Assertion failure: !fun->infallibleIsDefaultClassConstructor(cx) || fun->compartment()->behaviors().discardSource(), at js/src/jsfun.cpp:1096

RESOLVED FIXED in Firefox 55

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 months ago
4 months ago

People

(Reporter: gkw, Assigned: shu)

Tracking

(Blocks: 2 bugs, {assertion, jsbugmon, testcase})

Trunk
mozilla55
x86_64
Linux
assertion, jsbugmon, testcase
Points:
---

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox53 unaffected, firefox54 unaffected, firefox55 fixed)

Details

(Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

5 months ago
The following testcase crashes on mozilla-central revision 96b36c5f527d (build with --enable-debug --enable-more-deterministic --without-intl-api, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/tests/test262/language/expressions/class/dstr-async-gen-meth-static-dflt-ary-ptrn-elem-obj-prop-id-init.js
var x = class {};
// jsfunfuzz-generated
relazifyFunctions();
this();

Backtrace:

#0  js::FunctionToString (cx=cx@entry=0x7f90c9b75000, fun=..., prettyPrint=prettyPrint@entry=false) at js/src/jsfun.cpp:1095
#1  0x000000000099a940 in fun_toStringHelper (cx=cx@entry=0x7f90c9b75000, obj=..., obj@entry=..., indent=indent@entry=32768) at js/src/jsfun.cpp:1125
#2  0x00000000009b9592 in fun_toSource (cx=0x7f90c9b75000, argc=<optimized out>, vp=<optimized out>) at js/src/jsfun.cpp:1178
#3  0x0000000000535fef in js::CallJSNative (cx=cx@entry=0x7f90c9b75000, native=0x9b9400 <fun_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#4  0x000000000052ad53 in js::InternalCallOrConstruct (cx=cx@entry=0x7f90c9b75000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
/snip

For detailed crash information, see attachment.
(Reporter)

Comment 1

5 months ago
Created attachment 8867356 [details]
Detailed Crash Information
(Reporter)

Comment 2

5 months ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/e1a5bcc62058
user:        Shu-yu Guo
date:        Thu May 11 20:54:35 2017 -0700
summary:     Bug 1359622 - Fix assert for calling Function.toString on class constructors when the compartment has had source discarded. (r=Yoric)

Shu-yu, is bug 1359622 a likely regressor? (Setting [fuzzblocker] because this is happening fairly often)
Blocks: 1359622
Flags: needinfo?(shu)
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
(Assignee)

Comment 3

5 months ago
Created attachment 8867940 [details] [diff] [review]
Don't relazify class default constructors.

Because of the wacko way we handle toString offsets for class default
constructors, those offsets cannot be recovered if we relazify the
functions.

Luckily there's no reason to relazify them; their JSScripts are very
small: a single 'retrval' for non-derived, and still fairly small
for derived.
Attachment #8867940 - Flags: review?(arai.unmht)
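As an added illustration (not part of the bug, the patch, or SpiderMonkey's own code) of the behaviour comment 3 is about: Function.prototype.toString on a class default constructor has to report the entire class source text, even though the engine synthesises the constructor, which is why its source offsets are special-cased and cannot be recovered from a relazified function. The snippet runs in any modern engine (Node or the SpiderMonkey shell); the `relazifyFunctions()` shell-only testing hook from the testcase is deliberately not used, and the helper names are my own.

```javascript
// Added example, not from the bug report or from SpiderMonkey.
// Three constructed class expressions: a non-derived default constructor,
// a derived default constructor, and a class with an explicit constructor.
const NonDerived = class {};
const Derived = class extends NonDerived {};
const Explicit = class { constructor() { this.x = 1; } };

// Function.prototype.toString on a class constructor returns the source text
// of the whole class definition (required since ES2019), including the
// "class ... {}" wrapper, not just a constructor body.
function sourceOf(ctor) {
  return Function.prototype.toString.call(ctor);
}

// Hypothetical helper: classify a constructor purely from its reported source.
// A default constructor shows up as class text with no "constructor(" in it,
// which is the case whose offsets the fix in comment 3 stops relazifying.
function classifyConstructor(ctor) {
  const src = sourceOf(ctor);
  return {
    isClass: /^class\b/.test(src),
    isDerived: /^class\s+(\w+\s+)?extends\b/.test(src),
    hasExplicitConstructor: /\bconstructor\s*\(/.test(src),
    source: src,
  };
}

// Calling toString repeatedly must keep returning the same text; the assertion
// in this bug fired because that source could no longer be located after
// relazification in a compartment with discarded source.
function toStringIsStable(ctor, rounds = 3) {
  const first = sourceOf(ctor);
  for (let i = 0; i < rounds; i++) {
    if (sourceOf(ctor) !== first) return false;
  }
  return true;
}

for (const c of [NonDerived, Derived, Explicit]) {
  console.log(classifyConstructor(c));
}
```

The interesting observation is that `NonDerived` and `Derived` report `class {}` and `class extends NonDerived {}` respectively: there is no constructor text of their own, so the engine must remember where the enclosing class source begins and ends, which is exactly the information a relazified function no longer carries.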
(Assignee)

Updated

5 months ago
Assignee: nobody → shu
Flags: needinfo?(shu)

Updated

5 months ago
Attachment #8867940 - Flags: review?(arai.unmht) → review+

Comment 4

5 months ago
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/9aa66595bf51
Don't relazify class default constructors. (r=arai)

Comment 5

5 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/9aa66595bf51
Status: NEW → RESOLVED
Last Resolved: 5 months ago
status-firefox55: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
status-firefox53: --- → unaffected
status-firefox54: --- → unaffected
status-firefox-esr52: --- → unaffected
Duplicate of this bug: 1367989