Closed Bug 1364573 Opened 3 years ago Closed 3 years ago

Assertion failure: !fun->infallibleIsDefaultClassConstructor(cx) || fun->compartment()->behaviors().discardSource(), at js/src/jsfun.cpp:1096

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla55
Tracking Status
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 --- fixed

People

(Reporter: gkw, Assigned: shu)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, jsbugmon, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 96b36c5f527d (build with --enable-debug --enable-more-deterministic --without-intl-api, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/tests/test262/language/expressions/class/dstr-async-gen-meth-static-dflt-ary-ptrn-elem-obj-prop-id-init.js
var x = class {};  // class with a default (synthesized) constructor
// jsfunfuzz-generated
relazifyFunctions();  // JS shell testing function: drops compiled scripts so functions get re-parsed lazily on next use
this();

Backtrace:

#0  js::FunctionToString (cx=cx@entry=0x7f90c9b75000, fun=..., prettyPrint=prettyPrint@entry=false) at js/src/jsfun.cpp:1095
#1  0x000000000099a940 in fun_toStringHelper (cx=cx@entry=0x7f90c9b75000, obj=..., obj@entry=..., indent=indent@entry=32768) at js/src/jsfun.cpp:1125
#2  0x00000000009b9592 in fun_toSource (cx=0x7f90c9b75000, argc=<optimized out>, vp=<optimized out>) at js/src/jsfun.cpp:1178
#3  0x0000000000535fef in js::CallJSNative (cx=cx@entry=0x7f90c9b75000, native=0x9b9400 <fun_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#4  0x000000000052ad53 in js::InternalCallOrConstruct (cx=cx@entry=0x7f90c9b75000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/e1a5bcc62058
user:        Shu-yu Guo
date:        Thu May 11 20:54:35 2017 -0700
summary:     Bug 1359622 - Fix assert for calling Function.toString on class constructors when the compartment has had source discarded. (r=Yoric)

Shu-yu, is bug 1359622 a likely regressor? (Setting [fuzzblocker] because this is happening fairly often)
Blocks: 1359622
Flags: needinfo?(shu)
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Because of the wacko way we handle toString offsets for class default
constructors, those offsets cannot be recovered if we relazify the
functions.

Luckily there's no reason to relazify them; their JSScripts are very
small: either a single 'retrval' for non-derived, and still fairly small
for derived.
Attachment #8867940 - Flags: review?(arai.unmht)
Assignee: nobody → shu
Flags: needinfo?(shu)
Attachment #8867940 - Flags: review?(arai.unmht) → review+
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/9aa66595bf51
Don't relazify class default constructors. (r=arai)
https://hg.mozilla.org/mozilla-central/rev/9aa66595bf51
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Duplicate of this bug: 1367989