Assertion failure: BytecodeIsJumpTarget(JSOp(*tryTarget)), at js/src/jsscript.cpp:2808

RESOLVED FIXED in Firefox 53

Status: RESOLVED FIXED
Severity: critical
Reporter: gkw
Assignee: Unassigned
Blocks: 2 bugs
Keywords: assertion, jsbugmon, testcase
Version: Trunk
Target Milestone: mozilla53
Platform: x86_64, Mac OS X
Firefox Tracking Flags: firefox53 fixed
Whiteboard: [jsbugmon:update]
Attachments: 3 attachments

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision b3774461acc6 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

See attachment.

Backtrace:

0   js-dbg-64-dm-clang-darwin-b3774461acc6	0x0000000102e79bfa JSScript::assertValidJumpTargets() const + 1530 (jsscript.cpp:2808)
1   js-dbg-64-dm-clang-darwin-b3774461acc6	0x0000000102e791f4 JSScript::fullyInitFromEmitter(js::ExclusiveContext*, JS::Handle<JSScript*>, js::frontend::BytecodeEmitter*) + 2212 (jsscript.cpp:2745)
2   js-dbg-64-dm-clang-darwin-b3774461acc6	0x0000000102f8be9a js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) + 922 (BytecodeEmitter.cpp:4500)
3   js-dbg-64-dm-clang-darwin-b3774461acc6	0x0000000102f8b8e9 BytecodeCompiler::compileScript(JS::Handle<JSObject*>, js::frontend::SharedContext*) + 569 (BytecodeCompiler.cpp:340)
4   js-dbg-64-dm-clang-darwin-b3774461acc6	0x0000000102f8c229 BytecodeCompiler::compileGlobalScript(js::ScopeKind) + 201 (SharedContext.h:373)
/snip

For detailed crash information, see attachment.
(Reporter)

Comment 1

2 years ago
Created attachment 8828202 [details]
Detailed Crash Information
(Reporter)

Comment 2

2 years ago
Created attachment 8828203 [details]
Testcase
(Reporter)

Comment 3

2 years ago
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/757b50c0ee48
user:        Shu-yu Guo
date:        Sat Jan 14 14:51:38 2017 -0800
summary:     Bug 1147371 - Implement IteratorClose for for-of. (r=arai)

changeset:   https://hg.mozilla.org/mozilla-central/rev/8ad6c93e5162
user:        Shu-yu Guo
date:        Sat Jan 14 14:51:38 2017 -0800
summary:     Bug 1147371 - Rename allowContentSpread to allowContentIter. (r=arai)

changeset:   https://hg.mozilla.org/mozilla-central/rev/d7d332a5b2e8
user:        Shu-yu Guo
date:        Sat Jan 14 14:51:38 2017 -0800
summary:     Bug 1147371 - Convert self-hosted code that need to call IteratorClose to use for-of. (r=arai)

changeset:   https://hg.mozilla.org/mozilla-central/rev/ce293b3c0a8b
user:        Shu-yu Guo
date:        Sat Jan 14 14:51:38 2017 -0800
summary:     Bug 1147371 - Implement IteratorClose for array destructuring. (r=arai)

changeset:   https://hg.mozilla.org/mozilla-central/rev/e0dc4150f8ac
user:        Shu-yu Guo
date:        Sat Jan 14 14:51:39 2017 -0800
summary:     Bug 1147371 - Implement calling IteratorClose and "return" on iterators in yield*. (r=jandem)

Shu-yu, is bug 1147371 a likely regressor?

I tried to further reduce the testcase but for some reason the symptoms seemed to disappear as one reduces.
Blocks: 1147371
Flags: needinfo?(shu)

Comment 4

2 years ago
Created attachment 8828216 [details] [diff] [review]
Skip non-try-related trynotes when asserting jump targets.
Attachment #8828216 - Flags: review?(arai.unmht)

Updated

2 years ago
Flags: needinfo?(shu)

Updated

2 years ago
Attachment #8828216 - Flags: review?(arai.unmht) → review+

Comment 5

2 years ago
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/adbedc3ae1b4
Skip non-try-related trynotes when asserting jump targets. (r=arai)

Comment 6

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/adbedc3ae1b4
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox53: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53