Closed Bug 1235640 Opened 8 years ago Closed 8 years ago

Assertion failure: !isIndex(&dummy), at js/src/vm/String.h:1411

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla46
Tracking Status
firefox46 --- fixed

People

(Reporter: gkw, Assigned: Waldo)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 9ddf0da90fb3 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

(function() {
    return function() {
        for (b in "0") {}
    }
})()

Backtrace:

0   js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010007010f js::frontend::SyntaxParseHandler::maybeNameAnyParentheses(js::frontend::SyntaxParseHandler::Node) + 143 (String.h:1411)
1   js-dbg-64-dm-darwin-9ddf0da90fb3	0x00000001000705d7 js::frontend::Parser<js::frontend::SyntaxParseHandler>::reportIfNotValidSimpleAssignmentTarget(js::frontend::SyntaxParseHandler::Node, js::frontend::Parser<js::frontend::SyntaxParseHandler>::AssignmentFlavor) + 39 (Parser.cpp:7646)
2   js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010006ff5d js::frontend::Parser<js::frontend::SyntaxParseHandler>::checkAndMarkAsAssignmentLhs(js::frontend::SyntaxParseHandler::Node, js::frontend::Parser<js::frontend::SyntaxParseHandler>::AssignmentFlavor) + 77 (Parser.cpp:7459)
3   js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010006a296 js::frontend::Parser<js::frontend::SyntaxParseHandler>::forStatement(js::frontend::YieldHandling) + 1094 (Parser.cpp:5893)
4   js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010006876f js::frontend::Parser<js::frontend::SyntaxParseHandler>::statement(js::frontend::YieldHandling, bool) + 575 (Parser.cpp:7147)
5   js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010006765e js::frontend::Parser<js::frontend::SyntaxParseHandler>::statements(js::frontend::YieldHandling) + 414 (Parser.cpp:3436)
6   js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010006ca3e js::frontend::Parser<js::frontend::SyntaxParseHandler>::functionBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::Parser<js::frontend::SyntaxParseHandler>::FunctionBodyType) + 190 (Parser.cpp:1312)
7   js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010006da79 js::frontend::Parser<js::frontend::SyntaxParseHandler>::functionArgsAndBodyGeneric(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::SyntaxParseHandler::Node, JS::Handle<JSFunction*>, js::frontend::FunctionSyntaxKind) + 617 (Parser.cpp:3089)
8   js-dbg-64-dm-darwin-9ddf0da90fb3	0x0000000100042620 js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody(js::frontend::InHandling, js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::frontend::Directives, js::frontend::Directives*) + 416 (Parser.cpp:2857)
9   js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005767f js::frontend::Parser<js::frontend::FullParseHandler>::functionDef(js::frontend::InHandling, js::frontend::YieldHandling, JS::Handle<js::PropertyName*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction, js::frontend::ParseNode**) + 735 (Parser.cpp:2726)
10  js-dbg-64-dm-darwin-9ddf0da90fb3	0x0000000100057e2f js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr(js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 447 (Parser.cpp:3245)
11  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005bd7b js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 1227 (Parser.cpp:9696)
12  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005e157 js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 807 (Parser.cpp:8951)
13  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005da95 js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 821 (Parser.cpp:7849)
14  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005d3ec js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 92 (Parser.cpp:7368)
15  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005d1cf js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 31 (Parser.cpp:7420)
16  js-dbg-64-dm-darwin-9ddf0da90fb3	0x0000000100054f0c js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 732 (Parser.cpp:7535)
17  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010004d1b2 js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 34 (Parser.cpp:7236)
18  js-dbg-64-dm-darwin-9ddf0da90fb3	0x0000000100051534 js::frontend::Parser<js::frontend::FullParseHandler>::returnStatement(js::frontend::YieldHandling) + 372 (Parser.cpp:6221)
19  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010004df97 js::frontend::Parser<js::frontend::FullParseHandler>::statement(js::frontend::YieldHandling, bool) + 1607 (Parser.cpp:7169)
20  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010004bb1c js::frontend::Parser<js::frontend::FullParseHandler>::statements(js::frontend::YieldHandling) + 572 (Parser.cpp:3436)
21  js-dbg-64-dm-darwin-9ddf0da90fb3	0x0000000100054633 js::frontend::Parser<js::frontend::FullParseHandler>::functionBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::Parser<js::frontend::FullParseHandler>::FunctionBodyType) + 307 (Parser.cpp:1312)
22  js-dbg-64-dm-darwin-9ddf0da90fb3	0x0000000100055cac js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::FunctionSyntaxKind) + 604 (Parser.cpp:3088)
23  js-dbg-64-dm-darwin-9ddf0da90fb3	0x0000000100042775 js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody(js::frontend::InHandling, js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::frontend::Directives, js::frontend::Directives*) + 757 (Parser.cpp:2893)
24  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005767f js::frontend::Parser<js::frontend::FullParseHandler>::functionDef(js::frontend::InHandling, js::frontend::YieldHandling, JS::Handle<js::PropertyName*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction, js::frontend::ParseNode**) + 735 (Parser.cpp:2726)
25  js-dbg-64-dm-darwin-9ddf0da90fb3	0x0000000100057e2f js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr(js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 447 (Parser.cpp:3245)
26  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005bd7b js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 1227 (Parser.cpp:9696)
27  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005e157 js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 807 (Parser.cpp:8951)
28  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005da95 js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 821 (Parser.cpp:7849)
29  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005d3ec js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 92 (Parser.cpp:7368)
30  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005d1cf js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 31 (Parser.cpp:7420)
31  js-dbg-64-dm-darwin-9ddf0da90fb3	0x0000000100054f0c js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 732 (Parser.cpp:7535)
32  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010004d1b2 js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 34 (Parser.cpp:7236)
33  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005a02a js::frontend::Parser<js::frontend::FullParseHandler>::exprInParens(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling) + 74 (Parser.cpp:9867)
34  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005bee6 js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 1590 (Parser.cpp:9737)
35  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005e157 js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 807 (Parser.cpp:8951)
36  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005da95 js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 821 (Parser.cpp:7849)
37  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005d3ec js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 92 (Parser.cpp:7368)
38  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010005d1cf js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 31 (Parser.cpp:7420)
39  js-dbg-64-dm-darwin-9ddf0da90fb3	0x0000000100054f0c js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 732 (Parser.cpp:7535)
40  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010004d1b2 js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 34 (Parser.cpp:7236)
41  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010004e8f3 js::frontend::Parser<js::frontend::FullParseHandler>::expressionStatement(js::frontend::YieldHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 83 (Parser.cpp:5468)
42  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010004df77 js::frontend::Parser<js::frontend::FullParseHandler>::statement(js::frontend::YieldHandling, bool) + 1575 (Parser.cpp:7076)
43  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010004bb1c js::frontend::Parser<js::frontend::FullParseHandler>::statements(js::frontend::YieldHandling) + 572 (Parser.cpp:3436)
44  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010004599d js::frontend::Parser<js::frontend::FullParseHandler>::globalBody() + 77 (Parser.cpp:1054)
45  js-dbg-64-dm-darwin-9ddf0da90fb3	0x00000001008cbd54 BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>) + 820 (BytecodeCompiler.cpp:527)
46  js-dbg-64-dm-darwin-9ddf0da90fb3	0x00000001008cdc0d js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, js::SourceCompressionTask*, js::ScriptSourceObject**) + 189 (BytecodeCompiler.cpp:738)
47  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010052d3d4 Compile(JSContext*, JS::ReadOnlyCompileOptions const&, SyntacticScopeOption, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) + 404 (RootingAPI.h:481)
48  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010052d75b Compile(JSContext*, JS::ReadOnlyCompileOptions const&, SyntacticScopeOption, char const*, unsigned long, JS::MutableHandle<JSScript*>) + 267 (jsapi.cpp:3932)
49  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010052d8ac JS::Compile(JSContext*, JS::ReadOnlyCompileOptions const&, __sFILE*, JS::MutableHandle<JSScript*>) + 108 (jsapi.cpp:3958)
50  js-dbg-64-dm-darwin-9ddf0da90fb3	0x000000010001e99a Process(JSContext*, char const*, bool, FileKind) + 3098 (js.cpp:508)
51  js-dbg-64-dm-darwin-9ddf0da90fb3	0x0000000100005181 main + 11825 (js.cpp:6207)
52  js-dbg-64-dm-darwin-9ddf0da90fb3	0x0000000100001744 start + 52

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8b834fb9e739
user:        Jeff Walden
date:        Fri Dec 18 02:24:46 2015 -0500
summary:     Bug 1233249 - Refactor for-loop head parsing so that declaration-parsing code is responsible for detecting for-in/of behavior when a loop declaration is used.  This makes declaration parsing slightly fuglier, but it simplifies for-loop parsing, makes it more amenable to future changes, and fixes a few bugs that were otherwise pretty hard to fix.  r=shu

Waldo, is bug 1233249 a likely regressor?
Blocks: 1233249
Flags: needinfo?(jwalden+bmo)
Simpler testcase:

  function f() { for (x in "0"); }

The problem is when we checkAndMarkAsAssignmentLhs on |x|, in the syntax parser, we check that |x| isn't |arguments| or |eval| using the syntax parse handler's |lastAtom|.  That was "x" at one point, but parsing |"0"| overwrote it, with a non-PropertyName name.

My first thought is that instead of NodeUnparenthesizedName, we split that up to encapsulate arguments/eval as well, as those are what we're actually testing for.  But I need to think a little bit more before doing that -- might be there's something simpler to do.
Flags: needinfo?(jwalden+bmo)
Oh wait, we already have that name-splitup.  Just need to rejigger things to not trust lastAtom here.  Fortunately we don't actually *need* it, except to know whether it's arguments/eval.  Patch shortly.
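The mechanism in the two comments above, modelled as an added example that is not SpiderMonkey code and not the attached patch: a toy syntax-parse handler that, like the real one, records the last atom it saw. The first check trusts that `lastAtom` still names the loop variable after the right-hand side has been parsed; the second folds the arguments/eval distinction into the node kind, so nothing parsed later can change the answer. All names here (`ToyHandler`, `newNameOld`, `checkForInHeadOld`, the digit-only stand-in for an index atom) are assumptions of the model, not the frontend's API.

```cpp
// Added example (not SpiderMonkey code): a simplified model of the lastAtom
// hazard described in this bug and of encoding arguments/eval in the node kind.
#include <cctype>
#include <string>

// Kinds the syntax parser hands back instead of a full parse tree.  The
// "*ArgumentsName" / "*EvalName" kinds are the fix: the identity that matters
// for the assignment-target check lives in the kind, not in shared state.
enum Node {
    NodeGeneric,                        // anything that is not a name
    NodeUnparenthesizedName,            // a plain identifier
    NodeUnparenthesizedArgumentsName,   // the identifier `arguments`
    NodeUnparenthesizedEvalName,        // the identifier `eval`
    NodeStringLiteral,
};

// Toy handler (assumed): remembers the most recent atom, as the real syntax
// handler does, and is shared across the whole parse.
struct ToyHandler {
    std::string lastAtom;

    // Old behaviour: every identifier collapses to one kind, so the only way
    // to recover which name it was is lastAtom.
    Node newNameOld(const std::string& atom) {
        lastAtom = atom;
        return NodeUnparenthesizedName;
    }

    // Fixed behaviour: the kind itself records whether this is arguments/eval.
    Node newNameFixed(const std::string& atom) {
        lastAtom = atom;
        if (atom == "arguments") return NodeUnparenthesizedArgumentsName;
        if (atom == "eval")      return NodeUnparenthesizedEvalName;
        return NodeUnparenthesizedName;
    }

    // A string literal is atomized too, so it overwrites lastAtom.
    Node newStringLiteral(const std::string& atom) {
        lastAtom = atom;
        return NodeStringLiteral;
    }
};

// Stand-in (assumed) for the property-name precondition: an all-digit atom is
// an index, which a PropertyName check refuses to treat as a name.
static bool isIndex(const std::string& atom) {
    if (atom.empty()) return false;
    for (char c : atom)
        if (!std::isdigit(static_cast<unsigned char>(c))) return false;
    return true;
}

// Old check: trusts lastAtom.  Returns 1 for arguments/eval, 0 for any other
// name, and -1 when the precondition fails (the toy analogue of the assertion
// in this bug's backtrace).
int argumentsOrEvalOld(const ToyHandler& h, Node node) {
    if (node != NodeUnparenthesizedName) return 0;
    if (isIndex(h.lastAtom)) return -1;          // stale atom "0" trips it
    return (h.lastAtom == "arguments" || h.lastAtom == "eval") ? 1 : 0;
}

// Fixed check: looks only at the node kind, so later atoms cannot affect it.
int argumentsOrEvalFixed(Node node) {
    return (node == NodeUnparenthesizedArgumentsName ||
            node == NodeUnparenthesizedEvalName) ? 1 : 0;
}

// Drive the head of `for (<name> in "0")` through either style.  The
// assignment-target check runs after the right-hand side has been parsed,
// which is exactly when lastAtom no longer names the loop variable.
int checkForInHeadOld(const std::string& name) {
    ToyHandler h;
    Node lhs = h.newNameOld(name);
    h.newStringLiteral("0");                     // clobbers lastAtom
    return argumentsOrEvalOld(h, lhs);
}

int checkForInHeadFixed(const std::string& name) {
    ToyHandler h;
    Node lhs = h.newNameFixed(name);
    h.newStringLiteral("0");                     // irrelevant to the fixed check
    return argumentsOrEvalFixed(lhs);
}
```

With the old style, `checkForInHeadOld("x")` hits the precondition failure because `lastAtom` is `"0"` by the time the check runs, and `checkForInHeadOld("eval")` fails the same way rather than reporting the name; with the kind-encoded style, `"x"` yields 0 and `"eval"` yields 1 regardless of what was parsed afterwards.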
Attached patch: Patch
Attachment #8702733 - Flags: review?(shu)
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
Comment on attachment 8702733 [details] [diff] [review]
Patch

Review of attachment 8702733 [details] [diff] [review]:
-----------------------------------------------------------------

Nice catch.

::: js/src/frontend/FullParseHandler.h
@@ +880,5 @@
>      bool isConstant(ParseNode* pn) {
>          return pn->isConstant();
>      }
>  
> +    bool maybeUnparenthesizedName(ParseNode* node) {

"maybe" is a misnomer now that these return bool. isUnparenthesizedName?

@@ +886,3 @@
>      }
>  
> +    bool maybeNameAnyParentheses(ParseNode* node) {

Ditto, isNameAnyParentheses

@@ +897,5 @@
> +    }
> +
> +    const char* nameIsArgumentsEvalAnyParentheses(ParseNode* node, ExclusiveContext* cx) {
> +        MOZ_ASSERT(maybeNameAnyParentheses(node),
> +                   "must only call this function on known names");
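Review bot: the contract of `nameIsArgumentsEvalAnyParentheses` is not documented in this hunk: it returns a `const char*`, but the visible lines do not say what the pointer refers to or whether it can be null for a name that is neither `arguments` nor `eval`. A one-line comment above the declaration stating the return value in both cases would let callers check it correctly without reading the body.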

This assert is redundant since nameIsEvalAnyParentheses is called below. Fine with me if you keep it though.

::: js/src/frontend/SyntaxParseHandler.h
@@ +576,5 @@
> +                   node == NodeParenthesizedName ||
> +                   node == NodeUnparenthesizedArgumentsName ||
> +                   node == NodeParenthesizedArgumentsName ||
> +                   node == NodeUnparenthesizedEvalName ||
> +                   node == NodeParenthesizedEvalName,

MOZ_ASSERT(maybeNameAnyParentheses(node)) ?
Attachment #8702733 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/efc63f7cf995
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46