Closed Bug 1363191 Opened 8 years ago Closed 8 years ago

Assertion failure: !redeclaredKind, at js/src/frontend/Parser.cpp:210

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 --- fixed

People

(Reporter: gkw, Assigned: shu)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
8.83 KB, text/plain
Details
Pop eval lexical scope before propagating its var scope's Annex B functions.
2.11 KB, patch
anba
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision bab7046ee2d8 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion): // Adapted from randomly chosen test: js/src/tests/ecma_6/LexicalEnvironment/block-scoped-functions-annex-b-eval.js eval("{ function f() {} }"); let f; Backtrace: #0 0x00000000004ad88a in js::frontend::ParseContext::Scope::propagateAndMarkAnnexBFunctionBoxes (this=this@entry=0x7ffd5eb952c0, pc=0x7ffd5eb95390) at js/src/frontend/Parser.cpp:210 #1 0x00000000004af5da in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::evalBody (this=<optimized out>, evalsc=evalsc@entry=0x7ffd5eb95910) at js/src/frontend/Parser.cpp:2158 #2 0x0000000000ab09a3 in BytecodeCompiler::compileScript (this=this@entry=0x7ffd5eb95970, environment=..., environment@entry=..., sc=sc@entry=0x7ffd5eb95910) at js/src/frontend/BytecodeCompiler.cpp:346 #3 0x0000000000ab0eea in BytecodeCompiler::compileEvalScript (enclosingScope=..., environment=..., this=0x7ffd5eb95970) at js/src/frontend/BytecodeCompiler.cpp:402 #4 js::frontend::CompileEvalScript (cx=cx@entry=0x7f560f275000, alloc=..., environment=environment@entry=..., enclosingScope=..., options=..., srcBuf=..., sourceObjectOut=0x0) at js/src/frontend/BytecodeCompiler.cpp:601 /snip For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/0ad1250ede3a user: Shu-yu Guo date: Fri May 05 13:01:02 2017 -0700 summary: Bug 1361317 - Check Annex B applicability upon Scope exit. (r=anba) Shu-yu, is bug 1361317 a likely regressor?
Blocks: 1361317
Flags: needinfo?(shu)
Attachment #8865725 - Flags: review?(andrebargull)
Flags: needinfo?(shu)
Comment on attachment 8865725 [details] [diff] [review] Pop eval lexical scope before propagating its var scope's Annex B functions. Review of attachment 8865725 [details] [diff] [review]: ----------------------------------------------------------------- Thanks!
Attachment #8865725 - Flags: review?(andrebargull) → review+
Pushed by shu@rfrn.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/cf2ee5242986 Pop eval lexical scope before propagating its var scope's Annex B functions. (r=anba)
backed this out in https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=11f3f002c7f4b8bc55678ddf9a902d8d36e1015b for causing https://treeherder.mozilla.org/logviewer.html#?job_id=97937052&repo=mozilla-inbound that started at least with this push. Not sure which of 3 changes cause it, so backing it out
Flags: needinfo?(shu)
as a note, when this landed we had a performance regression: == Change summary for alert #6493 (as of May 09 2017 22:25 UTC) == Regressions: 2% tart summary windows7-32 pgo e10s 5.23 -> 5.34 For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=6493 and when this was backed out we see: == Change summary for alert #6493 (as of May 09 2017 22:25 UTC) == Regressions: 2% tart summary windows7-32 pgo e10s 5.23 -> 5.34 For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=6493 Please consider using talos on try before landing again: |./mach try -b o -p win32 -u none -t svgr-e10s --rebuild 5|
(In reply to Joel Maher ( :jmaher) from comment #8) > as a note, when this landed we had a performance regression: > == Change summary for alert #6493 (as of May 09 2017 22:25 UTC) == > > Regressions: > > 2% tart summary windows7-32 pgo e10s 5.23 -> 5.34 > > For up to date results, see: > https://treeherder.mozilla.org/perf.html#/alerts?id=6493 > > > and when this was backed out we see: > == Change summary for alert #6493 (as of May 09 2017 22:25 UTC) == > > Regressions: > > 2% tart summary windows7-32 pgo e10s 5.23 -> 5.34 > > For up to date results, see: > https://treeherder.mozilla.org/perf.html#/alerts?id=6493 > > > Please consider using talos on try before landing again: > |./mach try -b o -p win32 -u none -t svgr-e10s --rebuild 5| I can't imagine how this, or any of the patches in the backed out series, can cause any regressions.
Ooh, it must be because I didn't JIT compile the new nop bytecode I added in bug 1357075 as a nop, so all scripts with destructuring were accidentally blacklisted by the JITs.
Flags: needinfo?(shu)
Pushed by shu@rfrn.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/accca3d23d7b Pop eval lexical scope before propagating its var scope's Annex B functions. (r=anba)
https://hg.mozilla.org/mozilla-central/rev/accca3d23d7b
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox55: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: