Closed Bug 1359622 Opened 7 years ago Closed 7 years ago

Assertion failure: !fun->infallibleIsDefaultClassConstructor(cx), at js/src/jsfun.cpp:1091

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla55
Tracking Status
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 --- fixed

People

(Reporter: decoder, Assigned: shu)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision a30dc237c3a6 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

setDiscardSource(true);  // shell-only testing function: new scripts in this compartment keep no source text
evaluate(`
  // unescape() applies ToString to its argument, which calls Function.prototype.toString
  // on the class constructor (a default constructor here, since none is written).
  unescape(class get { static staticMethod() {} });
`);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000099e963 in js::FunctionToString (cx=cx@entry=0x7ffff694c000, fun=..., prettyPrint=prettyPrint@entry=true) at js/src/jsfun.cpp:1091
#0  0x000000000099e963 in js::FunctionToString (cx=cx@entry=0x7ffff694c000, fun=..., prettyPrint=prettyPrint@entry=true) at js/src/jsfun.cpp:1091
#1  0x000000000099ea40 in fun_toStringHelper (cx=cx@entry=0x7ffff694c000, obj=..., obj@entry=..., indent=0) at js/src/jsfun.cpp:1120
#2  0x00000000009a40eb in js::fun_toString (cx=0x7ffff694c000, argc=<optimized out>, vp=<optimized out>) at js/src/jsfun.cpp:1152
#3  0x0000000000547a8f in js::CallJSNative (cx=cx@entry=0x7ffff694c000, native=0x9a3fd0 <js::fun_toString(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
#4  0x000000000053c9f3 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff694c000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
#5  0x000000000053ce08 in InternalCall (cx=cx@entry=0x7ffff694c000, args=...) at js/src/vm/Interpreter.cpp:515
#6  0x000000000053cf3d in js::Call (cx=cx@entry=0x7ffff694c000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:534
#7  0x00000000009ecb02 in js::Call (rval=..., thisObj=<optimized out>, fval=..., cx=0x7ffff694c000) at js/src/vm/Interpreter.h:96
#8  MaybeCallMethod (cx=cx@entry=0x7ffff694c000, obj=..., obj@entry=..., id=..., id@entry=..., vp=vp@entry=...) at js/src/jsobj.cpp:3007
#9  0x00000000009f10fe in JS::OrdinaryToPrimitive (cx=cx@entry=0x7ffff694c000, obj=obj@entry=..., hint=hint@entry=JSTYPE_STRING, vp=..., vp@entry=...) at js/src/jsobj.cpp:3053
#10 0x00000000009f1645 in js::ToPrimitiveSlow (cx=cx@entry=0x7ffff694c000, preferredType=preferredType@entry=JSTYPE_STRING, vp=..., vp@entry=...) at js/src/jsobj.cpp:3138
#11 0x0000000000a4ffb2 in js::ToPrimitive (vp=..., preferredType=JSTYPE_STRING, cx=0x7ffff694c000) at js/src/jsobj.h:1063
#12 js::ToStringSlow<(js::AllowGC)1> (cx=cx@entry=0x7ffff694c000, arg=...) at js/src/jsstr.cpp:3447
#13 0x0000000000a38431 in js::ToString<(js::AllowGC)1> (v=..., cx=0x7ffff694c000) at js/src/jsstr.h:172
#14 ArgToRootedString (cx=cx@entry=0x7ffff694c000, args=..., argno=0) at js/src/jsstr.cpp:83
#15 0x0000000000a3e434 in str_unescape (cx=0x7ffff694c000, argc=<optimized out>, vp=<optimized out>) at js/src/jsstr.cpp:321
#16 0x0000000000547a8f in js::CallJSNative (cx=cx@entry=0x7ffff694c000, native=0xa3e3e0 <str_unescape(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
[...]
#24 0x0000000000944ed3 in JS_ExecuteScript (cx=cx@entry=0x7ffff694c000, scriptArg=scriptArg@entry=..., rval=...) at js/src/jsapi.cpp:4537
#25 0x000000000045e50e in Evaluate (cx=0x7ffff694c000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:1860
[...]
#39 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8684
rax	0x0	0
rbx	0x1	1
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffb3b0	140737488335792
rsp	0x7fffffffb270	140737488335472
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7ffff694c000	140737330331648
r13	0x7fffffffb2e0	140737488335584
r14	0x7fffffffb2a0	140737488335520
r15	0x0	0
rip	0x99e963 <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool)+1507>
=> 0x99e963 <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool)+1507>:	movl   $0x0,0x0
   0x99e96e <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool)+1518>:	ud2
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/751cc121aa3f
user:        Shu-yu Guo
date:        Mon Apr 17 19:51:34 2017 -0700
summary:     Bug 1216630 - Print class source when calling toString on the constructor. (r=Yoric)

changeset:   https://hg.mozilla.org/mozilla-central/rev/8f3e4478d23a
user:        Shu-yu Guo
date:        Mon Apr 17 19:51:35 2017 -0700
summary:     Bug 1216630 - Rename preludeStart and postludeEnd to toStringStart and toStringEnd and misc fixes. (r=Yoric)

Shu-yu, is bug 1216630 a likely regressor?
Blocks: 1216630
Flags: needinfo?(shu)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
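The backtrace above shows the assertion being reached indirectly: str_unescape calls ToString, which goes through OrdinaryToPrimitive with hint "string" and ends up in fun_toString on the class constructor. The added example below (not part of the bug report or of the SpiderMonkey sources) reproduces that coercion path on an engine that keeps source text, and checks the ES2015 behaviour the regressing commits implement, namely that Function.prototype.toString on a class constructor returns the whole class text even when the constructor is the synthesized default one. The helper `ordinaryToPrimitiveString` is an illustrative re-implementation of the spec's OrdinaryToPrimitive ordering, not engine code; `setDiscardSource` has no equivalent outside the SpiderMonkey shell, so the discarded-source case itself cannot be exercised here.

```javascript
// Illustrative mirror of OrdinaryToPrimitive(obj, "string"): try toString,
// then valueOf, and accept the first primitive result. Engines do this
// internally whenever unescape()/String()/template literals receive an object.
function ordinaryToPrimitiveString(obj) {
  for (const name of ["toString", "valueOf"]) {
    const method = obj[name];
    if (typeof method === "function") {
      const result = method.call(obj);
      if (result === null || typeof result !== "object") return result;
    }
  }
  throw new TypeError("Cannot convert object to primitive value");
}

// Same shape as the fuzzer testcase: a default (synthesized) constructor
// plus a static method. `get` is a contextual keyword, so it is a legal name.
class get { static staticMethod() {} }

// Class with an explicit constructor, for comparison.
class Explicit { constructor(x) { this.x = x; } }

// Returns the source text an engine must produce for a class constructor,
// reached through implicit coercion rather than a direct .toString() call.
function classSourceViaCoercion(cls) {
  return ordinaryToPrimitiveString(cls);
}

// Collects the properties a conformance check for this case would assert on.
function sourceChecks() {
  const viaToString = get.toString();
  const viaCoercion = classSourceViaCoercion(get);
  const viaUnescape = unescape(get); // the exact entry point seen in the backtrace
  return {
    // The whole `class ... { ... }` text, not just a synthesized constructor.
    startsWithClass: viaToString.startsWith("class get"),
    includesStatic: viaToString.includes("static staticMethod"),
    // Implicit coercion and the Annex B unescape() path yield the same text.
    coercionMatches: viaCoercion === viaToString,
    unescapeMatches: viaUnescape === viaToString,
    // An explicit constructor is simply part of the returned class text.
    explicitHasCtor: Explicit.toString().includes("constructor(x)"),
    // Both classes share the single Function.prototype.toString intrinsic.
    sameIntrinsic: get.toString === Explicit.toString,
  };
}
```

Run under Node or any modern engine; every field of `sourceChecks()` is expected to be `true`. The default-constructor case is the interesting one for this bug: that constructor has no source span of its own, so an engine has to print the enclosing class's text, and with the compartment's source discarded there is nothing to print, which is the situation the fuzzer hit.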
Attachment #8865030 - Flags: review?(dteller)
Flags: needinfo?(shu)
Attachment #8865030 - Flags: review?(dteller) → review+
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3258871b4902
Fix assert for calling Function.toString on class constructors when the compartment has had source discarded. (r=Yoric)
Backout by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/11f3f002c7f4
Backed out changeset 3258871b4902 for browser_CTP_crashreporting.js | Uncaught exception - Timed out waiting for plugin binding to be in success state - timed out after 50 tries.
Backed this out in https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=11f3f002c7f4b8bc55678ddf9a902d8d36e1015b for causing https://treeherder.mozilla.org/logviewer.html#?job_id=97937052&repo=mozilla-inbound, which started at least with this push. Not sure which of the 3 changes causes it, so backing it out.
Flags: needinfo?(shu)
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e1a5bcc62058
Fix assert for calling Function.toString on class constructors when the compartment has had source discarded. (r=Yoric)
https://hg.mozilla.org/mozilla-central/rev/e1a5bcc62058
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Flags: needinfo?(shu)
Assignee: nobody → shu
Flags: in-testsuite+