Rewrite the frontend: bindings

RESOLVED FIXED in Firefox 51

Status

()

RESOLVED FIXED
3 years ago
2 months ago

People

(Reporter: shu, Assigned: shu)

Tracking

(Depends on: 2 bugs, Blocks: 4 bugs)

unspecified
mozilla51
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox51 fixed)

Details

Attachments

(8 attachments, 19 obsolete attachments)

8.70 KB, patch
njn
: review+
Details | Diff | Splinter Review
30.89 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
2.48 MB, patch
jorendorff
: review+
Waldo
: review+
Details | Diff | Splinter Review
9.49 KB, text/plain
Details
2.53 MB, patch
decoder
: feedback+
Details | Diff | Splinter Review
34.44 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
5.05 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review
303.47 KB, application/pdf
Details
(Assignee)

Description

3 years ago
Deficit spending doesn't extend to software engineering. It is
time to rewrite the frontend. This bug is phase 1: bindings.

The broad strokes of the idea are:

- Remove use-def analysis from the Parser and only note what
  names are declared and used in each scope.

  Concretely, things like isDefn() and isUse() on ParseNodes are
  going away. Lexical dependencies are going away. Body-level
  names and block-level names will be treated uniformly.

- During BCE, right before we start emitting a scope, the sets of
  names the Parser tracked will be packed and StaticScope objects
  will be allocated. Aliased-ness and slots will be computed at
  this time.

  All name-to-slot resolution will be done using the static scope
  chain as the single source of truth.

- Both function and block scopes will use something like a packed
  Bindings structure as a record of all its bindings regardless
  of aliased-ness.

- Both functions and block scopes will have a Shape for the
  environment (if one is needed), which will contain only aliased
  names.

Details that I'm worried about and haven't thought about yet:

- How to retain some kind of simplified dominance analysis to
  skip emitting TDZ checks.

- Annex B synthesized scope weirdness.
(Assignee)

Updated

3 years ago
Assignee: nobody → shu
Status: NEW → ASSIGNED
\o/ !

Will this also make syntax parsing faster, since we're moving work from the parser to BCE?
In Rust? \o/ (only half joking really)
(Assignee)

Comment 3

3 years ago
(In reply to Jan de Mooij [:jandem] from comment #1)
> \o/ !
> 
> Will this also make syntax parsing faster, since we're moving work from the
> parser to BCE?

Syntax parsing currently just bails if there are any block-scoped bindings. I'm not sure if this will make syntax parsing faster, but it should make it applicable to more scripts and more future-proof.
(In reply to Jan de Mooij [:jandem] from comment #1)
> Will this also make syntax parsing faster, since we're moving work from the
> parser to BCE?

Somewhat.  |var| probably can be, but let/const bindings are unavoidably difficult to syntax-parse because their redeclaration is an early error.  You *must* track scopes' bindings to implement that, using hash tables or complicated/slow data structures.

Bail on let/const, and you can not keep binding info *at all* during syntax-parsing -- faster for non-let/const-using code.  But if you handle them, non-let/const code becomes slower.  It's not clear we've made the wrong tradeoff here, while let/const are uncommon in the wild.

Simplifying all this should IMO make evaluating that tradeoff easier.

(In reply to Tom Schuster [:evilpie] from comment #2)
> In Rust? \o/ (only half joking really)

:-)  Responding to the half-serious part, I don't think we're at a point where critical new projects can consider Rust.  It'd be nice to start using something Rust, if the build system support is there (I don't believe it is yet).  But something smaller, easier, not with major implications/interactions across the board.
(Assignee)

Comment 5

3 years ago
(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #4)
> (In reply to Jan de Mooij [:jandem] from comment #1)
> > Will this also make syntax parsing faster, since we're moving work from the
> > parser to BCE?
> 
> Somewhat.  |var| probably can be, but let/const bindings are unavoidably
> difficult to syntax-parse because their redeclaration is an early error. 
> You *must* track scopes' bindings to implement that, using hash tables or
> complicated/slow data structures.
> 
> Bail on let/const, and you can not keep binding info *at all* during
> syntax-parsing -- faster for non-let/const-using code.  But if you handle
> them, non-let/const code becomes slower.  It's not clear we've made the
> wrong tradeoff here, while let/const are uncommon in the wild.
> 
> Simplifying all this should IMO make evaluating that tradeoff easier.
> 

The future will be more likely than not full of lets and consts. I don't think there's a tradeoff: we'll have to syntax parse lets and consts.
Eventually.  Right now, tracking bindings info for let/const, versus just aborting early, probably wins on the web.
(Assignee)

Comment 7

3 years ago
Created attachment 8753643 [details] [diff] [review]
snapshot

This totally doesn't work and is about half done. Just doing a dump here so there's something to show for progress.
(Assignee)

Comment 8

3 years ago
Created attachment 8762245 [details] [diff] [review]
snapshot.patch

Update snapshot.
Attachment #8753643 - Attachment is obsolete: true
No longer blocks: 1276469
Depends on: 1276469
Blocks: 1276469
No longer depends on: 1276469
(Assignee)

Updated

3 years ago
Blocks: 1175174
(Assignee)

Updated

3 years ago
Blocks: 1233767
(Assignee)

Updated

3 years ago
Blocks: 1282976
Blocks: 694100
No longer blocks: 694100
(Assignee)

Updated

3 years ago
Blocks: 1284719
(Assignee)

Updated

3 years ago
Blocks: 1285068
Blocks: 1285710
As discussed I started looking into performance issues a bit. One thing I noticed is that several Sunspider tests are slower, for tofte at least that's because we now emit JSOP_IMPLICITTHIS for calls inside certain evals. See the micro-benchmark below.

Emitting JSOP_UNDEFINED instead "fixes" this. The old code only emitted this op inside |with| I think.

function g() {};
function f() {
    var x = 0;
    var t = new Date;
    eval("for (var i=0; i<10000000; i++) { g(); }");
    print(new Date - t);
}
f();
Flags: needinfo?(shu)
Blocks: 755099
(Assignee)

Comment 10

3 years ago
(In reply to Jan de Mooij [:jandem] from comment #9)
> As discussed I started looking into performance issues a bit. One thing I
> noticed is that several Sunspider tests are slower, for tofte at least
> that's because we now emit JSOP_IMPLICITTHIS for calls inside certain evals.
> See the micro-benchmark below.
> 
> Emitting JSOP_UNDEFINED instead "fixes" this. The old code only emitted this
> op inside |with| I think.
> 
> function g() {};
> function f() {
>     var x = 0;
>     var t = new Date;
>     eval("for (var i=0; i<10000000; i++) { g(); }");
>     print(new Date - t);
> }
> f();

Good catch, fixed in the branch.
(Assignee)

Updated

3 years ago
Flags: needinfo?(shu)
(Assignee)

Comment 11

3 years ago
Here are the current performance numbers off of [1], where scope numbering and
a single hash table is used to track name uses instead of stacks-of-hash
tables to try to unregress octane-codeload. It got about a 1500 point win on
octane-codeload, but there is still about a 6% regression from tip.

I reckon the scope numbering needs to be extended to tracking declared names
as well to get more wins. I'll devote a day or two to this when I get back
from Europe, but no more.

There are still a small number of correctness bugs left in js-tests, then it's
off to the fuzzers and try builds.

[1] https://github.com/syg/gecko-dev/tree/purgatio-scope-numbering2


SunSpider:

                 REWRITE
============================================
RESULTS (means and 95% confidence intervals)
--------------------------------------------
Total:                 242.2ms +/- 2.7%
--------------------------------------------

  3d:                   33.3ms +/- 5.9%
    cube:               12.5ms +/- 5.6%
    morph:               5.4ms +/- 9.3%
    raytrace:           15.4ms +/- 12.2%

  access:               16.4ms +/- 9.0%
    binary-trees:        3.1ms +/- 13.1%
    fannkuch:            7.0ms +/- 15.2%
    nbody:               3.4ms +/- 17.7%
    nsieve:              2.9ms +/- 18.2%

  bitops:               13.1ms +/- 11.6%
    3bit-bits-in-byte:   1.5ms +/- 33.7%
    bits-in-byte:        3.3ms +/- 20.5%
    bitwise-and:         3.1ms +/- 13.1%
    nsieve-bits:         5.2ms +/- 8.7%

  controlflow:           3.1ms +/- 20.2%
    recursive:           3.1ms +/- 20.2%

  crypto:               23.8ms +/- 10.1%
    aes:                15.5ms +/- 13.6%
    md5:                 4.1ms +/- 5.5%
    sha1:                4.2ms +/- 22.4%

  date:                 27.0ms +/- 9.6%
    format-tofte:       12.2ms +/- 12.3%
    format-xparb:       14.8ms +/- 10.4%

  math:                 16.1ms +/- 6.8%
    cordic:              2.9ms +/- 14.0%
    partial-sums:       10.5ms +/- 9.2%
    spectral-norm:       2.7ms +/- 17.9%

  regexp:               15.1ms +/- 9.6%
    dna:                15.1ms +/- 9.6%

  string:               94.3ms +/- 3.5%
    base64:              6.6ms +/- 13.7%
    fasta:               8.3ms +/- 15.2%
    tagcloud:           27.2ms +/- 5.1%
    unpack-code:        40.9ms +/- 3.1%
    validate-input:     11.3ms +/- 11.9%


                 MASTER
============================================
RESULTS (means and 95% confidence intervals)
--------------------------------------------
Total:                 246.7ms +/- 2.1%
--------------------------------------------

  3d:                   33.0ms +/- 5.0%
    cube:               12.4ms +/- 3.0%
    morph:               5.5ms +/- 9.2%
    raytrace:           15.1ms +/- 10.3%

  access:               17.0ms +/- 14.8%
    binary-trees:        2.9ms +/- 18.2%
    fannkuch:            7.3ms +/- 16.0%
    nbody:               3.8ms +/- 17.3%
    nsieve:              3.0ms +/- 25.1%

  bitops:               12.5ms +/- 12.1%
    3bit-bits-in-byte:   1.3ms +/- 26.6%
    bits-in-byte:        2.8ms +/- 16.1%
    bitwise-and:         2.6ms +/- 29.5%
    nsieve-bits:         5.8ms +/- 14.0%

  controlflow:           3.4ms +/- 10.9%
    recursive:           3.4ms +/- 10.9%

  crypto:               23.5ms +/- 7.5%
    aes:                15.5ms +/- 10.9%
    md5:                 4.1ms +/- 5.5%
    sha1:                3.9ms +/- 10.4%

  date:                 28.7ms +/- 5.6%
    format-tofte:       15.3ms +/- 9.1%
    format-xparb:       13.4ms +/- 6.3%

  math:                 17.3ms +/- 9.9%
    cordic:              2.8ms +/- 16.1%
    partial-sums:       12.0ms +/- 12.9%
    spectral-norm:       2.5ms +/- 15.1%

  regexp:               15.5ms +/- 9.5%
    dna:                15.5ms +/- 9.5%

  string:               95.8ms +/- 2.7%
    base64:              6.3ms +/- 5.5%
    fasta:               8.7ms +/- 17.3%
    tagcloud:           26.4ms +/- 4.3%
    unpack-code:        41.3ms +/- 3.2%
    validate-input:     13.1ms +/- 19.0%


Octane:

                 REWRITE
============================================
Richards: 30391
DeltaBlue: 58210
Crypto: 27168
RayTrace: 102932
EarleyBoyer: 28736
RegExp: 3705
Splay: 17046
SplayLatency: 19404
NavierStokes: 34987
Mandreel: 27330
MandreelLatency: 37483
Gameboy: 44424
CodeLoad: 16406
Box2D: 54436
zlib: 76907
Typescript: 26957
----
Score (version 9): 30333


                 MASTER
============================================
Richards: 30109
DeltaBlue: 60610
Crypto: 27334
RayTrace: 101970
EarleyBoyer: 29028
RegExp: 3773
Splay: 16820
SplayLatency: 20231
NavierStokes: 35022
Mandreel: 28557
MandreelLatency: 35356
Gameboy: 44690
CodeLoad: 17172
Box2D: 52332
zlib: 77453
Typescript: 27117
----
Score (version 9): 30516
Blocks: 1288459
Blocks: 1288460
(Assignee)

Updated

3 years ago
Blocks: 1289918
(Assignee)

Comment 12

3 years ago
I fixed the octane regressions:

Richards: 30215
DeltaBlue: 61761
Crypto: 28094
RayTrace: 101304
EarleyBoyer: 29862
RegExp: 3720
Splay: 16355
SplayLatency: 18863
NavierStokes: 35284
Mandreel: 29160
MandreelLatency: 39565
Gameboy: 46391
CodeLoad: 17654
Box2D: 48016
zlib: 77453
Typescript: 25932
----
Score (version 9): 30581
Blocks: 1287344
(Assignee)

Comment 13

3 years ago
Created attachment 8776227 [details] [diff] [review]
0001-PVGARTIO.patch

This is unreviewable, but read what you can, I suppose.

jorendorff, Waldo, efaust, and mrrrgn for the frontend stuff.

jorendorff and Waldo for the VM stuff.

terrence for the new GC kind and GC changes.
Attachment #8776227 - Flags: review?(winter2718)
Attachment #8776227 - Flags: review?(terrence)
Attachment #8776227 - Flags: review?(jwalden+bmo)
Attachment #8776227 - Flags: review?(jorendorff)
Attachment #8776227 - Flags: review?(efaustbmo)
(Assignee)

Updated

3 years ago
Attachment #8762245 - Attachment is obsolete: true
(Assignee)

Comment 14

3 years ago
Created attachment 8776230 [details] [diff] [review]
Rewrite the frontend: bindings.

Spelled purgatio wrong, also accidentally committed a TODO file.
Attachment #8776230 - Flags: review?(winter2718)
Attachment #8776230 - Flags: review?(terrence)
Attachment #8776230 - Flags: review?(jwalden+bmo)
Attachment #8776230 - Flags: review?(jorendorff)
Attachment #8776230 - Flags: review?(efaustbmo)
(Assignee)

Updated

3 years ago
Attachment #8776227 - Attachment is obsolete: true
Attachment #8776227 - Flags: review?(winter2718)
Attachment #8776227 - Flags: review?(terrence)
Attachment #8776227 - Flags: review?(jwalden+bmo)
Attachment #8776227 - Flags: review?(jorendorff)
Attachment #8776227 - Flags: review?(efaustbmo)
Comment on attachment 8776230 [details] [diff] [review]
Rewrite the frontend: bindings.

Review of attachment 8776230 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/public/GCHashTable.h
@@ +236,5 @@
>  namespace JS {
>  
>  // A GCHashSet is a HashSet with an additional trace method that knows
>  // be traced to be kept alive will generally want to use this GCHashSet
> +// specialization in lieu of HashSet.

Heh. Thanks!

::: js/src/jsgc.cpp
@@ +279,5 @@
>  #define EXPAND_THING_SIZE(allocKind, traceKind, type, sizedType) \
>      sizeof(sizedType),
>  FOR_EACH_ALLOCKIND(EXPAND_THING_SIZE)
>  #undef EXPAND_THING_SIZE
> +};

D'oh!

::: js/src/vm/HelperThreads.cpp
@@ -264,5 @@
>  ScriptParseTask::parse()
>  {
>      SourceBufferHolder srcBuf(chars, length, SourceBufferHolder::NoOwnership);
> -
> -    // ! WARNING WARNING WARNING !

Wow.
Attachment #8776230 - Flags: review?(terrence) → review+
(Assignee)

Comment 16

3 years ago
Created attachment 8777200 [details] [diff] [review]
Report memory metrics for Scopes.
Attachment #8777200 - Flags: review?(n.nethercote)
Comment on attachment 8777200 [details] [diff] [review]
Report memory metrics for Scopes.

Review of attachment 8777200 [details] [diff] [review]:
-----------------------------------------------------------------

All looks good except for one thing. In JSReporter::CollectReports() you are missing a REPORT_BYTES call for rtStats.zTotals.unusedGCThings.scope. Do you get an assertion when you run the memory reporter? I tried to make the assertions so tight that you couldn't fail to add one of the various REPORT calls without getting a failure.

(BTW, I found that missing case by grepping for all occurrences of \<objectGroup\> and \<objectGroupsGCHeap\> and \<objectGroupsMallocHeap\> and making sure you had corresponding code for scopes. That was the only missing case I found, but it wouldn't hurt for you to double-check it yourself.)
Attachment #8777200 - Flags: review?(n.nethercote) → review+
(Assignee)

Updated

3 years ago
Depends on: 1291569
(Assignee)

Comment 18

3 years ago
(In reply to Nicholas Nethercote [:njn] from comment #17)
> Comment on attachment 8777200 [details] [diff] [review]
> Report memory metrics for Scopes.
> 
> Review of attachment 8777200 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> All looks good except for one thing. In JSReporter::CollectReports() you are
> missing a REPORT_BYTES call for rtStats.zTotals.unusedGCThings.scope. Do you
> get an assertion when you run the memory reporter? I tried to make the
> assertions so tight that you couldn't fail to add one of the various REPORT
> calls without getting a failure.

I did not get an assertion when dumping memory without the REPORT_BYTES.
(Assignee)

Updated

3 years ago
Depends on: 1291854
(Assignee)

Comment 19

3 years ago
Created attachment 8777702 [details] [diff] [review]
Rollup for fuzzing

Please fuzz.
Attachment #8777702 - Flags: feedback?(gary)
Attachment #8777702 - Flags: feedback?(choller)
(Assignee)

Comment 20

3 years ago
(In reply to Shu-yu Guo [:shu] from comment #19)
> Created attachment 8777702 [details] [diff] [review]
> Rollup for fuzzing
> 
> Please fuzz.

Should apply on top of changeset 1576e7bc1bec.
Comment on attachment 8777702 [details] [diff] [review]
Rollup for fuzzing

(function() {
    "use asm";
    function f() {
        try {} catch (e) {}
        try {} catch (e) {}
    }
    return f
})()

$ ./js-dbg-64-dm-clang-intlDisabled-darwin-1263355-c19-mc-1576e7bc1bec-3d118bd9c426-1576e7bc1bec --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js
Assertion failure: p && p->value()->kind() == DeclarationKind::SimpleCatchParameter, at /Users/skywalker/trees/mozilla-central/js/src/frontend/Parser.cpp:226


Full configuration command with needed environment variables is:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --without-intl-api --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Attachment #8777702 - Flags: feedback?(gary) → feedback-
for (let b in [0]) {
    let b = b ? 0 : 1
}

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Assertion failure: script->isDerivedClassConstructor(), at vm/Interpreter.cpp:3361

eval();
try {} catch (abc) {};

Run with --fuzzing-safe --no-threads --no-baseline --no-ion -D:

Assertion failure: isAllocAllowed(), at gc/Allocator.cpp:201
Please also rebase to m-c tip again when these issues are fixed, assuming the fix for fuzzblocker bug 1291887 lands on m-c. Thanks!
f = ([a = class b extends b {}, b] = [void 0]) => {};
f()

Assertion failure: *scopeForUsedNamesStack_ == overrideScope_, at /home/andre/hg/mozilla-central/js/src/frontend/Parser.h:274



function f(a = (eval("var b"))) {}
f()

Assertion failure: cx->interpreterRegs().pc == frame.script()->code(), at /home/andre/hg/mozilla-central/js/src/vm/EnvironmentObject.cpp:272



new class extends Object { constructor(a = (()=>{delete super[super()]})()) { } }

Hit MOZ_CRASH(unexpected env chain for GetSuperEnvFunction) at /home/andre/hg/mozilla-central/js/src/vm/Interpreter.cpp:1513
(new class extends Array {constructor(a=()=>eval("super()")){ var f = ()=>super(); f() }})(0)

Assertion failure: loc.environmentCoordinate().hops() == 0, at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:3058
let a;
for(let {a = new class extends Array { constructor(){super(a)} }} of [[]]) {
}

Assertion failure: loc.kind() == NameLocation::Kind::Dynamic, at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:3970



let a;
for(let {a = new class extends Array { constructor(){super[a]} }} of [[]]) {
}

Assertion failure: sc->thisBinding() == ThisBinding::Function, at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:6831



let a;
for(let {a = new class extends Array { constructor(b = (a = eval("()=>super()"))){} }} of [[]]) {
}

Assertion failure: hasDefaultsScope, at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:8471
function f(m, k = class C extends Array { }, p = m()) { }
f()

Assertion failure: !parser->usedNames.hasUse(hasUseExactlyInScope), at /home/andre/hg/mozilla-central/js/src/frontend/Parser.cpp:194
> function f(a = (eval("var b"))) {}
> f()

I'll look at this today.
I'll take a look at as many of the classes related bugs as I can.
(Assignee)

Comment 30

3 years ago
Thanks anba :)
(In reply to Shu-yu Guo [:shu] from comment #30)
> Thanks anba :)

\o/



function assertNotSame(expected, actual, message = "") { }
function g3(h = () => arguments) {
  function arguments() { }
  assertNotSame(arguments, h());
}
g3();

Assertion failure: !script()->functionNonDelazifying()->needsDefaultsEnvironment(), at /home/andre/hg/mozilla-central/js/src/jit/IonBuilder.cpp:2154



syntaxParse(`
if (scriptArgs.length === 0) { }
var file = scriptArgs[0];
`);

Assertion failure: collection_, at /home/andre/hg/mozilla-central/js/src/frontend/NameCollections.h:312
Andre, that's a nice fuzzer you're using to find all these!
// jsfunfuzz-generated
gczeal(9);
for (var i in function(){});
s = newGlobal();
aa = f();
function f(x) {
    evalcx(x, s)
}
function h(x) {
    f(x)
}
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/resumption-05.js
h("\
    var g = newGlobal();\
    g.debuggeeGlobal = this;\
    g.eval(\"(\" + function() {\
        var dbg = Debugger(debuggeeGlobal);\
        dbg.onDebuggerStatement = function(frame) {\
            frame.eval(\"f\")\
        }\
    } + \")()\");\
    debugger;\
");
z;

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Assertion failure: false (IsAboutToBeFinalized(&scope_)), at vm/EnvironmentObject.cpp:1231
Depends on: 1292365
Comment on attachment 8777702 [details] [diff] [review]
Rollup for fuzzing

I'm clearing the feedback request here until the issues already found have been fixed. Shu, can you please feedback? me again once you have a new patch for testing? Thanks!
Attachment #8777702 - Flags: feedback?(choller)
function g() {
    for (var j = 0; j < 999; ++j) {
        try {
            k
        } catch (e) {
            try {
                r
            } catch (e) {}
        }
    }
}
function h(code) {
    try {
        f = Function(code)
    } catch (r) {};
    try {
        f()
    } catch (r) {}
    eval("")
}
h("m=function(){};g(m,[,])")
h("=")
h("=")
h("=")
h("startgc(1,'shrinking')")
h("gcparam(\"maxBytes\",gcparam(\"gcBytes\")+4);for(r;;i++){}")

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Crash [@ JSScript::isForEval]
// Adapted from randomly chosen test: js/src/jit-test/tests/parser/yield-in-formal-destructuring.js
function f({
    [e]: {}
}) {}

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Assertion failure: funbox->hasDefaultsScope && funbox->defaultsScopeBindings(), at js/src/frontend/BytecodeEmitter.cpp:938
(Assignee)

Comment 37

3 years ago
Created attachment 8778618 [details] [diff] [review]
Stop cloning LHS for for-in/of loops.

One of anba's fuzz tests,

let a;
for(let {a = new class extends Array { constructor(){super(a)} }} of [[]]) {
}

is caused by the stupid LHS cloning of for-in/of targets. Since the default
expression in the destructuring contains a function, the cloning didn't
clone bindings correctly when cloning the FunctionBox.

I think I removed all other uses of cloning except this one already, so this
kills all cloning.
Attachment #8778618 - Flags: review?(jwalden+bmo)
(Assignee)

Comment 38

3 years ago
Created attachment 8778736 [details] [diff] [review]
Rollup for fuzzing v2

Applies on top of m-c 763fe887c37c
Attachment #8777702 - Attachment is obsolete: true
Attachment #8778736 - Flags: feedback?(gary)
Attachment #8778736 - Flags: feedback?(choller)
This is an automated crash issue comment:

Summary: Assertion failure: NameIsOnEnvironment(si.scope(), name), at js/src/frontend/BytecodeEmitter.cpp:636
Build version: mozilla-central revision e78975b53563+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

let m = parseModule(`
var i = 0;
addThis();
function addThis()
  statusmessages[i] = Number;
`);
m.declarationInstantiation();
m.evaluation();

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000cadf38 in js::frontend::BytecodeEmitter::EmitterScope::searchInEnclosingScope (name=name@entry=0x7fffef700a00, scope=<optimized out>, hops=hops@entry=0 '\000') at js/src/frontend/BytecodeEmitter.cpp:636
#0  0x0000000000cadf38 in js::frontend::BytecodeEmitter::EmitterScope::searchInEnclosingScope (name=name@entry=0x7fffef700a00, scope=<optimized out>, hops=hops@entry=0 '\000') at js/src/frontend/BytecodeEmitter.cpp:636
#1  0x0000000000cbc31e in js::frontend::BytecodeEmitter::EmitterScope::searchAndCache (this=this@entry=0x7fffffffbad0, bce=<optimized out>, bce@entry=0x7fffffffbe30, name=name@entry=0x7fffef700a00) at js/src/frontend/BytecodeEmitter.cpp:766
#2  0x0000000000ce4d0e in js::frontend::BytecodeEmitter::EmitterScope::lookup (this=0x7fffffffbad0, bce=bce@entry=0x7fffffffbe30, name=name@entry=0x7fffef700a00) at js/src/frontend/BytecodeEmitter.cpp:508
#3  0x0000000000ce69e7 in js::frontend::BytecodeEmitter::lookupName (name=<optimized out>, this=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:1523
#4  js::frontend::BytecodeEmitter::emitGetName (this=0x7fffffffbe30, name=0x7fffef700a00, callContext=<optimized out>) at js/src/frontend/BytecodeEmitter.h:534
#5  0x0000000000cc39c5 in js::frontend::BytecodeEmitter::emitGetName (callContext=false, pn=0x7ffff69a5138, this=0x7fffffffbe30) at js/src/frontend/BytecodeEmitter.cpp:3009
#6  js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbe30, pn=0x7ffff69a5138, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9135
#7  0x0000000000cc4633 in js::frontend::BytecodeEmitter::emitElemOperands (this=0x7fffffffbe30, pn=0x7ffff69a5168, opts=js::frontend::BytecodeEmitter::EmitElemOption::Get) at js/src/frontend/BytecodeEmitter.cpp:3400
#8  0x0000000000cd247b in js::frontend::BytecodeEmitter::emitAssignment (this=this@entry=0x7fffffffbe30, lhs=0x7ffff69a5168, op=JSOP_NOP, rhs=0x7ffff69a5198) at js/src/frontend/BytecodeEmitter.cpp:4851
#9  0x0000000000cc3810 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbe30, pn=0x7ffff69a51c8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8939
#10 0x0000000000cccb68 in js::frontend::BytecodeEmitter::emitReturn (this=0x7fffffffbe30, pn=0x7ffff69a51f8) at js/src/frontend/BytecodeEmitter.cpp:6964
#11 0x0000000000cc3e8b in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffbe30, pn=pn@entry=0x7ffff69a51f8, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8887
#12 0x0000000000cc9e23 in js::frontend::BytecodeEmitter::emitLexicalScopeBody (this=<optimized out>, body=body@entry=0x7ffff69a51f8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:5556
#13 0x0000000000cd427a in js::frontend::BytecodeEmitter::emitLexicalScope (this=this@entry=0x7fffffffbe30, pn=pn@entry=0x7ffff69a5228) at js/src/frontend/BytecodeEmitter.cpp:5570
#14 0x0000000000cc3fcb in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbe30, pn=pn@entry=0x7ffff69a5228, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9062
#15 0x0000000000cd18fb in js::frontend::BytecodeEmitter::emitFunctionBody (this=0x7fffffffbe30, funBody=0x7ffff69a5228) at js/src/frontend/BytecodeEmitter.cpp:8623
#16 0x0000000000cc30e2 in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody (this=this@entry=0x7fffffffbe30, pn=pn@entry=0x7ffff69a50d8) at js/src/frontend/BytecodeEmitter.cpp:8485
#17 0x0000000000cc3cbb in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbe30, pn=pn@entry=0x7ffff69a50d8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8822
#18 0x0000000000cc50e2 in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7fffffffbe30, body=0x7ffff69a50d8) at js/src/frontend/BytecodeEmitter.cpp:4156
#19 0x0000000000cc78d1 in js::frontend::CompileLazyFunction (cx=cx@entry=0x7ffff693f000, lazy=..., lazy@entry=..., chars=<optimized out>, length=<optimized out>) at js/src/frontend/BytecodeCompiler.cpp:674
#20 0x000000000090338c in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7ffff693f000, fun=fun@entry=...) at js/src/jsfun.cpp:1505
#21 0x00000000004647d4 in JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/jsfun.h:397
#22 0x0000000000acb1de in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:2919
#23 0x0000000000ad6c35 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#24 0x0000000000adf601 in js::ExecuteKernel (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffef307140) at js/src/vm/Interpreter.cpp:681
#25 0x0000000000adfa48 in js::Execute (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x7fffef307140) at js/src/vm/Interpreter.cpp:714
#26 0x0000000000c1babf in js::ModuleObject::evaluate (cx=cx@entry=0x7ffff693f000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:915
#27 0x0000000000b2fc64 in intrinsic_EvaluateModule (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=0x7fffef307140) at js/src/vm/SelfHosting.cpp:2201
#28 0x0000000000ae6a4b in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0xb2fbd0 <intrinsic_EvaluateModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#45 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7523
This is an automated crash issue comment:

Summary: Assertion failure: loc->kind() != NameLocation::Kind::FrameSlot, at js/src/frontend/BytecodeEmitter.cpp:773
Build version: mozilla-central revision e78975b53563+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

let m = parseModule(`
  var expect = '';
  var [ ... of  ]  = ( ... of  ) => expect;
`);

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000cbc62e in js::frontend::BytecodeEmitter::EmitterScope::searchAndCache (this=this@entry=0x7fffffffb950, bce=<optimized out>, bce@entry=0x7fffffffbc40, name=name@entry=0x7fffef791e20) at js/src/frontend/BytecodeEmitter.cpp:773
#0  0x0000000000cbc62e in js::frontend::BytecodeEmitter::EmitterScope::searchAndCache (this=this@entry=0x7fffffffb950, bce=<optimized out>, bce@entry=0x7fffffffbc40, name=name@entry=0x7fffef791e20) at js/src/frontend/BytecodeEmitter.cpp:773
#1  0x0000000000ce4d0e in js::frontend::BytecodeEmitter::EmitterScope::lookup (this=0x7fffffffb950, bce=bce@entry=0x7fffffffbc40, name=name@entry=0x7fffef791e20) at js/src/frontend/BytecodeEmitter.cpp:508
#2  0x0000000000ce69e7 in js::frontend::BytecodeEmitter::lookupName (name=<optimized out>, this=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:1523
#3  js::frontend::BytecodeEmitter::emitGetName (this=0x7fffffffbc40, name=0x7fffef791e20, callContext=<optimized out>) at js/src/frontend/BytecodeEmitter.h:534
#4  0x0000000000cc39c5 in js::frontend::BytecodeEmitter::emitGetName (callContext=false, pn=0x7ffff69a5318, this=0x7fffffffbc40) at js/src/frontend/BytecodeEmitter.cpp:3009
#5  js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbc40, pn=0x7ffff69a5318, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9135
#6  0x0000000000cccb68 in js::frontend::BytecodeEmitter::emitReturn (this=0x7fffffffbc40, pn=0x7ffff69a5348) at js/src/frontend/BytecodeEmitter.cpp:6964
#7  0x0000000000cc3e8b in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffbc40, pn=pn@entry=0x7ffff69a5348, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8887
#8  0x0000000000cc9e23 in js::frontend::BytecodeEmitter::emitLexicalScopeBody (this=<optimized out>, body=body@entry=0x7ffff69a5348, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:5556
#9  0x0000000000cd427a in js::frontend::BytecodeEmitter::emitLexicalScope (this=this@entry=0x7fffffffbc40, pn=pn@entry=0x7ffff69a5378) at js/src/frontend/BytecodeEmitter.cpp:5570
#10 0x0000000000cc3fcb in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbc40, pn=pn@entry=0x7ffff69a5378, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9062
#11 0x0000000000cd18fb in js::frontend::BytecodeEmitter::emitFunctionBody (this=0x7fffffffbc40, funBody=0x7ffff69a5378) at js/src/frontend/BytecodeEmitter.cpp:8623
#12 0x0000000000cc30e2 in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody (this=this@entry=0x7fffffffbc40, pn=pn@entry=0x7ffff69a52b8) at js/src/frontend/BytecodeEmitter.cpp:8485
#13 0x0000000000cc3cbb in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbc40, pn=pn@entry=0x7ffff69a52b8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8822
#14 0x0000000000cc50e2 in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7fffffffbc40, body=0x7ffff69a52b8) at js/src/frontend/BytecodeEmitter.cpp:4156
#15 0x0000000000cc5c18 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0x7fffffffc508, pn=pn@entry=0x7ffff69a5200, needsProto=needsProto@entry=false) at js/src/frontend/BytecodeEmitter.cpp:6643
#16 0x0000000000cc38dd in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc508, pn=0x7ffff69a5200, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8817
#17 0x0000000000ccc8c4 in js::frontend::BytecodeEmitter::emitDeclarationList (this=this@entry=0x7fffffffc508, declList=declList@entry=0x7ffff69a5110) at js/src/frontend/BytecodeEmitter.cpp:4721
#18 0x0000000000cc37c3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc508, pn=pn@entry=0x7ffff69a5110, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9068
#19 0x0000000000ccd74e in js::frontend::BytecodeEmitter::emitStatementList (this=0x7fffffffc508, pn=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7234
#20 0x0000000000cc3a3b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc508, pn=pn@entry=0x7ffff69a5050, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8907
#21 0x0000000000cd70ad in js::frontend::BytecodeEmitter::emitScript (this=0x7fffffffc508, body=body@entry=0x7ffff69a5050) at js/src/frontend/BytecodeEmitter.cpp:4098
#22 0x0000000000cd8425 in BytecodeCompiler::compileModule (this=this@entry=0x7fffffffc940) at js/src/frontend/BytecodeCompiler.cpp:414
#23 0x0000000000cd897d in js::frontend::CompileModule (cx=cx@entry=0x7ffff693f000, optionsInput=..., srcBuf=..., alloc=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:602
#24 0x0000000000cd8b69 in js::frontend::CompileModule (cx=cx@entry=0x7ffff693f000, options=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:613
#25 0x0000000000453239 in ParseModule (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=0x7fffef307090) at js/src/shell/js.cpp:3610
#26 0x0000000000ae6a4b in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0x452f20 <ParseModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#39 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7523
Comment on attachment 8778736 [details] [diff] [review]
Rollup for fuzzing v2

Feedback- based on last comment. Unfortunately, these two crashes occur very frequently (> 2x per minute with only 2 machines), so I have to stop testing until they have been fixed.

Please feedback? again with new patch once you have it. I'll be glad to give it another round of testing then :)
Attachment #8778736 - Flags: feedback?(choller) → feedback-
Depends on: 1293246
function f14(g = 0) {
  { function g() { return "g" } }
}
f14();

Assertion failure: lhsLoc->bindingKind() == BindingKind::Var || lhsLoc->bindingKind() == BindingKind::FormalParameter, at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:6578
(function(p = null){
  var q;
  (function() { q })();
})();

Assertion failure: this->is<T>(), at /home/andre/hg/mozilla-central/js/src/jsobj.h:562
{ function c() {} }
class c { }

Assertion failure: !pc->sc()->strict(), at /home/andre/hg/mozilla-central/js/src/frontend/Parser.cpp:155
(Assignee)

Comment 45

3 years ago
Created attachment 8779069 [details] [diff] [review]
0001-Bug-1263355-Rewrite-the-frontend-bindings.patch

Round 3.
Attachment #8778736 - Attachment is obsolete: true
Attachment #8778736 - Flags: feedback?(gary)
Attachment #8779069 - Flags: feedback?(gary)
Attachment #8779069 - Flags: feedback?(choller)
(Assignee)

Comment 46

3 years ago
Created attachment 8779082 [details] [diff] [review]
Rewrite the frontend: bindings.

New version with fixes for fuzz tests incorporated.
Attachment #8779082 - Flags: review?(winter2718)
Attachment #8779082 - Flags: review?(jwalden+bmo)
Attachment #8779082 - Flags: review?(jorendorff)
Attachment #8779082 - Flags: review?(efaustbmo)
(Assignee)

Updated

3 years ago
Attachment #8776230 - Attachment is obsolete: true
Attachment #8776230 - Flags: review?(winter2718)
Attachment #8776230 - Flags: review?(jwalden+bmo)
Attachment #8776230 - Flags: review?(jorendorff)
Attachment #8776230 - Flags: review?(efaustbmo)
Are we adding the found fuzzer test cases to the test suite?
Flags: needinfo?(shu)
(In reply to Shu-yu Guo [:shu] from comment #45)
> Created attachment 8779069 [details] [diff] [review]
> 0001-Bug-1263355-Rewrite-the-frontend-bindings.patch
> 
> Round 3.

This applies to m-c rev e78975b53563.
Comment on attachment 8778618 [details] [diff] [review]
Stop cloning LHS for for-in/of loops.

Review of attachment 8778618 [details] [diff] [review]:
-----------------------------------------------------------------

Hm, I guess this is totally doable now that we don't need a separate node to record the binding's existence, that can't be a definition.  Woo!

::: js/src/frontend/BytecodeEmitter.cpp
@@ +6338,5 @@
>      int loopDepth = this->stackDepth;
>  #endif
>  
>      // Emit code to assign result.value to the iteration variable.
> +    if (!emit1(JSOP_DUP))                                      // ITER RESULT RESULT

If the emitAssignment can't be so aligned, I would modify its alignment *only* -- or put the annotation on the return-line.  Wouldn't bother realigning the entire function, it's not something we've done before for this sort of thing -- and we've aligned this stuff consistently across function bodies, believe it or not.

::: js/src/frontend/FullParseHandler.h
@@ +580,5 @@
>      ParseNode* newForHead(ParseNodeKind kind, ParseNode* pn1, ParseNode* pn2, ParseNode* pn3,
>                            const TokenPos& pos)
>      {
>          MOZ_ASSERT(kind == PNK_FORIN || kind == PNK_FOROF || kind == PNK_FORHEAD);
> +        MOZ_ASSERT_IF(kind == PNK_FORIN || kind == PNK_FOROF, !pn2);

With newForHead split in two per Parser.cpp comments, this assert doesn't need to exist because the argument can just be removed.

::: js/src/frontend/ParseNode.cpp
@@ +356,2 @@
>        // the for-loop (and null if not).  The second child is the expression or
>        // pattern assigned every loop, and the third child is the expression

This "second child" bit needs changing, and in the rest of the comment below.

::: js/src/frontend/ParseNode.h
@@ +248,5 @@
>   *                          pn_right: body
>   * PNK_COMPREHENSIONFOR     pn_left: either PNK_FORIN or PNK_FOROF
>   *              binary      pn_right: body
> + * PNK_FORIN    ternary     pn_kid1: declaration or expression to left of 'in'
> + *                          pn_kid2: null

At least file a bug to remove this mandatory-null kid in the future, please (same for PNK_FOROF).

::: js/src/frontend/Parser.cpp
@@ +5220,5 @@
>  
>          // Parser::declaration consumed everything up to the closing ')'.  That
>          // token follows an {Assignment,}Expression, so the next token must be
>          // consumed as if an operator continued the expression, i.e. as None.
>          modifier = TokenStream::None;

Effectively at this point, outside the block we have MUST_MATCH_TOKEN(')') and then newForHead.  Both the if-block and the else-block set |modifier| so the shared MMT has the right modifier.  So we have two assignments and one MMT.

But we could instead have two MMT directly using the |modifier| assignment RHS.  This would be more compact, and because of the lack of indirection through a name, it would be more readable.  And with that change made, we could have newForHead for for(;;) loops, and we could have newForInOfHead (accepting only two kids) for for(...in/of...) loops, and perform each in the proper block.  This eliminates the confusion of the pn{1,2,3} names and having to share them between both blocks, which is a huge readability stumbling block.

So please do all this while you're changing this.
Attachment #8778618 - Flags: review?(jwalden+bmo) → review+
(Assignee)

Comment 50

3 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #47)
> Are we adding the found fuzzer test cases to the test suite?

Yes, I've been adding them to jit-tests as they pop up.
Flags: needinfo?(shu)
(Assignee)

Comment 51

3 years ago
Created attachment 8779153 [details] [diff] [review]
Rollup for fuzzing v4

Applies on top of m-c 720b5d2c84d5
Attachment #8779153 - Flags: feedback?(gary)
Attachment #8779153 - Flags: feedback?(choller)
(Assignee)

Updated

3 years ago
Attachment #8779069 - Attachment is obsolete: true
Attachment #8779069 - Flags: feedback?(gary)
Attachment #8779069 - Flags: feedback?(choller)
Comment on attachment 8779153 [details] [diff] [review]
Rollup for fuzzing v4

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/bug1272908.js
g = newGlobal();
g.parent = this;
g.eval("(" + function() {
    Debugger(parent).onExceptionUnwind = function(frame)
    frame.eval("")
} + ")()");
function ERROR(msg) {
    throw new Error("boom");
}
var dbg = new Debugger;
dbg.onNewGlobalObject = ERROR;
oomTest(function() {
    newGlobal();
})

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Assertion failure: !cx->isExceptionPending(), at js/src/vm/Debugger.cpp:2009
Attachment #8779153 - Flags: feedback?(gary) → feedback-
Created attachment 8779188 [details]
OOM_VERBOSE=1 stack from m-c rev 720b5d2c84d5

with patch v4
(function() {
    "use asm";
    var [] = 0;
})()

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Assertion failure: isKind(PNK_FUNCTION) || isKind(PNK_NAME), at js/src/frontend/ParseNode-inl.h:20
(Assignee)

Comment 55

3 years ago
Created attachment 8779243 [details] [diff] [review]
Rollup for fuzzing v5

Still on top of m-c 720b5d2c84d5
Attachment #8779153 - Attachment is obsolete: true
Attachment #8779153 - Flags: feedback?(choller)
Attachment #8779243 - Flags: feedback?(gary)
Attachment #8779243 - Flags: feedback?(choller)
Comment on attachment 8779243 [details] [diff] [review]
Rollup for fuzzing v5

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Frame-onPop-error-scope-unwind-02.js
var g = newGlobal();
var dbg = new Debugger(g);
dbg.onEnterFrame = function(f) {
    (f.environment.getVariable("e") == 0);
};
g.eval("" + function f() {
    try {
        throw 42;
    } catch (e) {
        noSuchFn(e);
    }
});
g.eval("f();");


Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Assertion failure: maybecx->isThrowingOutOfMemory(), at js/src/jscntxt.cpp:901
Attachment #8779243 - Flags: feedback?(gary) → feedback-
This is an automated crash issue comment:

Summary: Assertion failure: script->isDerivedClassConstructor(), at js/src/vm/Interpreter.cpp:3366
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

let m = parseModule(`
  const root = newGlobal();
  minorgc();
  root.eval();
`);
m.declarationInstantiation();
m.evaluation();

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000ad5243 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3366
#0  0x0000000000ad5243 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3366
#1  0x0000000000ad5f45 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#2  0x0000000000ade911 in js::ExecuteKernel (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffef307140) at js/src/vm/Interpreter.cpp:681
#3  0x0000000000aded58 in js::Execute (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x7fffef307140) at js/src/vm/Interpreter.cpp:714
#4  0x0000000000c1b41f in js::ModuleObject::evaluate (cx=cx@entry=0x7ffff693f000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:915
#5  0x0000000000b2f574 in intrinsic_EvaluateModule (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=0x7fffef307140) at js/src/vm/SelfHosting.cpp:2201
#6  0x0000000000ae5d5b in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0xb2f4e0 <intrinsic_EvaluateModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
This is an automated crash issue comment:

Summary: Assertion failure: lookupName(name).hasKnownSlot(), at js/src/frontend/BytecodeEmitter.cpp:4005
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

function TestFunction_4(get, b, [] = status, d, e) {
    var arguments = "FAIL";
}

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000cbed30 in js::frontend::BytecodeEmitter::emitInitializeFunctionSpecialName (this=this@entry=0x7fffffffc9c0, name=..., initialOp=initialOp@entry=JSOP_ARGUMENTS) at js/src/frontend/BytecodeEmitter.cpp:4005
#0  0x0000000000cbed30 in js::frontend::BytecodeEmitter::emitInitializeFunctionSpecialName (this=this@entry=0x7fffffffc9c0, name=..., initialOp=initialOp@entry=JSOP_ARGUMENTS) at js/src/frontend/BytecodeEmitter.cpp:4005
#1  0x0000000000cbef6f in js::frontend::BytecodeEmitter::emitInitializeFunctionSpecialNames (this=0x7fffffffc9c0) at js/src/frontend/BytecodeEmitter.cpp:8622
#2  0x0000000000cc4d6f in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody (this=this@entry=0x7fffffffc9c0, pn=pn@entry=0x7ffff69a5190) at js/src/frontend/BytecodeEmitter.cpp:8424
#3  0x0000000000cc5bfb in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc9c0, pn=pn@entry=0x7ffff69a5190, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8841
#4  0x0000000000cc6fe2 in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7fffffffc9c0, body=0x7ffff69a5190) at js/src/frontend/BytecodeEmitter.cpp:4166
#5  0x0000000000cc7aa8 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5050, needsProto=needsProto@entry=false) at js/src/frontend/BytecodeEmitter.cpp:6662
#6  0x0000000000cc581d in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5050, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8836
#7  0x0000000000cd13ce in js::frontend::BytecodeEmitter::emitStatementList (this=0x7fffffffced8, pn=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7253
#8  0x0000000000cc597b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5020, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8926
#9  0x0000000000ccbf1d in js::frontend::BytecodeEmitter::emitScript (this=0x7fffffffced8, body=body@entry=0x7ffff69a5020) at js/src/frontend/BytecodeEmitter.cpp:4108
#10 0x0000000000ccc64f in BytecodeCompiler::compileScript (this=this@entry=0x7fffffffd280, environment=environment@entry=..., sc=sc@entry=0x7fffffffd230) at js/src/frontend/BytecodeCompiler.cpp:349
#11 0x0000000000cccc74 in BytecodeCompiler::compileGlobalScript (scopeKind=<optimized out>, this=0x7fffffffd280) at js/src/frontend/BytecodeCompiler.cpp:376
#12 js::frontend::CompileGlobalScript (cx=cx@entry=0x7ffff693f000, alloc=..., scopeKind=scopeKind@entry=js::ScopeKind::Global, options=..., srcBuf=..., extraSct=extraSct@entry=0x0, sourceObjectOut=0x0) at js/src/frontend/BytecodeCompiler.cpp:568
#13 0x00000000008b3f65 in Compile (cx=cx@entry=0x7ffff693f000, options=..., scopeKind=scopeKind@entry=js::ScopeKind::Global, srcBuf=..., script=..., script@entry=...) at js/src/jsapi.cpp:3891
[...]
This is an automated crash issue comment:

Summary: Assertion failure: kind_ != Kind::Dynamic, at js/src/frontend/NameAnalysisTypes.h:323
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

var lfLogBuffer = `
function testcase( []  = (function() { return x++; }), get, target, ... f1)  {
        return function () {
        } ( ... 2 || (this)  ? (yield)  : (yield)) ;
    }
`;
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
while (true) {
    var line = lfLogBuffer.shift();
    if (line == null) {
        break;
    } else {
        lfCodeBuffer += line + "\n";
    }
}
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(lfVarx) {
    eval(lfVarx);
}

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000cdc3cc in js::frontend::NameLocation::bindingKind (this=<optimized out>) at js/src/frontend/NameAnalysisTypes.h:323
#0  0x0000000000cdc3cc in js::frontend::NameLocation::bindingKind (this=<optimized out>) at js/src/frontend/NameAnalysisTypes.h:323
#1  0x0000000000cd208f in js::frontend::BytecodeEmitter::isRestParameter (result=0x7fffffffb27f, pn=0x7ffff69a5660, this=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7573
#2  js::frontend::BytecodeEmitter::emitOptimizeSpread (this=0x7fffffffba10, arg0=0x7ffff69a5660, jmp=0x7fffffffb310, emitted=0x7fffffffb30f) at js/src/frontend/BytecodeEmitter.cpp:7599
#3  0x0000000000cd43c4 in js::frontend::BytecodeEmitter::emitCallOrNew (this=this@entry=0x7fffffffba10, pn=pn@entry=0x7ffff69a5570) at js/src/frontend/BytecodeEmitter.cpp:7781
#4  0x0000000000cc5923 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffba10, pn=0x7ffff69a5570, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9076
#5  0x0000000000cd07e8 in js::frontend::BytecodeEmitter::emitReturn (this=0x7fffffffba10, pn=0x7ffff69a5720) at js/src/frontend/BytecodeEmitter.cpp:6983
#6  0x0000000000cc5dcb in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffba10, pn=pn@entry=0x7ffff69a5720, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8906
#7  0x0000000000cd13ce in js::frontend::BytecodeEmitter::emitStatementList (this=0x7fffffffba10, pn=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7253
#8  0x0000000000cc597b in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffba10, pn=pn@entry=0x7ffff69a5488, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8926
#9  0x0000000000ccbd93 in js::frontend::BytecodeEmitter::emitLexicalScopeBody (this=<optimized out>, body=body@entry=0x7ffff69a5488, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:5566
#10 0x0000000000cd7e1a in js::frontend::BytecodeEmitter::emitLexicalScope (this=this@entry=0x7fffffffba10, pn=pn@entry=0x7ffff69a5750) at js/src/frontend/BytecodeEmitter.cpp:5580
#11 0x0000000000cc5f0b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffba10, pn=pn@entry=0x7ffff69a5750, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9081
#12 0x0000000000cd549b in js::frontend::BytecodeEmitter::emitFunctionBody (this=0x7fffffffba10, funBody=0x7ffff69a5750) at js/src/frontend/BytecodeEmitter.cpp:8642
#13 0x0000000000cc53f3 in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody (this=this@entry=0x7fffffffba10, pn=pn@entry=0x7ffff69a5190) at js/src/frontend/BytecodeEmitter.cpp:8473
#14 0x0000000000cc5bfb in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffba10, pn=pn@entry=0x7ffff69a5190, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8841
#15 0x0000000000cc6fe2 in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7fffffffba10, body=0x7ffff69a5190) at js/src/frontend/BytecodeEmitter.cpp:4166
#16 0x0000000000cc7aa8 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0x7fffffffc028, pn=pn@entry=0x7ffff69a5050, needsProto=needsProto@entry=false) at js/src/frontend/BytecodeEmitter.cpp:6662
#17 0x0000000000cc581d in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc028, pn=pn@entry=0x7ffff69a5050, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8836
#18 0x0000000000ccac55 in js::frontend::BytecodeEmitter::emitHoistedFunctionsInList (this=0x7fffffffc028, list=list@entry=0x7ffff69a5020) at js/src/frontend/BytecodeEmitter.cpp:5546
#19 0x0000000000ccbda6 in js::frontend::BytecodeEmitter::emitLexicalScopeBody (this=0x7fffffffc028, body=body@entry=0x7ffff69a5020, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:5561
#20 0x0000000000cd7e1a in js::frontend::BytecodeEmitter::emitLexicalScope (this=this@entry=0x7fffffffc028, pn=pn@entry=0x7ffff69a57c0) at js/src/frontend/BytecodeEmitter.cpp:5580
#21 0x0000000000cc5f0b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc028, pn=pn@entry=0x7ffff69a57c0, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9081
#22 0x0000000000ccbf1d in js::frontend::BytecodeEmitter::emitScript (this=0x7fffffffc028, body=body@entry=0x7ffff69a57c0) at js/src/frontend/BytecodeEmitter.cpp:4108
#23 0x0000000000ccc64f in BytecodeCompiler::compileScript (this=this@entry=0x7fffffffc400, environment=environment@entry=..., sc=sc@entry=0x7fffffffc390) at js/src/frontend/BytecodeCompiler.cpp:349
#24 0x0000000000ccca67 in BytecodeCompiler::compileEvalScript (enclosingScope=..., environment=..., this=0x7fffffffc400) at js/src/frontend/BytecodeCompiler.cpp:384
#25 js::frontend::CompileEvalScript (cx=cx@entry=0x7ffff693f000, alloc=..., environment=environment@entry=..., enclosingScope=enclosingScope@entry=..., options=..., srcBuf=..., extraSct=0x0, sourceObjectOut=0x0) at js/src/frontend/BytecodeCompiler.cpp:583
#26 0x00000000009ef535 in EvalKernel (cx=cx@entry=0x7ffff693f000, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., env=env@entry=..., pc=<optimized out>, vp=...) at js/src/builtin/Eval.cpp:318
#27 0x00000000009efcd1 in js::DirectEval (cx=0x7ffff693f000, v=..., vp=...) at js/src/builtin/Eval.cpp:438
[...]
This is an automated crash issue comment:

Summary: Assertion failure: is<T>(), at js/src/vm/Scope.h:222
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

let m = parseModule(`
  gczeal(4,1);
  class base {}
  class derived extends base {}
`);
m.declarationInstantiation();
m.evaluation();

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000ab3888 in js::Scope::as<js::LexicalScope> (this=<optimized out>) at js/src/vm/Scope.h:222
#0  0x0000000000ab3888 in js::Scope::as<js::LexicalScope> (this=<optimized out>) at js/src/vm/Scope.h:222
#1  js::ReportRuntimeLexicalError (cx=0x7ffff693f000, errorNumber=71, script=..., pc=<optimized out>) at js/src/vm/Interpreter.cpp:4992
#2  0x0000000000ad3d65 in js::ReportUninitializedLexical (pc=<optimized out>, script=..., cx=<optimized out>) at js/src/vm/Interpreter-inl.h:111
#3  js::CheckUninitializedLexical (val=..., pc=<optimized out>, script=..., cx=<optimized out>) at js/src/vm/Interpreter-inl.h:129
#4  Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3292
#5  0x0000000000ad5f45 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#6  0x0000000000ade911 in js::ExecuteKernel (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffef307140) at js/src/vm/Interpreter.cpp:681
#7  0x0000000000aded58 in js::Execute (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x7fffef307140) at js/src/vm/Interpreter.cpp:714
#8  0x0000000000c1b41f in js::ModuleObject::evaluate (cx=cx@entry=0x7ffff693f000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:915
#9  0x0000000000b2f574 in intrinsic_EvaluateModule (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=0x7fffef307140) at js/src/vm/SelfHosting.cpp:2201
#10 0x0000000000ae5d5b in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0xb2f4e0 <intrinsic_EvaluateModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
This is an automated crash issue comment:

Summary: Hit MOZ_CRASH(No binding) at js/src/jsopcode.cpp:1375
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

function test(a, b, c, d, e, {} = "zmi") {
    var r = 0
    r += Math.min(a, b, c, r.script.getLineOffsets(g.line0 + 3), e);
}
test();

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x000000000096d122 in (anonymous namespace)::ExpressionDecompiler::getLocal (pc=<optimized out>, local=<optimized out>, this=<optimized out>) at js/src/jsopcode.cpp:1375
#0  0x000000000096d122 in (anonymous namespace)::ExpressionDecompiler::getLocal (pc=<optimized out>, local=<optimized out>, this=<optimized out>) at js/src/jsopcode.cpp:1375
#1  (anonymous namespace)::ExpressionDecompiler::decompilePC (this=this@entry=0x7fffffffd200, pc=<optimized out>) at js/src/jsopcode.cpp:1187
#2  0x000000000097054b in (anonymous namespace)::ExpressionDecompiler::decompilePCForStackOperand (this=this@entry=0x7fffffffd200, pc=<optimized out>, pc@entry=0x7fffef4cffb1 "5", i=i@entry=-1) at js/src/jsopcode.cpp:1140
#3  0x000000000096cbdb in (anonymous namespace)::ExpressionDecompiler::decompilePC (this=this@entry=0x7fffffffd200, pc=0x7fffef4cffb1 "5") at js/src/jsopcode.cpp:1200
#4  0x000000000096efe6 in DecompileExpressionFromStack (cx=cx@entry=0x7ffff693f000, spindex=<optimized out>, skipStackHits=skipStackHits@entry=0, v=..., v@entry=..., res=res@entry=0x7fffffffd758) at js/src/jsopcode.cpp:1492
#5  0x000000000096f1db in js::DecompileValueGenerator (cx=cx@entry=0x7ffff693f000, spindex=spindex@entry=1, v=v@entry=..., fallbackArg=..., skipStackHits=skipStackHits@entry=0) at js/src/jsopcode.cpp:1505
#6  0x00000000008c5809 in js::ReportIsNullOrUndefined (cx=cx@entry=0x7ffff693f000, spindex=spindex@entry=1, v=..., v@entry=..., fallback=..., fallback@entry=...) at js/src/jscntxt.cpp:806
#7  0x000000000096bfb7 in js::ToObjectSlow (cx=0x7ffff693f000, val=..., reportScanStack=<optimized out>) at js/src/jsobj.cpp:3195
#8  0x0000000000ada74c in js::GetProperty (cx=0x7ffff693f000, v=..., name=..., vp=...) at js/src/vm/Interpreter.cpp:4211
#9  0x0000000000acac90 in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter.cpp:190
#10 Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:2624
[...]
This is an automated crash issue comment:

Summary: Assertion failure: v.isUndefined(), at js/src/jsnum.cpp:1607
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

let m = parseModule(`
  try {
    var z = (gczeal(9));
  } catch (z) {}
  const HALF_COUNT = 7500;
  for (var i = 0; i < HALF_COUNT; i++)
  var handler = {
    ownKeys(t) {}
  };
`);
m.declarationInstantiation();
m.evaluation();

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x000000000095c3ca in js::ToNumberSlow (cx=0x7ffff693f000, v=..., out=0x7fffffffc060) at js/src/jsnum.cpp:1607
#0  0x000000000095c3ca in js::ToNumberSlow (cx=0x7ffff693f000, v=..., out=0x7fffffffc060) at js/src/jsnum.cpp:1607
#1  0x000000000080f9df in js::LessThanOperation (res=0x7fffffffc0df, rhs=..., lhs=..., cx=0x7ffff693f000) at js/src/vm/Interpreter-inl.h:681
#2  js::jit::LessThan (cx=cx@entry=0x7ffff693f000, lhs=lhs@entry=..., rhs=rhs@entry=..., res=res@entry=0x7fffffffc0df) at js/src/jit/VMFunctions.cpp:270
#3  0x00000000007eee3e in js::jit::DoCompareFallback (cx=0x7ffff693f000, payload=<optimized out>, stub_=<optimized out>, lhs=..., rhs=..., ret=...) at js/src/jit/SharedIC.cpp:1615
#4  0x00007ffff7e40c3a in ?? ()
[...]
#24 0x0000000000000000 in ?? ()
This is an automated crash issue comment:

Summary: Assertion failure: !isExtensible() && v.isPrivateGCThing(), at js/src/vm/EnvironmentObject.h:427
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

const libdir = "/srv/repos/mozilla-central/js/src/jit-test/lib/";
load(libdir + "evalInFrame.js");
evalInFrame(1, "a = 43");
let a = 42;

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000a6a7c0 in js::LexicalEnvironmentObject::scope (this=0x7fffef776040) at js/src/vm/EnvironmentObject.h:427
#0  0x0000000000a6a7c0 in js::LexicalEnvironmentObject::scope (this=0x7fffef776040) at js/src/vm/EnvironmentObject.h:427
#1  0x0000000000a2d4f4 in js::DebugEnvironmentProxy::isOptimizedOut (this=0x7fffef778180) at js/src/vm/EnvironmentObject.cpp:2255
#2  0x0000000000a463b2 in (anonymous namespace)::DebugEnvironmentProxyHandler::set (this=<optimized out>, cx=0x7ffff693f000, proxy=..., id=..., v=..., receiver=..., result=...) at js/src/vm/EnvironmentObject.cpp:2029
#3  0x00000000009c161c in js::Proxy::set (cx=0x7ffff693f000, proxy=..., id=..., v=..., receiver_=..., result=...) at js/src/proxy/Proxy.cpp:334
#4  0x000000000094957f in JSObject::nonNativeSetProperty (cx=cx@entry=0x7ffff693f000, obj=..., id=..., v=..., receiver=..., result=...) at js/src/jsobj.cpp:1042
#5  0x0000000000afcc2e in js::SetProperty (cx=cx@entry=0x7ffff693f000, obj=..., id=..., id@entry=..., v=..., v@entry=..., receiver=..., receiver@entry=..., result=...) at js/src/vm/NativeObject.h:1494
#6  0x0000000000afd4dc in js::SetNameOperation (cx=0x7ffff693f000, script=<optimized out>, pc=<optimized out>, env=..., val=...) at js/src/vm/Interpreter-inl.h:289
#7  0x0000000000aca9d1 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:2683
#8  0x0000000000ad5f45 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#9  0x0000000000ade911 in js::ExecuteKernel (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=result@entry=0x7fffffffcaa0) at js/src/vm/Interpreter.cpp:681
#10 0x0000000000a57799 in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, pc=<optimized out>, frame=..., env=..., cx=0x7ffff693f000, chars=...) at js/src/vm/Debugger.cpp:7906
#11 DebuggerGenericEval (cx=cx@entry=0x7ffff693f000, bindings=..., bindings@entry=..., options=..., vp=..., dbg=0x7ffff6985800, scope=..., iter=0x7fffffffcf38, chars=...) at js/src/vm/Debugger.cpp:7991
#12 0x0000000000a5870d in DebuggerFrame_eval (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8013
#13 0x0000000000ae5d5b in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0xa582d0 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#14 0x0000000000ad60f3 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff693f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:454
#15 0x0000000000ad6446 in InternalCall (cx=cx@entry=0x7ffff693f000, args=...) at js/src/vm/Interpreter.cpp:499
#16 0x0000000000ad659e in js::Call (cx=cx@entry=0x7ffff693f000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:518
#17 0x0000000000a03dab in js::Wrapper::call (this=this@entry=0x1d9b860 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff693f000, proxy=..., proxy@entry=..., args=...) at js/src/proxy/Wrapper.cpp:165
#18 0x00000000009c6e43 in js::CrossCompartmentWrapper::call (this=0x1d9b860 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff693f000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:329
#19 0x00000000009c1803 in js::Proxy::call (cx=cx@entry=0x7ffff693f000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:401
#20 0x00000000009c1908 in js::proxy_Call (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:690
#21 0x0000000000ae5d5b in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0x9c1870 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#22 0x0000000000ad62f7 in js::InternalCallOrConstruct (cx=0x7ffff693f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:442
#23 0x0000000000ad1268 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:505
#24 Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:2907
#25 0x0000000000ad5f45 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400

This test requires evalInFrame.js from the tree to reproduce. I normally reduce these further manually by inlining the included library, but I guess in this case that would be unnecessary additional work.
for (var i = 0; i < 1; i++) {
    L: break;
}

Run with --fuzzing-safe --no-threads --ion-eager:

Assertion failure: found, at js/src/jit/IonBuilder.cpp:3002
This is an automated crash issue comment:

Summary: Assertion failure: !IsUninitializedLexical((activation.regs()).fp()->unaliasedLocal(i)), at js/src/vm/Interpreter.cpp:3387
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe min.js

Testcase:

let m = parseModule(`
  gczeal(2);
  let i8Array = new Int8Array(4);
  let i8Iterator = i8Array[Symbol.iterator]();
  i8Array = new Int8Array();
`);
 m.declarationInstantiation();
 m.evaluation();

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000ad3b1e in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3387
#0  0x0000000000ad3b1e in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3387
#1  0x0000000000ad5f45 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#2  0x0000000000ade911 in js::ExecuteKernel (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffef307140) at js/src/vm/Interpreter.cpp:681
#3  0x0000000000aded58 in js::Execute (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x7fffef307140) at js/src/vm/Interpreter.cpp:714
#4  0x0000000000c1b41f in js::ModuleObject::evaluate (cx=cx@entry=0x7ffff693f000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:915
#5  0x0000000000b2f574 in intrinsic_EvaluateModule (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=0x7fffef307140) at js/src/vm/SelfHosting.cpp:2201
#6  0x0000000000ae5d5b in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0xb2f4e0 <intrinsic_EvaluateModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
This is an automated crash issue comment:

Summary: Assertion failure: data.s.payload.why == why, at jsshell-build/dist/include/js/Value.h:1212
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

const libdir = "/srv/repos/mozilla-central/js/src/jit-test/lib/";
let m = parseModule(`
load(libdir + "asserts.js");
const constructors = [
    Int8Array,
    Uint8Array,
    Uint8ClampedArray,
    Int16Array,
    Uint16Array,
    Int32Array,
    Uint32Array,
    Float32Array,
    Float64Array
];
for (var constructor of constructors) {
    for (var constructor2 of constructors) {
        var modifiedConstructor = new constructor(2);
        modifiedConstructor.constructor = constructor2;
        assertDeepEq(modifiedConstructor.slice(1), new constructor2(1));
    }
}
`);
m.declarationInstantiation();
m.evaluation();

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000e169cc in JS::Value::isMagic (this=this@entry=0x7fffffffc240, why=why@entry=JS_OPTIMIZED_ARGUMENTS) at jsshell-build/dist/include/js/Value.h:1212
#0  0x0000000000e169cc in JS::Value::isMagic (this=this@entry=0x7fffffffc240, why=why@entry=JS_OPTIMIZED_ARGUMENTS) at jsshell-build/dist/include/js/Value.h:1212
#1  0x0000000000e5216d in JS::Value::isMagic (why=JS_OPTIMIZED_ARGUMENTS, this=<optimized out>) at js/src/vm/Interpreter-inl.h:510
#2  js::ValueOperations<JS::Handle<JS::Value> >::isMagic (why=JS_OPTIMIZED_ARGUMENTS, this=<synthetic pointer>) at jsshell-build/dist/include/js/Value.h:1771
#3  js::jit::DoGetElemFallback (cx=0x7ffff693f000, frame=0x7fffffffc298, stub_=<optimized out>, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:1540
#4  0x00007ffff7e3d76a in ?? ()
[...]
#26 0x0000000000000000 in ?? ()

Test requires a copy of jit-test's asserts.js libary in the right place.
Attachment #8779188 - Attachment is obsolete: true
Created attachment 8779519 [details]
OOM_VERBOSE=1 stack from m-c rev 720b5d2c84d5 with patch in comment 55

oomTest(function() {
    eval("\"use strict\";");
});

Run with --fuzzing-safe --no-threads --no-baseline --no-ion -D:

Assertion failure: this->is<T>(), at js/src/jsobj.h:562
Comment on attachment 8779243 [details] [diff] [review]
Rollup for fuzzing v5

I stopped testing for now because apparently, some of these issues might be dups to each other and I don't want to cause more noise. Please feedback? me again once a new patch is ready and I'll be glad to give it more testing :)
Attachment #8779243 - Flags: feedback?(choller) → feedback-
(Assignee)

Comment 71

3 years ago
Created attachment 8779579 [details] [diff] [review]
Rollup for fuzzing v6

Applies on top of m-c 6cf0089510fa
Attachment #8779579 - Flags: feedback?(gary)
Attachment #8779579 - Flags: feedback?(choller)
(Assignee)

Updated

3 years ago
Attachment #8779243 - Attachment is obsolete: true
@shu: Should I also report spec compliance bugs/regressions here, or do you want to tackle those later?
This is an automated crash issue comment:

Summary: Assertion failure: script->isDerivedClassConstructor(), at js/src/vm/Interpreter.cpp:3366
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

{
    for (var x = 0; i < 100; i++) a >>= i;
    let i = 1;
}

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000ad5ef8 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3366
#0  0x0000000000ad5ef8 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3366
#1  0x0000000000ad6f75 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#2  0x0000000000adfaaa in js::ExecuteKernel (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:681
#3  0x0000000000adfea8 in js::Execute (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:714
[...]
This is an automated crash issue comment:

Summary: Assertion failure: env_->is<GlobalObject>() || IsGlobalLexicalEnvironment(env_), at js/src/vm/EnvironmentObject.cpp:1261
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off --ion-eager

Testcase:

var g = newGlobal("same-compartment");
var dbg = new Debugger;
g.toggle = function toggle(d) {
    if (d) {
        dbg.addDebuggee(g);
        frame1.onPop = function() {
            onPopExecuted = setJitCompilerOption('offthread-compilation.enable', 0) >> toggle('#2: x = null; x ^= true; x === 1. Actual: ' + (getObjectMetadata)) + (this);
        };
    }
};
g.eval("" + function f(d) {
    toggle(d);
});
g.eval("(" + function test() {
    for (var i = 0; i < 5; i++) f(false);
    f(true);
} + ")();");

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000a2566c in js::EnvironmentIter::settle (this=this@entry=0x7fffffff9d50) at js/src/vm/EnvironmentObject.cpp:1261
#0  0x0000000000a2566c in js::EnvironmentIter::settle (this=this@entry=0x7fffffff9d50) at js/src/vm/EnvironmentObject.cpp:1261
#1  0x0000000000ab9fe1 in js::EnvironmentIter::operator++ (this=0x7fffffff9d50) at js/src/vm/EnvironmentObject.h:611
#2  js::UnwindAllEnvironmentsInFrame (cx=cx@entry=0x7ffff693f000, ei=...) at js/src/vm/Interpreter.cpp:1059
#3  0x00000000008118ab in js::jit::DebugEpilogue (cx=cx@entry=0x7ffff693f000, frame=frame@entry=0x7fffffffa4e8, pc=0x7fffef322756 "\232", ok=<optimized out>, ok@entry=false) at js/src/jit/VMFunctions.cpp:709
#4  0x00000000006d8b14 in js::jit::OnLeaveBaselineFrame (frameOk=false, rfe=0x7fffffffa478, pc=<optimized out>, frame=..., cx=0x7ffff693f000) at js/src/jit/JitFrames.cpp:463
#5  js::jit::HandleExceptionBaseline (pc=0x7fffef322756 "\232", rfe=<optimized out>, frame=..., cx=0x7ffff693f000) at js/src/jit/JitFrames.cpp:696
#6  js::jit::HandleException (rfe=<optimized out>) at js/src/jit/JitFrames.cpp:837
#7  0x00007ffff7e3b646 in ?? ()
#8  0x0000000000000000 in ?? ()
This is an automated crash issue comment:

Summary: Assertion failure: loc.environmentCoordinate().hops() == 0 || name == cx->names().dotThis, at js/src/frontend/BytecodeEmitter.cpp:3146
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

    try {
        eval('"use strict"; var x = "a\\4";');
    } catch (e) {
        var e = '';
        let arguments = parseFloat.int32(TypedObject.objectType); {}
    }

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000ccb08e in js::frontend::BytecodeEmitter::emitSetOrInitializeNameAtLocation<js::frontend::BytecodeEmitter::emitSingleDeclaration(js::frontend::ParseNode*, js::frontend::ParseNode*, js::frontend::ParseNode*)::<lambda(js::frontend::BytecodeEmitter*, const js::frontend::NameLocation&, bool)> > (initialize=true, emitRhs=..., loc=..., name=..., this=0x7fffffffced8) at js/src/frontend/BytecodeEmitter.cpp:3145
#0  0x0000000000ccb08e in js::frontend::BytecodeEmitter::emitSetOrInitializeNameAtLocation<js::frontend::BytecodeEmitter::emitSingleDeclaration(js::frontend::ParseNode*, js::frontend::ParseNode*, js::frontend::ParseNode*)::<lambda(js::frontend::BytecodeEmitter*, const js::frontend::NameLocation&, bool)> > (initialize=true, emitRhs=..., loc=..., name=..., this=0x7fffffffced8) at js/src/frontend/BytecodeEmitter.cpp:3145
#1  js::frontend::BytecodeEmitter::emitSetOrInitializeName<js::frontend::BytecodeEmitter::emitSingleDeclaration(js::frontend::ParseNode*, js::frontend::ParseNode*, js::frontend::ParseNode*)::<lambda(js::frontend::BytecodeEmitter*, const js::frontend::NameLocation&, bool)> > (initialize=true, initialize=true, emitRhs=..., name=..., this=0x7fffffffced8) at js/src/frontend/BytecodeEmitter.h:545
#2  js::frontend::BytecodeEmitter::emitInitializeName<js::frontend::BytecodeEmitter::emitSingleDeclaration(js::frontend::ParseNode*, js::frontend::ParseNode*, js::frontend::ParseNode*)::<lambda(js::frontend::BytecodeEmitter*, const js::frontend::NameLocation&, bool)> > (emitRhs=..., name=..., this=0x7fffffffced8) at js/src/frontend/BytecodeEmitter.h:563
#3  js::frontend::BytecodeEmitter::emitInitializeName<js::frontend::BytecodeEmitter::emitSingleDeclaration(js::frontend::ParseNode*, js::frontend::ParseNode*, js::frontend::ParseNode*)::<lambda(js::frontend::BytecodeEmitter*, const js::frontend::NameLocation&, bool)> > (emitRhs=..., pn=<optimized out>, this=0x7fffffffced8) at js/src/frontend/BytecodeEmitter.h:559
#4  js::frontend::BytecodeEmitter::emitSingleDeclaration (this=0x7fffffffced8, declList=<optimized out>, decl=<optimized out>, initializer=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:4769
#5  0x0000000000cd1461 in js::frontend::BytecodeEmitter::emitDeclarationList (this=this@entry=0x7fffffffced8, declList=declList@entry=0x7ffff69a5200) at js/src/frontend/BytecodeEmitter.cpp:4741
#6  0x0000000000cc6593 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5200, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9094
#7  0x0000000000cd224e in js::frontend::BytecodeEmitter::emitStatementList (this=0x7fffffffced8, pn=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7256
#8  0x0000000000cc680b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a51d0, emitLineNote=js::frontend::BytecodeEmitter::SUPPRESS_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8933
#9  0x0000000000cccc23 in js::frontend::BytecodeEmitter::emitLexicalScopeBody (this=this@entry=0x7fffffffced8, body=body@entry=0x7ffff69a51d0, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::SUPPRESS_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:5566
#10 0x0000000000cd8d4b in js::frontend::BytecodeEmitter::emitLexicalScope (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5458) at js/src/frontend/BytecodeEmitter.cpp:5615
#11 0x0000000000cc6d9b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=0x7ffff69a5458, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9088
#12 0x0000000000cd1312 in js::frontend::BytecodeEmitter::emitCatch (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a54d0) at js/src/frontend/BytecodeEmitter.cpp:5243
#13 0x0000000000cc6ba3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a54d0, emitLineNote=js::frontend::BytecodeEmitter::SUPPRESS_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8903
#14 0x0000000000cccc23 in js::frontend::BytecodeEmitter::emitLexicalScopeBody (this=this@entry=0x7fffffffced8, body=body@entry=0x7ffff69a54d0, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::SUPPRESS_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:5566
#15 0x0000000000cd8d4b in js::frontend::BytecodeEmitter::emitLexicalScope (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a54a0) at js/src/frontend/BytecodeEmitter.cpp:5615
#16 0x0000000000cc6d9b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a54a0, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9088
#17 0x0000000000ccb303 in js::frontend::BytecodeEmitter::emitTry (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5500) at js/src/frontend/BytecodeEmitter.cpp:5344
[...]
#34 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7523
This is an automated crash issue comment:

Summary: Assertion failure: this->is<T>(), at js/src/vm/Scope.h:222
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

f = ([a = class target extends b {}, b] = [void 0]) => {};
f()

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000ab45c8 in js::Scope::as<js::LexicalScope> (this=<optimized out>) at js/src/vm/Scope.h:222
#0  0x0000000000ab45c8 in js::Scope::as<js::LexicalScope> (this=<optimized out>) at js/src/vm/Scope.h:222
#1  js::ReportRuntimeLexicalError (cx=0x7ffff693f000, errorNumber=71, script=..., pc=<optimized out>) at js/src/vm/Interpreter.cpp:4992
#2  0x0000000000ad4ecc in js::ReportUninitializedLexical (pc=<optimized out>, script=..., cx=<optimized out>) at js/src/vm/Interpreter-inl.h:111
#3  js::CheckUninitializedLexical (val=..., pc=<optimized out>, script=..., cx=<optimized out>) at js/src/vm/Interpreter-inl.h:129
#4  Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3292
#5  0x0000000000ad6f75 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#6  0x0000000000ad7228 in js::InternalCallOrConstruct (cx=0x7ffff693f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:472
#7  0x0000000000ad20c0 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:505
[...]
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7523
This is an automated crash issue comment:

Summary: Assertion failure: this->is<T>(), at js/src/vm/Scope.h:222
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

let m = parseModule(`
  const count = 1024;
  let s = "";
  for (let i = 0; i < count; i++)
    s += "export let e" + ++count + " = " + (i * i) + ";\\n";
`);
m.declarationInstantiation();
m.evaluation();

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000ab45c8 in js::Scope::as<js::LexicalScope> (this=<optimized out>) at js/src/vm/Scope.h:222
#0  0x0000000000ab45c8 in js::Scope::as<js::LexicalScope> (this=<optimized out>) at js/src/vm/Scope.h:222
#1  js::ReportRuntimeLexicalError (cx=0x7ffff693f000, errorNumber=72, script=..., pc=<optimized out>) at js/src/vm/Interpreter.cpp:4992
#2  0x0000000000accc95 in js::ReportRuntimeConstAssignment (pc=<optimized out>, script=..., cx=<optimized out>) at js/src/vm/Interpreter-inl.h:144
#3  Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3283
#4  0x0000000000ad6f75 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#5  0x0000000000adfaaa in js::ExecuteKernel (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffef324140) at js/src/vm/Interpreter.cpp:681
#6  0x0000000000adfea8 in js::Execute (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x7fffef324140) at js/src/vm/Interpreter.cpp:714
#7  0x0000000000c1c26f in js::ModuleObject::evaluate (cx=cx@entry=0x7ffff693f000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:915
#8  0x0000000000b30294 in intrinsic_EvaluateModule (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=0x7fffef324140) at js/src/vm/SelfHosting.cpp:2201
#9  0x0000000000ae6b1b in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0xb30200 <intrinsic_EvaluateModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
(Assignee)

Comment 78

3 years ago
(In reply to André Bargull from comment #72)
> @shu: Should I also report spec compliance bugs/regressions here, or do you
> want to tackle those later?

If they are regressions from earlier versions, definitely.
Or if they're bugs in newly-added functionality.  Like, I think we want to know if there's some spec compliance issue with the TDZ for parameter defaults, even tho that's new code and such a problem might not be a regression.
This is an automated crash issue comment:

Summary: Assertion failure: (detail::IsInBounds<From, To>(aFrom)), at jsshell-build/dist/include/mozilla/Casting.h:237
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

var lfLogBuffer = `
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(await ) {
    eval(lfVarx);
}
`;
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
while (true) {
    var line = lfLogBuffer.shift();
    if (line == null) {
        break;
    } else {
        lfCodeBuffer += line + "\n";
    }
}
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(lfVarx) {
    eval(lfVarx);
}

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000cddc78 in mozilla::AssertedCast<unsigned char, unsigned int> (aFrom=<optimized out>) at jsshell-build/dist/include/mozilla/Casting.h:237
#0  0x0000000000cddc78 in mozilla::AssertedCast<unsigned char, unsigned int> (aFrom=<optimized out>) at jsshell-build/dist/include/mozilla/Casting.h:237
#1  js::frontend::BytecodeEmitter::EmitterScope::checkEnvironmentChainLength (this=this@entry=0x7ffffff01b10, bce=<optimized out>, bce@entry=0x7ffffff01e70) at js/src/frontend/BytecodeEmitter.cpp:375
#2  0x0000000000cbe04f in js::frontend::BytecodeEmitter::EmitterScope::enterFunction (this=this@entry=0x7ffffff01b10, bce=bce@entry=0x7ffffff01e70, funbox=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:1116
#3  0x0000000000cc5697 in js::frontend::BytecodeEmitter::EmitterScope::enterFunction (this=<optimized out>, bce=0x7ffffff01e70, funbox=<optimized out>) at js/src/frontend/NameCollections.h:306
#4  0x0000000000cc5ae4 in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody (this=this@entry=0x7ffffff01e70, pn=pn@entry=0x7ffff69a50d8) at js/src/frontend/BytecodeEmitter.cpp:8501
#5  0x0000000000cc6a8b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffffff01e70, pn=pn@entry=0x7ffff69a50d8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8848
#6  0x0000000000cc7e72 in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7ffffff01e70, body=0x7ffff69a50d8) at js/src/frontend/BytecodeEmitter.cpp:4166
#7  0x0000000000cca6d1 in js::frontend::CompileLazyFunction (cx=cx@entry=0x7ffff693f000, lazy=..., lazy@entry=..., chars=<optimized out>, length=<optimized out>) at js/src/frontend/BytecodeCompiler.cpp:674
#8  0x00000000009043bc in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7ffff693f000, fun=fun@entry=...) at js/src/jsfun.cpp:1505
#9  0x0000000000464db4 in JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/jsfun.h:397
#10 0x0000000000acb2be in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:2919
[...]
#127 0x0000000000adfaaa in js::ExecuteKernel (cx=<optimized out>, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=<optimized out>) at js/src/vm/Interpreter.cpp:681
rax	0x0	0
rbx	0x7ffffff01b10	140737487313680
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7ffffff01800	140737487312896
rsp	0x7ffffff017f0	140737487312880
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7ffffff01e70	140737487314544
r13	0x7ffff693f000	140737330278400
r14	0x7ffffff01e70	140737487314544
r15	0x7ffffff01880	140737487313024
rip	0xcddc78 <js::frontend::BytecodeEmitter::EmitterScope::checkEnvironmentChainLength(js::frontend::BytecodeEmitter*)+152>
=> 0xcddc78 <js::frontend::BytecodeEmitter::EmitterScope::checkEnvironmentChainLength(js::frontend::BytecodeEmitter*)+152>:	movl   $0x0,0x0
   0xcddc83 <js::frontend::BytecodeEmitter::EmitterScope::checkEnvironmentChainLength(js::frontend::BytecodeEmitter*)+163>:	ud2


This seems to involve some kind of over-recursion.
This is an automated crash issue comment:

Summary: Assertion failure: offset >= list[index].start, at js/src/frontend/BytecodeEmitter.cpp:9572
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

eval(`
var of;
let expect =false , assertEq;
`);

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000cb5208 in js::frontend::CGScopeNoteList::recordEnd (this=0x7fffffffc270, index=0, offset=13, inPrologue=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:9572
#0  0x0000000000cb5208 in js::frontend::CGScopeNoteList::recordEnd (this=0x7fffffffc270, index=0, offset=13, inPrologue=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:9572
#1  0x0000000000cb5e10 in js::frontend::BytecodeEmitter::EmitterScope::leave (this=this@entry=0x7fffffffbf30, bce=bce@entry=0x7fffffffbfe8, nonLocal=nonLocal@entry=false) at js/src/frontend/BytecodeEmitter.cpp:1398
#2  0x0000000000ccd08d in js::frontend::BytecodeEmitter::emitScript (this=0x7fffffffbfe8, body=body@entry=0x7ffff69a5190) at js/src/frontend/BytecodeEmitter.cpp:4105
#3  0x0000000000ccd4df in BytecodeCompiler::compileScript (this=this@entry=0x7fffffffc3c0, environment=environment@entry=..., sc=sc@entry=0x7fffffffc350) at js/src/frontend/BytecodeCompiler.cpp:349
#4  0x0000000000ccd8e7 in BytecodeCompiler::compileEvalScript (enclosingScope=..., environment=..., this=0x7fffffffc3c0) at js/src/frontend/BytecodeCompiler.cpp:384
#5  js::frontend::CompileEvalScript (cx=cx@entry=0x7ffff693f000, alloc=..., environment=environment@entry=..., enclosingScope=enclosingScope@entry=..., options=..., srcBuf=..., extraSct=0x0, sourceObjectOut=0x0) at js/src/frontend/BytecodeCompiler.cpp:583
#6  0x00000000009efda5 in EvalKernel (cx=cx@entry=0x7ffff693f000, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., env=env@entry=..., pc=<optimized out>, vp=...) at js/src/builtin/Eval.cpp:318
#7  0x00000000009f0521 in js::DirectEval (cx=0x7ffff693f000, v=..., vp=...) at js/src/builtin/Eval.cpp:438
#8  0x0000000000acc722 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:2822
This is an automated crash issue comment:

Summary: Assertion failure: canHaveArgumentSlots(), at js/src/vm/Scope.h:1090
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

function f({get
} = (yield), y) {
    var stack = getBacktrace({
        args: true,
    });
}
f(1, 2);

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000931f68 in js::BindingIter::argumentSlot (this=<optimized out>) at js/src/vm/Scope.h:1090
#0  0x0000000000931f68 in js::BindingIter::argumentSlot (this=<optimized out>) at js/src/vm/Scope.h:1090
#1  0x0000000000917586 in FormatFrame (showThisProps=false, showLocals=false, showArgs=true, num=0, buf=0x7fffef310f00 "0 f(", iter=..., cx=0x7ffff693f000) at js/src/jsfriendapi.cpp:861
#2  JS::FormatStackDump (cx=cx@entry=0x7ffff693f000, buf=<optimized out>, buf@entry=0x0, showArgs=true, showLocals=false, showThisProps=false) at js/src/jsfriendapi.cpp:993
#3  0x0000000000c4f349 in GetBacktrace (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2503
#4  0x0000000000ae6b1b in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0xc4f160 <GetBacktrace(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
(Assignee)

Comment 83

3 years ago
Created attachment 8779926 [details] [diff] [review]
Rollup for fuzzing v7
Attachment #8779926 - Flags: feedback?(gary)
Attachment #8779926 - Flags: feedback?(choller)
(Assignee)

Updated

3 years ago
Attachment #8779579 - Attachment is obsolete: true
Attachment #8779579 - Flags: feedback?(gary)
Attachment #8779579 - Flags: feedback?(choller)
(Assignee)

Comment 84

3 years ago
Created attachment 8779947 [details] [diff] [review]
Rollup for fuzzing v7

Applies on top of m-c 0502bd9e025e
Attachment #8779947 - Flags: feedback?(gary)
Attachment #8779947 - Flags: feedback?(choller)
(Assignee)

Updated

3 years ago
Attachment #8779926 - Attachment is obsolete: true
Attachment #8779926 - Flags: feedback?(gary)
Attachment #8779926 - Flags: feedback?(choller)
This is an automated crash issue comment:

Summary: Assertion failure: si_.kind() == ScopeKind::NamedLambda || si_.kind() == ScopeKind::StrictNamedLambda, at js/src/vm/EnvironmentObject.cpp:1233
Build version: mozilla-central revision 0502bd9e025e+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

(function f() {
    let x = (new function() {
        x(() => {
            f.ArrayType(1, 2);
        }, "first argument of ctypes.cast must be a CData");
    })
})();

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000a23870 in js::EnvironmentIter::settle (this=this@entry=0x7fffffffdc90) at js/src/vm/EnvironmentObject.cpp:1232
#0  0x0000000000a23870 in js::EnvironmentIter::settle (this=this@entry=0x7fffffffdc90) at js/src/vm/EnvironmentObject.cpp:1232
#1  0x0000000000a23ab6 in js::EnvironmentIter::EnvironmentIter(JSContext*, js::AbstractFramePtr, unsigned char*, mozilla::detail::GuardObjectNotifier&&) (this=0x7fffffffdc90, cx=0x7ffff693f000, frame=..., pc=0x7fffef409c5f "R", _notifier=<unknown type in /home/ubuntu/mozilla-central/js/src/dist/bin/js, CU 0x36f121b, DIE 0x38e484b>) at js/src/vm/EnvironmentObject.cpp:1201
#2  0x0000000000ac7dcf in HandleError (regs=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:1227
#3  Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:4110
[...]
This is an automated crash issue comment:

Summary: Assertion failure: script->isDerivedClassConstructor(), at js/src/vm/Interpreter.cpp:3374
Build version: mozilla-central revision 0502bd9e025e+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

{
    while (x && 0)
        if (!((x = 1) === x)) {}
    let x = () => sym()
}

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000ad2d02 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3374
#0  0x0000000000ad2d02 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3374
#1  0x0000000000ad3db5 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
[..]
This is an automated crash issue comment:

Summary: Assertion failure: bi.kind() == BindingKind::FormalParameter, at js/src/frontend/BytecodeEmitter.cpp:1063
Build version: mozilla-central revision 0502bd9e025e+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

function crashMe2(n) {
    var nasty = [],
        fn
    while (n--) nasty[n] = "a" + 1234567890
    fn = Function(nasty.join(), "void 0")
}
crashMe2(0x10000);

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000cba8dc in js::frontend::BytecodeEmitter::EmitterScope::enterFunction (this=this@entry=0x7fffffffb440, bce=bce@entry=0x7fffffffb5e8, funbox=0x7ffff69a5080) at js/src/frontend/BytecodeEmitter.cpp:1063
#0  0x0000000000cba8dc in js::frontend::BytecodeEmitter::EmitterScope::enterFunction (this=this@entry=0x7fffffffb440, bce=bce@entry=0x7fffffffb5e8, funbox=0x7ffff69a5080) at js/src/frontend/BytecodeEmitter.cpp:1063
#1  0x0000000000cc1c97 in js::frontend::BytecodeEmitter::EmitterScope::enterFunction (this=<optimized out>, bce=0x7fffffffb5e8, funbox=<optimized out>) at js/src/frontend/NameCollections.h:306
#2  0x0000000000cc20e4 in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody (this=this@entry=0x7fffffffb5e8, pn=pn@entry=0x7ffff69a5050) at js/src/frontend/BytecodeEmitter.cpp:8512
#3  0x0000000000cc302b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffb5e8, pn=pn@entry=0x7ffff69a5050, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8859
#4  0x0000000000cc4462 in js::frontend::BytecodeEmitter::emitFunctionScript (this=0x7fffffffb5e8, body=body@entry=0x7ffff69a5050) at js/src/frontend/BytecodeEmitter.cpp:4167
#5  0x0000000000cc5f7a in BytecodeCompiler::compileFunctionBody (this=this@entry=0x7fffffffb950, fun=..., fun@entry=..., formals=..., formals@entry=..., generatorKind=generatorKind@entry=js::NotGenerator) at js/src/frontend/BytecodeCompiler.cpp:474
#6  0x0000000000cc60a8 in CompileFunctionBody (cx=cx@entry=0x7ffff693f000, fun=fun@entry=..., options=..., formals=formals@entry=..., srcBuf=..., enclosingScope=..., enclosingScope@entry=..., generatorKind=js::NotGenerator) at js/src/frontend/BytecodeCompiler.cpp:692
#7  0x0000000000cc62ae in js::frontend::CompileFunctionBody (cx=cx@entry=0x7ffff693f000, fun=fun@entry=..., options=..., formals=formals@entry=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:711
#8  0x000000000092a3a2 in FunctionConstructor (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>, generatorKind=js::NotGenerator) at js/src/jsfun.cpp:1863
#9  0x0000000000ae3c89 in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0x92af50 <js::Function(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#40 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff69f5520	140737331025184
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffb280	140737488335488
rsp	0x7fffffffb140	140737488335168
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7ffff69a5080	140737330696320
r13	0x7fffffffb1e0	140737488335328
r14	0x7fffffffb5e8	140737488336360
r15	0x7fffffffb1b0	140737488335280
rip	0xcba8dc <js::frontend::BytecodeEmitter::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)+3004>
=> 0xcba8dc <js::frontend::BytecodeEmitter::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)+3004>:	movl   $0x0,0x0
   0xcba8e7 <js::frontend::BytecodeEmitter::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)+3015>:	ud2
(In reply to Shu-yu Guo [:shu] from comment #78)
> If they are regressions from earlier versions, definitely.

function f(a = 0) {
    let a = 1;
}
f();

Expected: Throws SyntaxError
Actual: No error


(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #79)
> Or if they're bugs in newly-added functionality.  Like, I think we want to
> know if there's some spec compliance issue with the TDZ for parameter
> defaults, even tho that's new code and such a problem might not be a
> regression.

function f(a = 0, b = (eval("var a = 1"), assertEq(a, 1)), c = assertEq(a, 0)) { }
f();

Expected: No error
Actual: Throws "Error: Assertion failed"

---

function f(a = (eval("{function a(){}}"), print(typeof a))) { }
f();

Expected: Prints "function"
Actual: Throws ReferenceError

---

function f(a, b = () => a) {
    eval("var a");
    print(b())
    a = 2;
    print(b())
}
f(1);

Expected: Prints "1 1"
Actual: Prints "1 2"

---

var init, first;
for (let i = (init = () => i = 1, 0); (first = () => i, i) < 0; ++i); 
print(init(), first());

Expected: Prints "1 0"
Actual: Prints "1 1"

---

function f() {
    eval("{function a(){}}");
    const a = 1;
}
f();

Expected: No error
Actual: Throws SyntaxError
This is an automated crash issue comment:

Summary: Crash [@ js::frontend::FunctionBox::hasExtraVarScope]
Build version: mozilla-central revision 0502bd9e025e+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

function test(get, [] = Bool16x8(...w), ...of) {
    var f;
}

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000ccf4f5 in js::frontend::FunctionBox::hasExtraVarScope (this=<optimized out>) at js/src/frontend/SharedContext.h:522
#0  0x0000000000ccf4f5 in js::frontend::FunctionBox::hasExtraVarScope (this=<optimized out>) at js/src/frontend/SharedContext.h:522
#1  js::frontend::BytecodeEmitter::isRestParameter (result=0x7fffffffc37f, pn=0x7ffff69a5280, this=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7588
#2  js::frontend::BytecodeEmitter::emitOptimizeSpread (this=0x7fffffffc9a0, arg0=0x7ffff69a5280, jmp=0x7fffffffc420, emitted=0x7fffffffc41f) at js/src/frontend/BytecodeEmitter.cpp:7617
#3  0x0000000000cd18e4 in js::frontend::BytecodeEmitter::emitCallOrNew (this=this@entry=0x7fffffffc9a0, pn=pn@entry=0x7ffff69a5250) at js/src/frontend/BytecodeEmitter.cpp:7799
#4  0x0000000000cc2d53 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc9a0, pn=pn@entry=0x7ffff69a5250, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9094
#5  0x0000000000cd1d6a in js::frontend::BytecodeEmitter::emitFunctionFormalParameters (this=this@entry=0x7fffffffc9a0, pn=pn@entry=0x7ffff69a5190) at js/src/frontend/BytecodeEmitter.cpp:8581
#6  0x0000000000cc220e in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody (this=this@entry=0x7fffffffc9a0, pn=pn@entry=0x7ffff69a5190) at js/src/frontend/BytecodeEmitter.cpp:8445
#7  0x0000000000cc302b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc9a0, pn=pn@entry=0x7ffff69a5190, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8859
#8  0x0000000000cc4462 in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7fffffffc9a0, body=0x7ffff69a5190) at js/src/frontend/BytecodeEmitter.cpp:4167
#9  0x0000000000cc4f05 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5050, needsProto=needsProto@entry=false) at js/src/frontend/BytecodeEmitter.cpp:6671
#10 0x0000000000cc2c4d in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5050, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8854
#11 0x0000000000cce81e in js::frontend::BytecodeEmitter::emitStatementList (this=0x7fffffffced8, pn=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7267
#12 0x0000000000cc2dab in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5020, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8944
#13 0x0000000000cc92ed in js::frontend::BytecodeEmitter::emitScript (this=0x7fffffffced8, body=body@entry=0x7ffff69a5020) at js/src/frontend/BytecodeEmitter.cpp:4109
#14 0x0000000000cc9a2f in BytecodeCompiler::compileScript (this=this@entry=0x7fffffffd280, environment=environment@entry=..., sc=sc@entry=0x7fffffffd230) at js/src/frontend/BytecodeCompiler.cpp:349
#15 0x0000000000cca054 in BytecodeCompiler::compileGlobalScript (scopeKind=<optimized out>, this=0x7fffffffd280) at js/src/frontend/BytecodeCompiler.cpp:376
[...]
#26 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7548
rax	0x7fffef700b50	140737210485584
rbp	0x7fffffffc3f0	140737488339952
r8	0x0	0
rip	0xccf4f5 <js::frontend::BytecodeEmitter::emitOptimizeSpread(js::frontend::ParseNode*, js::frontend::JumpList*, bool*)+629>
=> 0xccf4f5 <js::frontend::BytecodeEmitter::emitOptimizeSpread(js::frontend::ParseNode*, js::frontend::JumpList*, bool*)+629>:	mov    0x8(%r8),%r8
   0xccf4f9 <js::frontend::BytecodeEmitter::emitOptimizeSpread(js::frontend::ParseNode*, js::frontend::JumpList*, bool*)+633>:	lea    -0x50(%rbp),%rax
This is an automated crash issue comment:

Summary: Assertion failure: !isExtensible() && v.isPrivateGCThing(), at js/src/vm/EnvironmentObject.h:427
Build version: mozilla-central revision 0502bd9e025e+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

for (var i = 0; i < 200; parseFloat++) {
    (function* get(undefined, ...get) {
        g.apply(this, arguments);
    })();
}

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000a69260 in js::LexicalEnvironmentObject::scope (this=0x7fffef775040) at js/src/vm/EnvironmentObject.h:427
#0  0x0000000000a69260 in js::LexicalEnvironmentObject::scope (this=0x7fffef775040) at js/src/vm/EnvironmentObject.h:427
#1  0x0000000000b406c0 in AssertScopeMatchesEnvironment (scope=<optimized out>, originalEnv=<optimized out>) at js/src/vm/Stack.cpp:130
#2  0x0000000000b40f03 in js::InterpreterFrame::prologue (this=0x7fffef3240d0, cx=0x7ffff693f000) at js/src/vm/Stack.cpp:232
#3  0x0000000000ac7a68 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:1770
[...]
(Assignee)

Comment 91

3 years ago
Created attachment 8780428 [details] [diff] [review]
Rollup for fuzzing v8

Applies on top of m-c 233ab21b64b5
Attachment #8779947 - Attachment is obsolete: true
Attachment #8779947 - Flags: feedback?(gary)
Attachment #8779947 - Flags: feedback?(choller)
Attachment #8780428 - Flags: feedback?(choller)
This is an automated crash issue comment:

Summary: Assertion failure: script->isDerivedClassConstructor(), at js/src/vm/Interpreter.cpp:3374
Build version: mozilla-central revision 233ab21b64b5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

$2 = 0,
    label = 1;
switch (label | 0) {
    case 1:
        $2 -= $1 + 14 | 0;
        case [], $5(() => new Map(ArrayBuffer), $1), (yield):
        let $1 = [];
}

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000ad3c5f in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3374
#0  0x0000000000ad3c5f in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3374
#1  0x0000000000ad4a15 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
[...]
(Assignee)

Comment 93

3 years ago
Created attachment 8780726 [details] [diff] [review]
Rollup for fuzzing v9
Attachment #8780726 - Flags: feedback?(choller)
(Assignee)

Updated

3 years ago
Attachment #8780428 - Attachment is obsolete: true
Attachment #8780428 - Flags: feedback?(choller)
(Assignee)

Comment 94

3 years ago
(In reply to Shu-yu Guo [:shu] from comment #93)
> Created attachment 8780726 [details] [diff] [review]
> Rollup for fuzzing v9

Applies on top of m-c 2ed7e61b988d
(Assignee)

Comment 95

3 years ago
Created attachment 8780730 [details] [diff] [review]
Rewrite the frontend: bindings.

With fixes for fuzz and anba tests.
Attachment #8780730 - Flags: review?(jwalden+bmo)
Attachment #8780730 - Flags: review?(jorendorff)
Attachment #8780730 - Flags: review?(efaustbmo)
(Assignee)

Updated

3 years ago
Attachment #8779082 - Attachment is obsolete: true
Attachment #8779082 - Flags: review?(winter2718)
Attachment #8779082 - Flags: review?(jwalden+bmo)
Attachment #8779082 - Flags: review?(jorendorff)
Attachment #8779082 - Flags: review?(efaustbmo)
Created attachment 8780757 [details]
OOM_VERBOSE=1 stack from m-c rev 2ed7e61b988d with patch in comment 93

// Adapted from randomly chosen test: js/src/jit-test/tests/profiler/bug1231925.js
"use strict";
enableSPSProfiling();
oomTest(function() {
    eval("(function() {})()");
});


Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Assertion failure: size_before == *profiler->size_, at js/src/vm/SPSProfiler.cpp:434
function f(a = x, x = x) {}
f(/y/)


Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Assertion failure: script->isDerivedClassConstructor(), at js/src/vm/Interpreter.cpp:3374
Attachment #8779519 - Attachment is obsolete: true
Attachment #8780726 - Flags: feedback-
(Assignee)

Comment 98

3 years ago
Created attachment 8780784 [details] [diff] [review]
Rollup for fuzzing v10

Applies on top of m-c 2ed7e61b988d
Attachment #8780726 - Attachment is obsolete: true
Attachment #8780726 - Flags: feedback?(choller)
Attachment #8780784 - Flags: feedback?(gary)
Attachment #8780784 - Flags: feedback?(choller)
This is an automated crash issue comment:

Summary: Assertion failure: !fun->needsExtraBodyVarEnvironment(), at js/src/jit/IonBuilder.cpp:1245
Build version: mozilla-central revision 2ed7e61b988d+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off --baseline-eager

Testcase:

setJitCompilerOption("ion.warmup.trigger", 4);
var lfLogBuffer = `
function logProxy(object = {}, handler = {}) {
    var log = [];
    var proxy = new WeakMap(object, new Proxy(handler, {
        get(proto) {
            log.push(propertyKey);
        }
    }));
}
var {proxy, log} = logProxy();
`;
loadFile(lfLogBuffer);
loadFile(lfLogBuffer);
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
    try {
      function newFunc(x) {
        new Function(x)();
      };
      newFunc(lfVarx);
    } catch (lfVare) {}
}


Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000647818 in js::jit::IonBuilder::initEnvironmentChain (this=this@entry=0x7fffffff9690, callee=0x7ffff69b4ea0) at js/src/jit/IonBuilder.cpp:1245
#0  0x0000000000647818 in js::jit::IonBuilder::initEnvironmentChain (this=this@entry=0x7fffffff9690, callee=0x7ffff69b4ea0) at js/src/jit/IonBuilder.cpp:1245
#1  0x000000000068efb3 in js::jit::IonBuilder::buildInline (this=0x7fffffff9690, callerBuilder=<optimized out>, callerResumePoint=<optimized out>, callInfo=...) at js/src/jit/IonBuilder.cpp:1090
#2  0x000000000068f459 in js::jit::IonBuilder::inlineScriptedCall (this=this@entry=0x7fffffffa4a0, callInfo=..., target=<optimized out>) at js/src/jit/IonBuilder.cpp:5226
#3  0x000000000068fa00 in js::jit::IonBuilder::inlineSingleCall (this=0x7fffffffa4a0, callInfo=..., targetArg=<optimized out>) at js/src/jit/IonBuilder.cpp:5734
#4  0x0000000000691049 in js::jit::IonBuilder::inlineCallsite (this=0x7fffffffa4a0, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:5790
#5  0x00000000006914f5 in js::jit::IonBuilder::jsop_call (this=this@entry=0x7fffffffa4a0, argc=0, constructing=<optimized out>) at js/src/jit/IonBuilder.cpp:6743
#6  0x000000000069559c in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7fffffffa4a0, op=op@entry=JSOP_CALL) at js/src/jit/IonBuilder.cpp:1918
#7  0x000000000068dc9e in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7fffffffa4a0) at js/src/jit/IonBuilder.cpp:1534
#8  0x000000000068efc3 in js::jit::IonBuilder::buildInline (this=0x7fffffffa4a0, callerBuilder=<optimized out>, callerResumePoint=<optimized out>, callInfo=...) at js/src/jit/IonBuilder.cpp:1093
#9  0x000000000068f459 in js::jit::IonBuilder::inlineScriptedCall (this=this@entry=0x7ffff69b2270, callInfo=..., target=<optimized out>) at js/src/jit/IonBuilder.cpp:5226
#10 0x000000000068fa00 in js::jit::IonBuilder::inlineSingleCall (this=0x7ffff69b2270, callInfo=..., targetArg=<optimized out>) at js/src/jit/IonBuilder.cpp:5734
#11 0x00000000006903ee in js::jit::IonBuilder::inlineCalls (this=this@entry=0x7ffff69b2270, callInfo=..., targets=..., choiceSet=..., maybeCache=<optimized out>) at js/src/jit/IonBuilder.cpp:6054
#12 0x0000000000690f22 in js::jit::IonBuilder::inlineCallsite (this=0x7ffff69b2270, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:5802
#13 0x00000000006914f5 in js::jit::IonBuilder::jsop_call (this=this@entry=0x7ffff69b2270, argc=0, constructing=<optimized out>) at js/src/jit/IonBuilder.cpp:6743
#14 0x000000000069559c in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff69b2270, op=op@entry=JSOP_CALL) at js/src/jit/IonBuilder.cpp:1918
#15 0x000000000068dc9e in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff69b2270) at js/src/jit/IonBuilder.cpp:1534
#16 0x000000000068e896 in js::jit::IonBuilder::build (this=0x7ffff69b2270) at js/src/jit/IonBuilder.cpp:921
#17 0x00000000006a267f in js::jit::IonCompile (cx=cx@entry=0x7ffff6965000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffb6f8, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2232
#18 0x00000000006a2f79 in js::jit::Compile (cx=cx@entry=0x7ffff6965000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffb6f8, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2473
#19 0x00000000006a398a in BaselineCanEnterAtEntry (frame=0x7fffffffb6f8, script=..., cx=0x7ffff6965000) at js/src/jit/Ion.cpp:2597
#20 js::jit::IonCompileScriptForBaseline (cx=0x7ffff6965000, frame=0x7fffffffb6f8, pc=<optimized out>) at js/src/jit/Ion.cpp:2721
#21 0x00007ffff7feb360 in ?? ()
[...]
These two parameter environment tests from https://github.com/anba/es6draft/blob/master/src/test/scripts/suite/semantic/function/parameter_environment.js#L133-L150 are still failing:

function g8(h = () => arguments) {
  var arguments = 0;
  assertEq(arguments, 0);
  assertEq(arguments === h(), false);
}
g8();

function g9(h = () => arguments) {
  var arguments;
  assertEq(void 0 === arguments, false);
  assertEq(h(), arguments);
  arguments = 0;
  assertEq(arguments, 0);
  assertEq(arguments === h(), false);
}
g9();
This is an automated crash issue comment:

Summary: Assertion failure: env->lastProperty() == copy->lastProperty(), at js/src/vm/EnvironmentObject.cpp:972
Build version: mozilla-central revision 2ed7e61b988d+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

for (let x = 0; x < 4; ++x) {
    (function() {
        for (var set = 0, get, get; eval("\tvar\tx\t=\t1\t");) {}
    })()
};

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x086823a9 in js::LexicalEnvironmentObject::clone (cx=0xf7934000, env=...) at js/src/vm/EnvironmentObject.cpp:972
#0  0x086823a9 in js::LexicalEnvironmentObject::clone (cx=0xf7934000, env=...) at js/src/vm/EnvironmentObject.cpp:972
#1  0x0874f7e8 in js::InterpreterFrame::freshenLexicalEnvironment (this=0xf1225018, cx=0xf7934000) at js/src/vm/Stack.cpp:332
#2  0x086ef2c1 in Interpret (cx=0xf7934000, state=...) at js/src/vm/Interpreter.cpp:3806
[...]
This is an automated crash issue comment:

Summary: Assertion failure: NewFunctionEnvironmentIsWellFormed(cx, enclosingEnv), at js/src/jsfun.cpp:2093
Build version: mozilla-central revision 2ed7e61b988d+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

function eval(source) {
    offThreadCompileModule(source);
    let m = finishOffThreadModule();
    m.declarationInstantiation();
    return m.evaluation();
}
function runTestCase(testcase) {
    if (testcase() !== true) {}
}
eval(`
  function testcase() {
    function set () {}
  }
  runTestCase(testcase);
`);

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x00000000009279c8 in js::CloneFunctionReuseScript (cx=cx@entry=0x7ffff693f000, fun=fun@entry=..., enclosingEnv=..., enclosingEnv@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FIRST, newKind=newKind@entry=js::GenericObject, proto=..., proto@entry=...) at js/src/jsfun.cpp:2093
#0  0x00000000009279c8 in js::CloneFunctionReuseScript (cx=cx@entry=0x7ffff693f000, fun=fun@entry=..., enclosingEnv=..., enclosingEnv@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FIRST, newKind=newKind@entry=js::GenericObject, proto=..., proto@entry=...) at js/src/jsfun.cpp:2093
#1  0x0000000000af1be3 in js::CloneFunctionObjectIfNotSingleton (cx=cx@entry=0x7ffff693f000, fun=..., fun@entry=..., parent=..., proto=..., proto@entry=..., newKind=newKind@entry=js::GenericObject) at js/src/jsfuninlines.h:89
#2  0x0000000000ab5b26 in js::Lambda (cx=0x7ffff693f000, fun=..., parent=...) at js/src/vm/Interpreter.cpp:4290
#3  0x0000000000ac8573 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3452
#4  0x0000000000ace425 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#5  0x0000000000ad73fe in js::ExecuteKernel (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7ffff021d1c8) at js/src/vm/Interpreter.cpp:681
#6  0x0000000000ad77a0 in js::Execute (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x7ffff021d1c8) at js/src/vm/Interpreter.cpp:714
#7  0x0000000000c1135e in js::ModuleObject::evaluate (cx=cx@entry=0x7ffff693f000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:915
#8  0x0000000000b27b1f in intrinsic_EvaluateModule (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=0x7ffff021d1c8) at js/src/vm/SelfHosting.cpp:2201
#9  0x0000000000addf19 in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0xb27a90 <intrinsic_EvaluateModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
This is an automated crash issue comment:

Summary: Crash [@ js::Shape::slot]
Build version: mozilla-central revision 2ed7e61b988d+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

const libdir = "/srv/repos/mozilla-central/js/src/jit-test/lib/";
load(libdir + "iteration.js");
function* f4(get = [1], f2, ...each) {}
it = f4();
assertIteratorResult(it.return(-2), 2, false);

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x00000000006109b1 in js::Shape::slot (this=0x0) at js/src/vm/Shape.h:830
#0  0x00000000006109b1 in js::Shape::slot (this=0x0) at js/src/vm/Shape.h:830
#1  0x0000000000a9b13d in js::SetReturnValueForClosingGenerator (cx=cx@entry=0x7ffff693f000, frame=...) at js/src/vm/GeneratorObject.cpp:111
#2  0x0000000000aa1909 in js::HandleClosingGeneratorReturn (cx=0x7ffff693f000, frame=..., ok=true) at js/src/vm/Interpreter.cpp:1210
#3  0x0000000000ac1d94 in HandleError (regs=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:1270
#4  Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:4121
#5  0x0000000000ace425 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#6  0x0000000000ace6d5 in js::InternalCallOrConstruct (cx=0x7ffff693f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:472
#7  0x0000000000ac9418 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:505
#8  Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:2915
[...]
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7551
rax	0x0	0
rbx	0x7ffff693f000	140737330278400
rcx	0x0	0
rdx	0x4	4
rsi	0x7ffff693f000	140737330278400
rdi	0x0	0
rbp	0x7fffffffd170	140737488343408
rsp	0x7fffffffd120	140737488343328
r8	0xffffffff	4294967295
r9	0x2e	46
r10	0x7ffff021d1e8	140737222136296
r11	0xfffffffffffffff5	-11
r12	0x7ffff0700a00	140737227262464
r13	0x7fffffffd130	140737488343344
r14	0x1d68020	30834720
r15	0x7fffffffd840	140737488345152
rip	0x6109b1 <js::Shape::slot() const+1>
=> 0x6109b1 <js::Shape::slot() const+1>:	testb  $0x40,0x14(%rdi)
   0x6109b5 <js::Shape::slot() const+5>:	mov    %rsp,%rbp


Test requires iteration.js, provided by jit-tests in mozilla-central.
(Assignee)

Comment 104

3 years ago
Created attachment 8781299 [details] [diff] [review]
Rollup for fuzzing v11

Applies on top of m-c 054d4856cea6
(Assignee)

Updated

3 years ago
Attachment #8780784 - Attachment is obsolete: true
Attachment #8780784 - Flags: feedback?(gary)
Attachment #8780784 - Flags: feedback?(choller)
(Assignee)

Updated

3 years ago
Attachment #8781299 - Attachment is obsolete: true
(Assignee)

Comment 105

3 years ago
Created attachment 8781341 [details] [diff] [review]
Rollup for fuzzing v11
This is an automated crash issue comment:

Summary: Assertion failure: frame.stackDepth() == 0, at js/src/jit/BaselineCompiler.cpp:3982
Build version: mozilla-central revision 054d4856cea6+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu
Runtime options: --fuzzing-safe --ion-eager

Testcase:

(function* of([d] = eval("var MYVAR=new String('0Xf');++MYVAR"), ...get) {})();

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x089ac436 in js::jit::BaselineCompiler::emit_JSOP_GENERATOR (this=0xffffbaf0) at js/src/jit/BaselineCompiler.cpp:3982
#0  0x089ac436 in js::jit::BaselineCompiler::emit_JSOP_GENERATOR (this=0xffffbaf0) at js/src/jit/BaselineCompiler.cpp:3982
#1  0x089d1c71 in js::jit::BaselineCompiler::emitBody (this=0xffffbaf0) at js/src/jit/BaselineCompiler.cpp:990
#2  0x089d2cc9 in js::jit::BaselineCompiler::compile (this=0xffffbaf0) at js/src/jit/BaselineCompiler.cpp:115
#3  0x08202fa1 in js::jit::BaselineCompile (cx=0xf7934000, script=0xf155e100, forceDebugInstrumentation=false) at js/src/jit/BaselineJIT.cpp:298
#4  0x08203854 in CanEnterBaselineJIT (cx=cx@entry=0xf7934000, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0) at js/src/jit/BaselineJIT.cpp:337
#5  0x08203a0b in js::jit::CanEnterBaselineMethod (cx=0xf7934000, state=...) at js/src/jit/BaselineJIT.cpp:399
#6  0x082d156c in js::jit::CanEnter (cx=0xf7934000, state=...) at js/src/jit/Ion.cpp:2558
#7  0x086f6f5c in js::RunScript (cx=0xf7934000, state=...) at js/src/vm/Interpreter.cpp:376
#8  0x086f7243 in js::InternalCallOrConstruct (cx=0xf7934000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:472
#9  0x086f747d in InternalCall (cx=cx@entry=0xf7934000, args=...) at js/src/vm/Interpreter.cpp:499
#10 0x086f75cf in js::CallFromStack (cx=0xf7934000, args=...) at js/src/vm/Interpreter.cpp:505
#11 0x089d6618 in js::jit::DoCallFallback (cx=0xf7934000, frame=0xffffce58, stub_=0xf1373010, argc=0, vp=0xffffce28, res=...) at js/src/jit/BaselineIC.cpp:5985
#12 0xf7be367c in ?? ()
Comment on attachment 8781341 [details] [diff] [review]
Rollup for fuzzing v11

I didn't find more issues apart from the ones I mentioned already.

I suggest we land this as long as it remains that stable and find any remaining bugs when it landed :)
Attachment #8781341 - Flags: feedback+
Comment on attachment 8781341 [details] [diff] [review]
Rollup for fuzzing v11

I have been busy lately so have not been focused too much on this, but most of the fuzzblockers seem to be gone on Linux so I agree with :decoder, let's land it and we can file follow-up bugs later.
Attachment #8781341 - Flags: feedback+
(Assignee)

Comment 112

2 years ago
Created attachment 8782672 [details] [diff] [review]
Use UniquePtrs for Scope data.
Attachment #8782672 - Flags: review?(jwalden+bmo)
Comment on attachment 8782672 [details] [diff] [review]
Use UniquePtrs for Scope data.

Review of attachment 8782672 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/public/RootingAPI.h
@@ +1127,5 @@
> +
> +template <typename Outer, typename T, typename D>
> +class UniquePtrOperations
> +{
> +    const js::UniquePtr<T, D>& uniquePtr() const { return static_cast<const Outer*>(this)->get(); }

Don't think you need the js:: on UniquePtr in the various places here.

@@ +1144,5 @@
> +};
> +
> +template <typename T, typename D>
> +class RootedBase<js::UniquePtr<T, D>>
> +  : public MutableUniquePtrOperations<JS::Rooted<js::UniquePtr<T, D>>, T, D> { };

Most excellent.  I think we put {} on its own line usually, tho.

::: js/src/vm/Runtime.h
@@ +1677,5 @@
> +    struct DeletePolicy<Data> : public js::GCManagedDeletePolicy<Data>  \
> +    { }
> +
> +DEFINE_SCOPE_DATA_DELETEPOLICY(js::FunctionScope::Data);
> +DEFINE_SCOPE_DATA_DELETEPOLICY(js::ModuleScope::Data);

I'd prefer just typing this out, no macros.

::: js/src/vm/Scope.cpp
@@ +243,5 @@
>  
>      if (mode == XDR_ENCODE) {
>          data.set(&scope->data());
>      } else {
> +        data.set(NewEmptyScopeData<ConcreteScope>(cx, length).release());

The explicit, and necessary, js_free of this in the loop below still ensaddens me.  I dunno that we can get rid of it, unfortunately.

Still, looks like we got rid of the vast majority of js_free, so this looks overall pretty winning.

@@ +334,1 @@
>              return nullptr;

I guess |scopeClone| doesn't leak here because it's GC-managed?  And there's no GC hazard because CopyScopeData returns manually-managed memory and can never GC?  Fugly, but I guess okay?
Attachment #8782672 - Flags: review?(jwalden+bmo) → review+
Here's a test that fails for me; if you add an eval("") in the loop it passes. (Run with -e 'const libdir="jit-test/lib/";' .)


// TDZ checks work in destructuring default expressions,
// even after the variables are initialized the first time.

load(libdir + "asserts.js");

assertThrowsInstanceOf(() => {
    // should throw the second time through: b is uninitialized
    for (const {a=b, b} of [{a:1, b:2}, {b:3}]) {}
}, ReferenceError);
(Assignee)

Comment 115

2 years ago
Created attachment 8783055 [details] [diff] [review]
Fix per-iteration TDZ in for-of and for-in for frame slots.

Good catch
Attachment #8783055 - Flags: review?(jorendorff)
Comment on attachment 8779082 [details] [diff] [review]
Rewrite the frontend: bindings.

Review of attachment 8779082 [details] [diff] [review]:
-----------------------------------------------------------------

Splinter almost gave me a heart attack today when I thought this review was lost. Nothing was lost - it just didn't show up for me because the patch is obsolete, and I accidentally started reviewing a later one in a separate tab.

I did not read every line but this has to land. I mostly stuck to the parts of the code you said to read, plus all the headers, the tests, and a few other random files.

This is awesome. I sort of wish the mega-renamings had been separate patches, in case you plan on doing this again... but no complaints.

::: js/src/ds/InlineTable.h
@@ +4,5 @@
> + * License, v. 2.0. If a copy of the MPL was not distributed with this
> + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
> +
> +#ifndef ds_InlineMap_h
> +#define ds_InlineMap_h

might as well update these

::: js/src/frontend/FoldConstants.cpp
@@ -904,5 @@
> -        // Don't decay the overall expression if the replacement node is a
> -        // a definition.
> -        //
> -        // The rationale for this pre-existing restriction is unclear; if you
> -        // discover it, please document it!  Speculation is that it has

lol

::: js/src/frontend/NameCollections.h
@@ +19,5 @@
> +// BytecodeEmitter create many maps for name analysis that are short-lived
> +// (i.e., for the duration of parsing or emitting a lexical scope). Making
> +// them recyclable cuts down significantly on allocator churn.
> +template <typename RepresentativeCollection, typename ConcreteCollectionPool>
> +class CollectionPool

This code, the whole file, is pretty... "all-in", relative to the importance of what it's doing. What I mean is: CRTP + 50-line #define + `##` usage + reinterpret_cast across unrelated types + void** + unions...

I don't have a specific productive comment, just ...are you sure [y/N]?

::: js/src/frontend/ParseNode.h
@@ -1002,5 @@
>      void dump(int indent);
>  #endif
>  };
>  
> -struct BinaryObjNode : public ParseNode

OMG good riddance

@@ -1495,5 @@
>  void DumpParseTree(ParseNode* pn, int indent = 0);
>  #endif
>  
> -/*
> - * js::Definition is a degenerate subtype of the PN_FUNC and PN_NAME variants

Same comment here and on all the other lines of this file

::: js/src/jit-test/tests/arguments/defaults-scoping.js
@@ +3,2 @@
>  var x = 'global';
>  function f(a=x) {  // local variable x

update the comment, fwiw?

@@ +9,3 @@
>  
> +var i = 42;
> +function g(f=function () { return ++i; }) {  // closes on global variable x

global variable i, not x

@@ +32,3 @@
>  }
>  assertEq(j("expr"), "expr");
> +assertThrowsInstanceOf(() => j("v"), ReferenceError);

What happens when there's a direct eval in an argument default expression could definitely stand to be tested more. In particular, the way each default expression gets its own VarEnvironmentObject, which can be mutated by separate sloppy evals in the same default expression ... we should have a test that does that, if only because the spec is nuts. :-|

::: js/src/tests/ecma_6/LexicalEnvironment/const-declaration-in-for-loop.js
@@ +46,5 @@
>  
>  // We don't support for (const ... in ...) or for (const ... of ...) yet.  When
>  // we do, these all should start passing without throwing a syntax error, and
>  // we can remove the try/catch here, and the ultimate throw-canary forcing this
>  // test to be updated.

Please delete the comment too.

::: js/src/vm/EnvironmentObject.h
@@ +39,5 @@
> +extern JSScript*
> +EnvironmentCoordinateFunctionScript(JSScript* script, jsbytecode* pc);
> +
> +
> +/*** Environment objects *****************************************************/

Please put this in here:

/*** Environment objects *****************************************************/

/*
 * About environments
 * ------------------
 *
 * (See also: ecma262 rev c7952de (19 Aug 2016) 8.1 "Lexical Environments".)
 *
 * Scoping in ES is specified in terms of "Environment Records". There's a
 * global Environment Record per realm, and a new Environment Record is created
 * whenever control enters a function, block, or other scope.
 *
 * A "Lexical Environment" is a list of nested Environment Records, innermost
 * first: everything that's in scope. Throughout SpiderMonkey, "environment"
 * means a Lexical Environment.
 *
 * N.B.: "Scope" means something different: a static scope, the compile-time
 * analogue of an environment. See Scope.h.
 *
 * How SpiderMonkey represents environments
 * ----------------------------------------
 *
 * Some environments are stored as JSObjects. Several kinds of objects
 * represent environments:
 *
 *   JSObject
 *    |
 *    +--NativeObject
 *    |   |
 *    |   +--EnvironmentObject             Engine-internal environment
 *    |   |   |
 *    |   |   +--CallObject                    Environment of entire function
 *    |   |   |
 *    |   |   +--ModuleEnvironmentObject       Module top-level environment
 *    |   |   |
 *    |   |   +--LexicalEnvironmentObject      Lexical (block) environment
 *    |   |   |   |
 *    |   |   |   +--NamedLambdaObject             Environment for `(function f(){...})`
 *    |   |   |                                        containing only a binding for `f`
 *    |   |   +--VarEnvironmentObject          See VarScope in Scope.h.
 *    |   |   |
 *    |   |   +--WithEnvironmentObject         Presents object properties as bindings
 *    |   |   |
 *    |   |   +--NonSyntacticVariablesObject   See "Non-syntactic environments" below
 *    |   |
 *    |   +--GlobalObject                  The global environment
 *    |
 *    +--ProxyObject
 *        |
 *        +--DebugEnvironmentProxy         Environment for debugger eval-in-frame
 *
 * EnvironmentObjects are technically real JSObjects but only belong on the
 * environment chain (that is, fp->environmentChain() or fun->environment()).
 * They are never exposed to scripts.
 *
 * Note that reserved slots in any base classes shown above are fixed for all
 * derived classes. So e.g. EnvironmentObject::enclosingEnvironment() can
 * simply access a fixed slot without further dynamic type information.
 *
 * When the current environment is represented by an object, the stack frame
 * has a pointer to that object (see AbstractFramePtr::environmentChain()).
 * However, that isn't always the case. Where possible, we store binding values
 * in JS stack slots. For block and function scopes where all bindings can be
 * stored in stack slots, nothing is allocated in the heap; there is no
 * environment object.
 *
 * Full information about the environment chain is always recoverable:
 * EnvironmentIter can do it, and we construct a fake environment for debugger
 * eval-in-frame (see "Debug environment objects" below).
 *
 * Syntactic Environments
 * ----------------------
 *
 * Environments may be syntactic, i.e., corresponding to source text, or
 * non-syntactic, i.e., specially created by embedding.
 *

The comment should do a better job of explaining why this distinction matters so much. It has never really been clear to me.

 * CallObject, ModuleEnvironmentObject, and LexicalEnvironmentObject always
 * represent syntactic environments. (CallObject is considered syntactic even
 * when it's used as the scope of strict eval code.) WithEnvironmentObject is
 * syntactic when it's used to represent the scope of a `with` block.
 *
 *
 * Non-syntactic Environments
 * --------------------------

...and from there on it's fine as-is.

@@ +76,5 @@
> + *
> + * Non-syntactic Environments
> + * --------------------------
> + *
> + * A non-syntactic environment is one that was not created due to source

due to JS source code

@@ +750,5 @@
> + * this, the engine assumes there is no debugger and optimizes scope access
> + * and creation accordingly. When the debugger wants to perform an unexpected
> + * eval-in-frame (or other, similar environment-requiring operations),
> + * fp->environmentChain is now incomplete: it may not contain all, or any, of
> + * the EnvironmentObjects to represent the current scope.

"may not" is misleading, so replace the part after the colon with "any or all of the EnvironmentObjects representing the current environment may have been optimized away." (or just delete the colon and everything after it, your call)

@@ +956,5 @@
> +IsGlobalLexicalEnvironment(JSObject* env)
> +{
> +    return env->is<LexicalEnvironmentObject>() &&
> +           env->as<LexicalEnvironmentObject>().isGlobal();
> +}

Not in this version of the patch, but in Github:

>     // An frame's initial environment is the innermost environment

typo ("An frame")

And:

>    // If a function frame's CallObject, if present, is always the initial

typo ("If a" should be "A")

::: js/src/vm/Interpreter-inl.h
@@ +375,5 @@
>  
> +    if (varobj->is<GlobalObject>()) {
> +        if (!varobj->compartment()->addToVarNames(cx, dn))
> +            return false;
> +    }

Shaking my head. I can't believe this got into the standard. The test for this is just ridiculous.

::: js/src/vm/Scope.h
@@ +276,5 @@
> +};
> +
> +//
> +// A lexical scope that holds let and const bindings. There are 3 kinds of
> +// LexicalScopes.

Comment goes on to describe only two kinds. NamedLambda and StrictNamedLambda are missing. ;)

@@ +628,5 @@
> +//
> +// Scope of an eval. Holds var bindings. There are 2 kinds of EvalScopes.
> +//
> +// ScopeKind::StrictEval
> +//   A strict eval. Corresponds to a CallObject, where its var bindings lives.

VarEnvironmentObject, not CallObject

@@ +633,5 @@
> +//
> +// ScopeKind::Eval
> +//   A sloppy eval. If this is a direct `eval()` call inside a parameter
> +//   default value expression, then this is like a StrictEval scope (per
> +//   spec). Anywhere else, this is an empty scope, used only in the frontend,

Is this comment correct? The implementation doesn't seem to treat this scope "like a StrictEval scope": it doesn't emit JSOP_PUSHVARENV, anyway, and it wasn't clear what else this was supposed to mean.

::: js/src/vm/Stack-inl.h
@@ +182,5 @@
>  {
> +    MOZ_ASSERT(*environmentChain() == env.enclosingEnvironment());
> +    envChain_ = &env;
> +    if (mozilla::IsSame<SpecificEnvironment, CallObject>::value ||
> +        mozilla::IsSame<SpecificEnvironment, VarEnvironmentObject>::value)

I had a comment about this, but it looks like you already factored this out into a function (because it got weirder).  Yay?

::: js/src/vm/Stack.h
@@ +280,5 @@
>  
>          RESUMED_GENERATOR      =        0x2,  /* frame is for a resumed generator invocation */
>  
>          /* Function prologue state */
> +        HAS_INITIAL_ENV        =        0x4,  /* call obj created function or var env for eval */

This comment didn't help me.

@@ +481,5 @@
>       * arguments, missing formal arguments are padded with |undefined|.
>       *
> +     * When a local/formal variable is aliased (accessed by nested closures,
> +     * environment operations, or 'arguments'), the canonical location for
> +     * that value is the slot of an activation object.  Aliased locals don't

Can we s/activation/environment/ globally?

@@ +525,2 @@
>       *
> +     * Given that an InterpreterFrame corresponds roughly to a ES5 Execution

While you're here: "a ES5" -> "an ES".

(Really this whole comment is not great.)
Comment on attachment 8780730 [details] [diff] [review]
Rewrite the frontend: bindings.

Review of attachment 8780730 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsscript.cpp
@@ +279,5 @@
>  {
> +    ScopeArray* scopes = script->scopes();
> +    GCPtrScope* vector = scopes->vector;
> +    unsigned length = scopes->length;
> +    for (uint32_t i = 0; i < length; ++i) {

Types of `length` and `i` might as well match here.

::: js/src/octane/run-deltablue.js
@@ +51,5 @@
>  }
>  
>  
>  BenchmarkSuite.config.doWarmup = undefined;
> +BenchmarkSuite.config.doDeterministic = true;

Looks like you probably don't mean to land this.
Attachment #8783055 - Flags: review?(jorendorff) → review+
Attachment #8780730 - Flags: review?(jorendorff) → review+
Created attachment 8784200 [details]
Review comments

Apologies for the format, Bugzilla claims to me that I can't post review comments longer than 64K or something insane.  IT'S NOT MY FAULT!

I think the only thing that really needs my over-IRC discussion, is the naming of notePositionalFormalParameter and all the other note* functions.  Will try to catch you so we can iron that out firstmost, then you won't be blocked because I happen not to be around to discuss something.
Attachment #8780730 - Flags: review?(jwalden+bmo) → review+
(Assignee)

Comment 119

2 years ago
THANK YOU FRIENDS FOR REVIEWING
Blocks: 1297706

Comment 121

2 years ago
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/dbf7b0e7dc66
Fix Scope->zone() comparison to use zoneFromAnyThread to fix CLOSED TREE.

Comment 122

2 years ago
FYI, this rewrite improved a few benchmarks on AWFY: Octane-MandreelLatency and SS-date-format-tofte
(Assignee)

Updated

2 years ago
Attachment #8780730 - Flags: review?(efaustbmo)
Depends on: 1298356
Depends on: 1298568
Depends on: 1298570
Blocks: 1298640
Depends on: 1298656
Depends on: 1298854
Depends on: 1299121

Updated

2 years ago
Duplicate of this bug: 1296441
Depends on: 1300528
Depends on: 1300517
Depends on: 1298778
Depends on: 1303118
Depends on: 1301301
Depends on: 1304649
Depends on: 1287047
Depends on: 1305333
Depends on: 1302432
Depends on: 1302692
Depends on: 1312525
Depends on: 1311316
Depends on: 1316832
Depends on: 1317329
Depends on: 1315856
Depends on: 1324773

Updated

2 years ago
Duplicate of this bug: 1329949
Depends on: 1342101
Depends on: 1358073
Depends on: 1368360

Updated

2 years ago
See Also: → bug 1376090
Depends on: 1385843
You need to log in before you can comment on or make changes to this bug.