Closed
Bug 1265313
Opened 8 years ago
Closed 8 years ago
Assertion failure: CheckVarNameConflict(cx, lexicalScope, dn), at js/src/vm/Interpreter-inl.h:361
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla48
| | Tracking | Status |
|---|---|---|
| firefox48 | --- | fixed |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
1.78 KB, patch | jorendorff: review+
The following testcase crashes on mozilla-central revision f5a97eb5c89a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe):

let env
for (let i;;) try {} catch (env) { var env }

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0847e60f in js::DefVarOperation (cx=0xf7a70020, varobj=..., dn=..., attrs=5) at js/src/vm/Interpreter-inl.h:361
#0 0x0847e60f in js::DefVarOperation (cx=0xf7a70020, varobj=..., dn=..., attrs=5) at js/src/vm/Interpreter-inl.h:361
#1 0x086f6411 in Interpret (cx=cx@entry=0xf7a70020, state=...) at js/src/vm/Interpreter.cpp:3323
#2 0x086fe43f in js::RunScript (cx=cx@entry=0xf7a70020, state=...) at js/src/vm/Interpreter.cpp:426
#3 0x08703e2c in js::ExecuteKernel (cx=cx@entry=0xf7a70020, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:704
#4 0x08704122 in js::Execute (cx=cx@entry=0xf7a70020, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:737
#5 0x0851273c in ExecuteScript (cx=cx@entry=0xf7a70020, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4392
#6 0x08512916 in JS_ExecuteScript (cx=cx@entry=0xf7a70020, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4425
#7 0x0806eb95 in RunFile (compileOnly=false, file=<optimized out>, filename=0xffffda61 "min.js", cx=0xf7a70020) at js/src/shell/js.cpp:530
#8 Process (cx=0xf7a70020, filename=0xffffda61 "min.js", forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:803
#9 0x080da0ca in ProcessArgs (op=0xffffd780, cx=0xf7a70020) at js/src/shell/js.cpp:6743
#10 Shell (envp=<optimized out>, op=0xffffd780, cx=0xf7a70020) at js/src/shell/js.cpp:7071
#11 main (argc=3, argv=0xffffd8d4, envp=0xffffd8e4) at js/src/shell/js.cpp:7455
eax 0x0 0
ebx 0x986fefc 159842044
ecx 0xf7e4488c -136034164
edx 0x0 0
esi 0xf7a70020 -140050400
edi 0xffffcf98 -12392
ebp 0xffffce38 4294954552
esp 0xffffcdb0 4294954416
eip 0x847e60f <js::DefVarOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, unsigned int)+687>
=> 0x847e60f <js::DefVarOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, unsigned int)+687>: movl $0x169,0x0
   0x847e619 <js::DefVarOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, unsigned int)+697>: call 0x8101fa0 <abort()>
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160205134855" and the hash "140603de6df9cdd8ae6d2671ffc07379500fd719".
The "bad" changeset has the timestamp "20160205150953" and the hash "aa076a770ac03eff1d1f2ba4b0758f22f87acfaf".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=140603de6df9cdd8ae6d2671ffc07379500fd719&tochange=aa076a770ac03eff1d1f2ba4b0758f22f87acfaf
Comment 2•8 years ago
Looks like a scoping issue and shu is in the regression window (probably bug 1225041) => ni? shu.
Flags: needinfo?(shu)
Comment 3•8 years ago
Attachment #8742575 - Flags: review?(jorendorff)
Updated•8 years ago
Flags: needinfo?(shu)
Comment 4•8 years ago
Comment on attachment 8742575
Fix Annex B.3.5 handling with body-level lexicals.

Review of attachment 8742575:
-----------------------------------------------------------------
Argh.
Attachment #8742575 - Flags: review?(jorendorff) → review+
Comment 6•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/c2564073b2bb
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48