x7ffff6907400, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:728
#16 0x0000000000433c96 in ProcessArgs (op=0x7fffffffd9f0, cx=0x7ffff6907400) at js/src/shell/js.cpp:6204
#17 Shell (envp=<optimized out>, op=0x7fffffffd9f0, cx=0x7ffff6907400) at js/src/shell/js.cpp:6516
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6877
rax	0x0	0
rbx	0x7fffffffd370	140737488343920
rcx	0x17b19a0	24844704
rdx	0x17b19a0	24844704
rsi	0x7fffffffd370	140737488343920
rdi	0x7fffffffd370	140737488343920
rbp	0x7ffff6907400	140737330050048
rsp	0x7fffffffc998	140737488341400
r8	0x0	0
r9	0x1	1
r10	0x7ffff698d440	140737330598976
r11	0x7ffff698d420	140737330598944
r12	0x7ffff6907418	140737330050072
r13	0xbef7c4	12515268
r14	0x7fffffffd3b0	140737488343984
r15	0x7ffff698d460	140737330599008
rip	0x87a09b <js::ScopeIter::type() const+43>
=> 0x87a09b <js::ScopeIter::type() const+43>:	mov    (%rax),%rax
   0x87a09e <js::ScopeIter::type() const+46>:	mov    (%rax),%rdx
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/250cd0bf3ce0
user:        Eric Faust
date:        Fri Oct 09 09:33:57 2015 -0700
summary:     Bug 1105463 - Implement default constructors for ES6 class definitions. (r=jorendorff)

This iteration took 0.839 seconds to run.
Eric, is bug 1105463 a likely regressor?
Flags: needinfo?(efaustbmo)
Hmmm, yeah, it probably is. Looks like the CHECKRETURN interactions going bad, again.
Shu and I looked into the failure, and this seems the easiest way forward.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8699245 - Flags: review?(shu)
Comment on attachment 8699245 [details] [diff] [review]
Fix, with debug info improvement

Review of attachment 8699245 [details] [diff] [review]:
-----------------------------------------------------------------

Commit the test case, please.
Attachment #8699245 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/afa0ceb72362
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46