Assertion failure: &i.block() == scope->as<ClonedBlockObject>().staticScope(), at js/src/vm/Stack.cpp:164 with OOM


(Core :: JavaScript Engine, defect)

The following testcase crashes on mozilla-central revision 6020a4cb41a7 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):

  function x() {
    try {
      eval('let ')
    } catch (ex) {
      (function() {})()
    }
  }
  // The call into x under oomTest is inferred from the OOMTest frame (#7) in the stack below
  oomTest(x)


Program received signal SIGSEGV, Segmentation fault.
0x0000000000b01c66 in AssertDynamicScopeMatchesStaticScope (cx=<optimized out>, script=<optimized out>, scope=0x7ffff7e8a0a0) at js/src/vm/Stack.cpp:164
#0  0x0000000000b01c66 in AssertDynamicScopeMatchesStaticScope (cx=<optimized out>, script=<optimized out>, scope=0x7ffff7e8a0a0) at js/src/vm/Stack.cpp:164
#1  0x0000000000b02157 in js::InterpreterFrame::prologue (this=0x7ffff313d140, cx=cx@entry=0x7ffff6907800) at js/src/vm/Stack.cpp:246
#2  0x0000000000a3fcea in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:2874
#3  0x0000000000a47187 in js::RunScript (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:424
#4  0x0000000000a474ac in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495
#5  0x0000000000a48da8 in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:529
#6  0x00000000008daee4 in JS_CallFunction (cx=cx@entry=0x7ffff6907800, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2830
#7  0x0000000000a5f44e in OOMTest (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7ffff313d0a0) at js/src/builtin/TestingFunctions.cpp:1196
#8  0x0000000000a4a842 in js::CallJSNative (cx=0x7ffff6907800, native=0xa5f1b0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6918
This probably relates to something about shapes/protos/SavedStacks in the interpreter.

Naveed, can you help find an assignee?

Terrence please take a look and assign appropriately

Passing ni? to shu.
The scope that's mismatching is the static block scope for the catch block. What's going on here is this. In the test,

  function x() {
    try {
      eval('let ')
    } catch (ex) {
      (function() {})()
    }
  }

there are 2 lazy functions created internally, |x| and the anonymous IIFE in the catch block. oomTest causes the compilation of the outer function to fail *after* the IIFE gets successfully delazified. So, the IIFE function now has a JSScript whose enclosing static scope is a StaticBlockScope of the catch block created during the failed compilation. But since the compilation of |x| failed, we try to recompile again, creating a new StaticBlockScope for the catch block. We don't bother re-delazifying the IIFE because it's already delazified. Now the scopes don't match up.
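The sequence described in the comment above, modelled in Python as an added illustration (not SpiderMonkey code): the first compilation attempt of |x| delazifies the IIFE against its catch-block StaticBlockScope and then fails with OOM; the retry builds a fresh scope object, the already-delazified IIFE still records the old one, and the identity check from Stack.cpp fails. The `reset_inner_on_failure` path is an assumed remedy for this model only, not the bug's actual fix.

```python
# Added model of the delazification/OOM-retry corner case; names and the
# "reset on failure" remedy are this example's assumptions, not SpiderMonkey code.
from dataclasses import dataclass
from typing import Optional


class OOMError(Exception):
    """Stands in for the allocation failure that oomTest injects."""


@dataclass(eq=False)
class StaticBlockScope:
    """One scope object per compilation attempt; only identity matters here."""
    label: str


@dataclass(eq=False)
class LazyFunction:
    name: str
    script: Optional[dict] = None  # populated once delazified

    def delazify(self, enclosing: StaticBlockScope) -> dict:
        # Mirrors the engine: an already-delazified function is not redone,
        # so a stale enclosing scope survives a retried outer compilation.
        if self.script is None:
            self.script = {"enclosing_static_scope": enclosing}
        return self.script


def compile_outer(inner: LazyFunction, attempt: int, fail: bool) -> StaticBlockScope:
    """Compile |x|: create the catch-block scope, delazify the IIFE, then maybe OOM."""
    catch_scope = StaticBlockScope(f"catch-block, attempt {attempt}")
    inner.delazify(catch_scope)
    if fail:
        raise OOMError("simulated OOM after the IIFE was delazified")
    return catch_scope


def scopes_match_after_retry(reset_inner_on_failure: bool) -> bool:
    """True if the static-scope identity check would pass when the IIFE runs."""
    inner = LazyFunction("iife")
    try:
        compile_outer(inner, attempt=1, fail=True)
    except OOMError:
        if reset_inner_on_failure:
            inner.script = None  # assumed remedy: drop partial results of the failed compile
    live_scope = compile_outer(inner, attempt=2, fail=False)
    # The assertion in InterpreterFrame::prologue compares object identity,
    # so a structurally identical but distinct scope object still fails it.
    return inner.script["enclosing_static_scope"] is live_scope
```

Without the reset the function returns False, which is the assertion failure in the report; with it, the retry and the IIFE agree on one scope object.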
That's a pretty amazing corner case.
Attachment #8731438 - Flags: review?(till) → review+
