Assertion failure: !redeclaredKind, at js/src/frontend/Parser.cpp:210

RESOLVED FIXED in Firefox 55

Status

()

--
critical
RESOLVED FIXED
2 years ago
a year ago

People

(Reporter: gkw, Assigned: shu)

Tracking

(Blocks: 2 bugs, {assertion, jsbugmon, testcase})

Trunk
mozilla55
x86_64
Linux
assertion, jsbugmon, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox53 unaffected, firefox54 unaffected, firefox55 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision bab7046ee2d8 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/tests/ecma_6/LexicalEnvironment/block-scoped-functions-annex-b-eval.js
eval("{ function f() {} }");
let f;


Backtrace:

#0  0x00000000004ad88a in js::frontend::ParseContext::Scope::propagateAndMarkAnnexBFunctionBoxes (this=this@entry=0x7ffd5eb952c0, pc=0x7ffd5eb95390) at js/src/frontend/Parser.cpp:210
#1  0x00000000004af5da in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::evalBody (this=<optimized out>, evalsc=evalsc@entry=0x7ffd5eb95910) at js/src/frontend/Parser.cpp:2158
#2  0x0000000000ab09a3 in BytecodeCompiler::compileScript (this=this@entry=0x7ffd5eb95970, environment=..., environment@entry=..., sc=sc@entry=0x7ffd5eb95910) at js/src/frontend/BytecodeCompiler.cpp:346
#3  0x0000000000ab0eea in BytecodeCompiler::compileEvalScript (enclosingScope=..., environment=..., this=0x7ffd5eb95970) at js/src/frontend/BytecodeCompiler.cpp:402
#4  js::frontend::CompileEvalScript (cx=cx@entry=0x7f560f275000, alloc=..., environment=environment@entry=..., enclosingScope=..., options=..., srcBuf=..., sourceObjectOut=0x0) at js/src/frontend/BytecodeCompiler.cpp:601
/snip

For detailed crash information, see attachment.
(Reporter)

Comment 1

2 years ago
Created attachment 8865636 [details]
Detailed Crash Information
(Reporter)

Comment 2

2 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0ad1250ede3a
user:        Shu-yu Guo
date:        Fri May 05 13:01:02 2017 -0700
summary:     Bug 1361317 - Check Annex B applicability upon Scope exit. (r=anba)

Shu-yu, is bug 1361317 a likely regressor?
Blocks: 1361317
Flags: needinfo?(shu)
(Assignee)

Comment 3

2 years ago
Created attachment 8865725 [details] [diff] [review]
Pop eval lexical scope before propagating its var scope's Annex B functions.
(Assignee)

Updated

2 years ago
Attachment #8865725 - Flags: review?(andrebargull)
(Assignee)

Updated

2 years ago
Flags: needinfo?(shu)
Comment on attachment 8865725 [details] [diff] [review]
Pop eval lexical scope before propagating its var scope's Annex B functions.

Review of attachment 8865725 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8865725 - Flags: review?(andrebargull) → review+

Comment 5

2 years ago
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cf2ee5242986
Pop eval lexical scope before propagating its var scope's Annex B functions. (r=anba)
backed this out in https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=11f3f002c7f4b8bc55678ddf9a902d8d36e1015b for causing https://treeherder.mozilla.org/logviewer.html#?job_id=97937052&repo=mozilla-inbound that started at least with this push. Not sure which of 3 changes cause it, so backing it out
Flags: needinfo?(shu)
as a note, when this landed we had a performance regression:
== Change summary for alert #6493 (as of May 09 2017 22:25 UTC) ==

Regressions:

  2%  tart summary windows7-32 pgo e10s     5.23 -> 5.34

For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=6493


and when this was backed out we see:
== Change summary for alert #6493 (as of May 09 2017 22:25 UTC) ==

Regressions:

  2%  tart summary windows7-32 pgo e10s     5.23 -> 5.34

For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=6493


Please consider using talos on try before landing again:
|./mach try -b o -p win32 -u none -t svgr-e10s --rebuild 5|
(Assignee)

Comment 9

2 years ago
(In reply to Joel Maher ( :jmaher) from comment #8)
> as a note, when this landed we had a performance regression:
> == Change summary for alert #6493 (as of May 09 2017 22:25 UTC) ==
> 
> Regressions:
> 
>   2%  tart summary windows7-32 pgo e10s     5.23 -> 5.34
> 
> For up to date results, see:
> https://treeherder.mozilla.org/perf.html#/alerts?id=6493
> 
> 
> and when this was backed out we see:
> == Change summary for alert #6493 (as of May 09 2017 22:25 UTC) ==
> 
> Regressions:
> 
>   2%  tart summary windows7-32 pgo e10s     5.23 -> 5.34
> 
> For up to date results, see:
> https://treeherder.mozilla.org/perf.html#/alerts?id=6493
> 
> 
> Please consider using talos on try before landing again:
> |./mach try -b o -p win32 -u none -t svgr-e10s --rebuild 5|

I can't imagine how this, or any of the patches in the backed out series, can cause any regressions.
(Assignee)

Comment 10

2 years ago
Ooh, it must be because I didn't JIT compile the new nop bytecode I added in bug 1357075 as a nop, so all scripts with destructuring were accidentally blacklisted by the JITs.
Flags: needinfo?(shu)

Comment 11

2 years ago
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/accca3d23d7b
Pop eval lexical scope before propagating its var scope's Annex B functions. (r=anba)

Comment 12

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/accca3d23d7b
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox55: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Assignee: nobody → shu
status-firefox53: --- → unaffected
status-firefox54: --- → unaffected
status-firefox-esr52: --- → unaffected
You need to log in before you can comment on or make changes to this bug.