Closed Bug 1265313 Opened 8 years ago Closed 8 years ago

Assertion failure: CheckVarNameConflict(cx, lexicalScope, dn), at js/src/vm/Interpreter-inl.h:361

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
critical

RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision f5a97eb5c89a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe):

 let env
 for (let i;;) try {}
 catch (env) {
     var env
 }


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0847e60f in js::DefVarOperation (cx=0xf7a70020, varobj=..., dn=..., attrs=5) at js/src/vm/Interpreter-inl.h:361
#0  0x0847e60f in js::DefVarOperation (cx=0xf7a70020, varobj=..., dn=..., attrs=5) at js/src/vm/Interpreter-inl.h:361
#1  0x086f6411 in Interpret (cx=cx@entry=0xf7a70020, state=...) at js/src/vm/Interpreter.cpp:3323
#2  0x086fe43f in js::RunScript (cx=cx@entry=0xf7a70020, state=...) at js/src/vm/Interpreter.cpp:426
#3  0x08703e2c in js::ExecuteKernel (cx=cx@entry=0xf7a70020, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:704
#4  0x08704122 in js::Execute (cx=cx@entry=0xf7a70020, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:737
#5  0x0851273c in ExecuteScript (cx=cx@entry=0xf7a70020, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4392
#6  0x08512916 in JS_ExecuteScript (cx=cx@entry=0xf7a70020, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4425
#7  0x0806eb95 in RunFile (compileOnly=false, file=<optimized out>, filename=0xffffda61 "min.js", cx=0xf7a70020) at js/src/shell/js.cpp:530
#8  Process (cx=0xf7a70020, filename=0xffffda61 "min.js", forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:803
#9  0x080da0ca in ProcessArgs (op=0xffffd780, cx=0xf7a70020) at js/src/shell/js.cpp:6743
#10 Shell (envp=<optimized out>, op=0xffffd780, cx=0xf7a70020) at js/src/shell/js.cpp:7071
#11 main (argc=3, argv=0xffffd8d4, envp=0xffffd8e4) at js/src/shell/js.cpp:7455
eax	0x0	0
ebx	0x986fefc	159842044
ecx	0xf7e4488c	-136034164
edx	0x0	0
esi	0xf7a70020	-140050400
edi	0xffffcf98	-12392
ebp	0xffffce38	4294954552
esp	0xffffcdb0	4294954416
eip	0x847e60f <js::DefVarOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, unsigned int)+687>
=> 0x847e60f <js::DefVarOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, unsigned int)+687>:	movl   $0x169,0x0
   0x847e619 <js::DefVarOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, unsigned int)+697>:	call   0x8101fa0 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160205134855" and the hash "140603de6df9cdd8ae6d2671ffc07379500fd719".
The "bad" changeset has the timestamp "20160205150953" and the hash "aa076a770ac03eff1d1f2ba4b0758f22f87acfaf".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=140603de6df9cdd8ae6d2671ffc07379500fd719&tochange=aa076a770ac03eff1d1f2ba4b0758f22f87acfaf
Looks like a scoping issue and shu is in the regression window (probably bug 1225041) => ni? shu.
Flags: needinfo?(shu)
Comment on attachment 8742575
Fix Annex B.3.5 handling with body-level lexicals.

Review of attachment 8742575:
-----------------------------------------------------------------

Argh.
Attachment #8742575 - Flags: review?(jorendorff) → review+
https://hg.mozilla.org/mozilla-central/rev/c2564073b2bb
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
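
The testcase combines a body-level `let env` with a `var env` inside `catch (env)`, the combination the patch title refers to. As an added example (not code from this bug or its patch), the check below compiles the testcase and a few constructed variants and records whether each is rejected as an early SyntaxError, following the ECMAScript rule that a body-level lexical name may not also be var-declared and the Annex B.3.5 allowance for `var` redeclaring a simple catch parameter. The names `parses`, `CASES` and `mismatches` are hypothetical, and the sources are compiled as function bodies, where the same early-error rule applies as at script level.

```javascript
// Added example: classify snippets by whether the parser rejects them.
// Sources are only compiled with `new Function`, never executed, so the
// infinite `for (let i;;)` loop in the testcase never runs.
function parses(source) {
  try {
    new Function(source); // parse + early-error checks only
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is unexpected
  }
}

// Constructed cases, except the second one, which is the testcase from this bug.
// `ok` is the result the ECMAScript early-error rules require.
const CASES = [
  { name: "B.3.5: var redeclares simple catch parameter",
    src: "try {} catch (env) { var env }", ok: true },
  { name: "testcase: body-level let + var in catch",
    src: "let env\nfor (let i;;) try {}\ncatch (env) {\n    var env\n}", ok: false },
  { name: "same conflict without a catch clause",
    src: "let env; { var env }", ok: false },
  { name: "lexical redeclaration of catch parameter",
    src: "try {} catch (env) { let env }", ok: false },
  { name: "unrelated names",
    src: "let env; try {} catch (e) { var e }", ok: true },
];

// Names of the cases where the engine disagrees with the expected result.
function mismatches() {
  return CASES.filter(c => parses(c.src) !== c.ok).map(c => c.name);
}

for (const c of CASES) {
  console.log(`${parses(c.src) ? "accepted" : "rejected"}  ${c.name}`);
}
```

An engine that accepts the second case at parse time only discovers the `let`/`var` conflict when the `var` is defined at run time.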