Closed Bug 1332155 Opened 6 years ago Closed 6 years ago

Assertion failure: BytecodeIsJumpTarget(JSOp(*tryTarget)), at js/src/jsscript.cpp:2808

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox53 --- fixed

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(3 files)

Detailed Crash Information
29.15 KB, text/plain
Details
Testcase
5.11 KB, text/plain
Details
Skip non-try-related trynotes when asserting jump targets.
1.05 KB, patch
arai
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision b3774461acc6 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

See attachment.

Backtrace:

0   js-dbg-64-dm-clang-darwin-b3774461acc6	0x0000000102e79bfa JSScript::assertValidJumpTargets() const + 1530 (jsscript.cpp:2808)
1   js-dbg-64-dm-clang-darwin-b3774461acc6	0x0000000102e791f4 JSScript::fullyInitFromEmitter(js::ExclusiveContext*, JS::Handle<JSScript*>, js::frontend::BytecodeEmitter*) + 2212 (jsscript.cpp:2745)
2   js-dbg-64-dm-clang-darwin-b3774461acc6	0x0000000102f8be9a js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) + 922 (BytecodeEmitter.cpp:4500)
3   js-dbg-64-dm-clang-darwin-b3774461acc6	0x0000000102f8b8e9 BytecodeCompiler::compileScript(JS::Handle<JSObject*>, js::frontend::SharedContext*) + 569 (BytecodeCompiler.cpp:340)
4   js-dbg-64-dm-clang-darwin-b3774461acc6	0x0000000102f8c229 BytecodeCompiler::compileGlobalScript(js::ScopeKind) + 201 (SharedContext.h:373)
/snip

For detailed crash information, see attachment.
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/757b50c0ee48
user:        Shu-yu Guo
date:        Sat Jan 14 14:51:38 2017 -0800
summary:     Bug 1147371 - Implement IteratorClose for for-of. (r=arai)

changeset:   https://hg.mozilla.org/mozilla-central/rev/8ad6c93e5162
user:        Shu-yu Guo
date:        Sat Jan 14 14:51:38 2017 -0800
summary:     Bug 1147371 - Rename allowContentSpread to allowContentIter. (r=arai)

changeset:   https://hg.mozilla.org/mozilla-central/rev/d7d332a5b2e8
user:        Shu-yu Guo
date:        Sat Jan 14 14:51:38 2017 -0800
summary:     Bug 1147371 - Convert self-hosted code that need to call IteratorClose to use for-of. (r=arai)

changeset:   https://hg.mozilla.org/mozilla-central/rev/ce293b3c0a8b
user:        Shu-yu Guo
date:        Sat Jan 14 14:51:38 2017 -0800
summary:     Bug 1147371 - Implement IteratorClose for array destructuring. (r=arai)

changeset:   https://hg.mozilla.org/mozilla-central/rev/e0dc4150f8ac
user:        Shu-yu Guo
date:        Sat Jan 14 14:51:39 2017 -0800
summary:     Bug 1147371 - Implement calling IteratorClose and "return" on iterators in yield*. (r=jandem)

Shu-yu, is bug 1147371 a likely regressor?

I tried to further reduce the testcase but for some reason the symptoms seemed to disappear as one reduces.
Blocks: 1147371
Flags: needinfo?(shu)
Flags: needinfo?(shu)
Attachment #8828216 - Flags: review?(arai.unmht) → review+
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/adbedc3ae1b4
Skip non-try-related trynotes when asserting jump targets. (r=arai)
https://hg.mozilla.org/mozilla-central/rev/adbedc3ae1b4
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox53: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in before you can comment on or make changes to this bug.