Closed
Bug 1236913
Opened 8 years ago
Closed 8 years ago
Assertion failure: script()->isDerivedClassConstructor(), at js/src/vm/Stack.cpp:327 or Assertion failure: type() != NamedLambda && type() != Eval, at vm/ScopeObject-inl.h:138 with ES6 Classes
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox46 | --- | wontfix |
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision 0771c5eab32f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --disable-oom-functions):
evaluate(`
function base() {}
class willThrow extends base {
constructor() {
base.apply(this, arguments)
}
}
new willThrow
`)
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000af59b6 in js::InterpreterFrame::checkReturn (this=0x7ffff511b160, cx=cx@entry=0x7ffff6907800, thisv=...) at js/src/vm/Stack.cpp:327
#0 0x0000000000af59b6 in js::InterpreterFrame::checkReturn (this=0x7ffff511b160, cx=cx@entry=0x7ffff6907800, thisv=...) at js/src/vm/Stack.cpp:327
#1 0x0000000000a87c99 in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:2496
#2 0x0000000000a93bb7 in js::RunScript (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:407
#3 0x0000000000a99511 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7ffff511b0a0) at js/src/vm/Interpreter.cpp:666
#4 0x0000000000a9979e in js::Execute (cx=cx@entry=0x7ffff6907800, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7ffff511b0a0) at js/src/vm/Interpreter.cpp:701
#5 0x00000000008c9658 in ExecuteScript (cx=cx@entry=0x7ffff6907800, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x7ffff511b0a0) at js/src/jsapi.cpp:4340
#6 0x00000000008c9789 in JS_ExecuteScript (cx=cx@entry=0x7ffff6907800, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4366
#7 0x0000000000490f70 in Evaluate (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7ffff511b0a0) at js/src/shell/js.cpp:1399
#8 0x0000000000a9b792 in js::CallJSNative (cx=0x7ffff6907800, native=0x490980 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6885
rax 0x0 0
rbx 0x0 0
rcx 0x7ffff6ca53b0 140737333842864
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffc010 140737488338960
rsp 0x7fffffffbfd0 140737488338896
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffbd90 140737488338320
r11 0x7ffff6c27960 140737333328224
r12 0x7ffff511b160 140737304965472
r13 0x7ffff6907800 140737330051072
r14 0x7ffff511b1e0 140737304965600
r15 0x7ffff6907818 140737330051096
rip 0xaf59b6 <js::InterpreterFrame::checkReturn(JSContext*, JS::Handle<JS::Value>)+470>
=> 0xaf59b6 <js::InterpreterFrame::checkReturn(JSContext*, JS::Handle<JS::Value>)+470>: movl $0x147,0x0
0xaf59c1 <js::InterpreterFrame::checkReturn(JSContext*, JS::Handle<JS::Value>)+481>: callq 0x4a4ac0 <abort()>
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•8 years ago
|
||
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151120232833" and the hash "c3aa84cd334c17606ff33284a058064eafd67d28". The "bad" changeset has the timestamp "20151121053534" and the hash "52d7c9292ecfc23a52835c49189dabd561b18675". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c3aa84cd334c17606ff33284a058064eafd67d28&tochange=52d7c9292ecfc23a52835c49189dabd561b18675
Jan, is bug 1132183 a likely regressor?
Blocks: 1132183
Flags: needinfo?(jdemooij)
|
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 3•8 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision e0bcd16e1d4b).
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
|
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
|
|
||
Comment 4•8 years ago
|
||
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/e7fac5cfd89a user: Eric Faust date: Wed Jan 06 14:26:14 2016 -0800 summary: Bug 1234702 - Part 2: Fix up class constructor scripts to allow cloning. (r=Waldo) This iteration took 0.174 seconds to run.
|
||
Comment 5•8 years ago
|
||
This fix seems quite likely. Just forgot to propagate the bit.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → FIXED
|
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:] → [jsbugmon:update]
|
||
Comment 6•8 years ago
|
||
Too late for assertion fixes in 46.
You need to log in
before you can comment on or make changes to this bug.
Description
•