Closed Bug 1363191 Opened 7 years ago Closed 6 years ago

Assertion failure: !redeclaredKind, at js/src/frontend/Parser.cpp:210

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 --- fixed

People

(Reporter: gkw, Assigned: shu)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
8.83 KB, text/plain
Details
Pop eval lexical scope before propagating its var scope's Annex B functions.
2.11 KB, patch
anba
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision bab7046ee2d8 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/tests/ecma_6/LexicalEnvironment/block-scoped-functions-annex-b-eval.js
eval("{ function f() {} }");
let f;


Backtrace:

#0  0x00000000004ad88a in js::frontend::ParseContext::Scope::propagateAndMarkAnnexBFunctionBoxes (this=this@entry=0x7ffd5eb952c0, pc=0x7ffd5eb95390) at js/src/frontend/Parser.cpp:210
#1  0x00000000004af5da in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::evalBody (this=<optimized out>, evalsc=evalsc@entry=0x7ffd5eb95910) at js/src/frontend/Parser.cpp:2158
#2  0x0000000000ab09a3 in BytecodeCompiler::compileScript (this=this@entry=0x7ffd5eb95970, environment=..., environment@entry=..., sc=sc@entry=0x7ffd5eb95910) at js/src/frontend/BytecodeCompiler.cpp:346
#3  0x0000000000ab0eea in BytecodeCompiler::compileEvalScript (enclosingScope=..., environment=..., this=0x7ffd5eb95970) at js/src/frontend/BytecodeCompiler.cpp:402
#4  js::frontend::CompileEvalScript (cx=cx@entry=0x7f560f275000, alloc=..., environment=environment@entry=..., enclosingScope=..., options=..., srcBuf=..., sourceObjectOut=0x0) at js/src/frontend/BytecodeCompiler.cpp:601
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0ad1250ede3a
user:        Shu-yu Guo
date:        Fri May 05 13:01:02 2017 -0700
summary:     Bug 1361317 - Check Annex B applicability upon Scope exit. (r=anba)

Shu-yu, is bug 1361317 a likely regressor?
Blocks: 1361317
Flags: needinfo?(shu)
Attachment #8865725 - Flags: review?(andrebargull)
Flags: needinfo?(shu)
Comment on attachment 8865725 [details] [diff] [review]
Pop eval lexical scope before propagating its var scope's Annex B functions.

Review of attachment 8865725 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8865725 - Flags: review?(andrebargull) → review+
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cf2ee5242986
Pop eval lexical scope before propagating its var scope's Annex B functions. (r=anba)
backed this out in https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=11f3f002c7f4b8bc55678ddf9a902d8d36e1015b for causing https://treeherder.mozilla.org/logviewer.html#?job_id=97937052&repo=mozilla-inbound that started at least with this push. Not sure which of 3 changes cause it, so backing it out
Flags: needinfo?(shu)
as a note, when this landed we had a performance regression:
== Change summary for alert #6493 (as of May 09 2017 22:25 UTC) ==

Regressions:

  2%  tart summary windows7-32 pgo e10s     5.23 -> 5.34

For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=6493


and when this was backed out we see:
== Change summary for alert #6493 (as of May 09 2017 22:25 UTC) ==

Regressions:

  2%  tart summary windows7-32 pgo e10s     5.23 -> 5.34

For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=6493


Please consider using talos on try before landing again:
|./mach try -b o -p win32 -u none -t svgr-e10s --rebuild 5|
(In reply to Joel Maher ( :jmaher) from comment #8)
> as a note, when this landed we had a performance regression:
> == Change summary for alert #6493 (as of May 09 2017 22:25 UTC) ==
> 
> Regressions:
> 
>   2%  tart summary windows7-32 pgo e10s     5.23 -> 5.34
> 
> For up to date results, see:
> https://treeherder.mozilla.org/perf.html#/alerts?id=6493
> 
> 
> and when this was backed out we see:
> == Change summary for alert #6493 (as of May 09 2017 22:25 UTC) ==
> 
> Regressions:
> 
>   2%  tart summary windows7-32 pgo e10s     5.23 -> 5.34
> 
> For up to date results, see:
> https://treeherder.mozilla.org/perf.html#/alerts?id=6493
> 
> 
> Please consider using talos on try before landing again:
> |./mach try -b o -p win32 -u none -t svgr-e10s --rebuild 5|

I can't imagine how this, or any of the patches in the backed out series, can cause any regressions.
Ooh, it must be because I didn't JIT compile the new nop bytecode I added in bug 1357075 as a nop, so all scripts with destructuring were accidentally blacklisted by the JITs.
Flags: needinfo?(shu)
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/accca3d23d7b
Pop eval lexical scope before propagating its var scope's Annex B functions. (r=anba)
https://hg.mozilla.org/mozilla-central/rev/accca3d23d7b
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox55: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
You need to log in before you can comment on or make changes to this bug.