1340089 - Crash [@ js::frontend::Parser<js::frontend::FullParseHandler>::switchStatement] or Assertion failure: keyNonZero(l), at js/src/ds/InlineTable.h:269

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision a9ec72f82299 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

"use strict";
eval("(for (let of y) x)");


Backtrace:

#0  0x00000000004b6548 in js::detail::InlineTable<js::InlineMap<JSAtom*, js::frontend::RecyclableAtomMapValueWrapper<js::frontend::DeclaredNameInfo>, 24ul, js::DefaultHasher<JSAtom*>, js::SystemAllocPolicy>::InlineEntry, js::InlineMap<JSAtom*, js::frontend::RecyclableAtomMapValueWrapper<js::frontend::DeclaredNameInfo>, 24ul, js::DefaultHasher<JSAtom*>, js::SystemAllocPolicy>::Entry, js::HashMap<JSAtom*, js::frontend::RecyclableAtomMapValueWrapper<js::frontend::DeclaredNameInfo>, js::DefaultHasher<JSAtom*>, js::SystemAllocPolicy>, js::DefaultHasher<JSAtom*>, js::SystemAllocPolicy, 24ul>::lookupForAdd (this=<optimized out>, l=<optimized out>) at js/src/ds/InlineTable.h:269
#1  0x00000000004b9768 in js::InlineMap<JSAtom*, js::frontend::RecyclableAtomMapValueWrapper<js::frontend::DeclaredNameInfo>, 24ul, js::DefaultHasher<JSAtom*>, js::SystemAllocPolicy>::lookupForAdd (l=@0x7ffe6f79c370: 0x0, this=<optimized out>) at js/src/ds/InlineTable.h:530
#2  js::frontend::ParseContext::Scope::lookupDeclaredNameForAdd (name=0x0, this=0x7ffe6f79c510) at js/src/frontend/Parser.h:145
#3  js::frontend::Parser<js::frontend::FullParseHandler>::noteDeclaredName (this=this@entry=0x7ffe6f79e040, name=name@entry=..., kind=kind@entry=js::frontend::DeclarationKind::Let, pos=..., pos@entry=...) at js/src/frontend/Parser.cpp:1419
#4  0x00000000004c4557 in js::frontend::Parser<js::frontend::FullParseHandler>::comprehensionFor (this=this@entry=0x7ffe6f79e040, comprehensionKind=comprehensionKind@entry=js::StarGenerator) at js/src/frontend/Parser.cpp:8088
/snip

For detailed crash information, see attachment.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/761227e357b9
user:        Tooru Fujisawa
date:        Wed Feb 15 23:53:05 2017 +0900
summary:     Bug 1336783 - Part 2: Remove Parser::checkStrictBinding. r=jwalden

Arai-san, is bug 1336783 a likely regressor?

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Opt stack for testcase

Comment 4

[Tooru Fujisawa [:arai]]

thanks!

forgot to handle null case.
I'll fix it shortly.

Comment 5

[Tooru Fujisawa [:arai]]

Attachment: Check the binding name in comprehensionFor.

just added null-check, after bindingIdentifier that can return null when the name is not valid.

Comment 6

[Till Schneidereit [:till]]

Comment on attachment 8838101 [details] [diff] [review]
Check the binding name in comprehensionFor.

Review of attachment 8838101 [details] [diff] [review]:
-----------------------------------------------------------------

Great tests, thank you!

Comment 7

[Tooru Fujisawa [:arai]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/e1850269c2e0f4509d5b82931a7c1a3feba5054b
Bug 1340089 - Check the binding name in comprehensionFor. r=till

Comment 8

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/e1850269c2e0