Assertion failure: args.rval().isObject() && callee != &args.rval().toObject(), at js/src/jscntxtinlines.h:295 with ES6 Classes

Status

RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical

People

(Reporter: decoder, Assigned: efaust)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Version: Trunk
Platform: x86_64 Linux
Keywords: assertion, regression, testcase

Firefox Tracking Flags

(firefox46 wontfix)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision 749f9328dd76 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

new class value extends function() value {};

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a7d7f2 in js::CallJSNativeConstructor (cx=<optimized out>, native=0xa76150 <js::DefaultDerivedClassConstructor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
#0  0x0000000000a7d7f2 in js::CallJSNativeConstructor (cx=<optimized out>, native=0xa76150 <js::DefaultDerivedClassConstructor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
#1  0x0000000000a75fa6 in InternalConstruct (cx=cx@entry=0x7ffff6907400, args=...) at js/src/vm/Interpreter.cpp:521
#2  0x0000000000a709bf in ConstructFromStack (args=..., cx=0x7ffff6907400) at js/src/vm/Interpreter.cpp:560
#3  Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:2758
#4  0x0000000000a758c7 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:391
#5  0x0000000000a7b281 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:650
#6  0x0000000000a7b50e in js::Execute (cx=cx@entry=0x7ffff6907400, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:685
#7  0x00000000008acee8 in ExecuteScript (cx=cx@entry=0x7ffff6907400, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4410
#8  0x00000000008ad0c3 in JS_ExecuteScript (cx=cx@entry=0x7ffff6907400, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4443
#9  0x0000000000429a87 in RunFile (compileOnly=false, file=0x7ffff4510400, filename=0x7fffffffe047 "min.js", cx=0x7ffff6907400) at js/src/shell/js.cpp:515
#10 Process (cx=cx@entry=0x7ffff6907400, filename=0x7fffffffe047 "min.js", forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:728
#11 0x000000000047fe26 in ProcessArgs (op=0x7fffffffdae0, cx=0x7ffff6907400) at js/src/shell/js.cpp:6204
#12 Shell (envp=<optimized out>, op=0x7fffffffdae0, cx=0x7ffff6907400) at js/src/shell/js.cpp:6516
#13 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6877
(Reporter)

Updated

2 years ago
status-firefox45: affected → ---
status-firefox46: --- → affected

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

2 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/250cd0bf3ce0
user:        Eric Faust
date:        Fri Oct 09 09:33:57 2015 -0700
summary:     Bug 1105463 - Implement default constructors for ES6 class definitions. (r=jorendorff)

This iteration took 281.199 seconds to run.
Eric, is bug 1105463 a likely regressor?
Blocks: 1105463
Flags: needinfo?(efaustbmo)
(Assignee)

Comment 3

2 years ago
Created attachment 8699303 [details] [diff] [review]
Fix bogus assert

meh. The assert means well...
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8699303 - Flags: review?(jorendorff)
(Assignee)

Updated

2 years ago
Attachment #8699303 - Flags: review?(jorendorff)
(Assignee)

Comment 4

2 years ago
This bug is moot. The asserting native is removed by bug 1234702.

Updated

2 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

Comment 5

2 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision e0bcd16e1d4b).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]

Updated

2 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]

Comment 6

2 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/10d23a474969
user:        Eric Faust
date:        Wed Jan 06 14:26:14 2016 -0800
summary:     Bug 1234702 - Part 3: Self-host default derived class constructor. (r=till)

This iteration took 255.905 seconds to run.
(Assignee)

Comment 7

2 years ago
Indeed, bug 1234702 is a fix for this. It removes the native function which was causing the assert.
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:] → [jsbugmon:update]
Too late for assertion fixes in 46.
status-firefox46: affected → wontfix