Closed
Bug 1364573
Opened 7 years ago
Closed 7 years ago
Assertion failure: !fun->infallibleIsDefaultClassConstructor(cx) || fun->compartment()->behaviors().discardSource(), at js/src/jsfun.cpp:1096
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED FIXED (mozilla55)

| Version | Tracking | Status |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox53 | --- | unaffected |
| firefox54 | --- | unaffected |
| firefox55 | --- | fixed |
People
(Reporter: gkw, Assigned: shu)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])
Attachments (2 files)
- 12.74 KB, text/plain
- 1.22 KB, patch (arai: review+)
The following testcase crashes on mozilla-central revision 96b36c5f527d (build with --enable-debug --enable-more-deterministic --without-intl-api, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

```js
// Adapted from randomly chosen test: js/src/tests/test262/language/expressions/class/dstr-async-gen-meth-static-dflt-ary-ptrn-elem-obj-prop-id-init.js
var x = class {};
// jsfunfuzz-generated
relazifyFunctions();
this();
```

Backtrace:

```
#0 js::FunctionToString (cx=cx@entry=0x7f90c9b75000, fun=..., prettyPrint=prettyPrint@entry=false) at js/src/jsfun.cpp:1095
#1 0x000000000099a940 in fun_toStringHelper (cx=cx@entry=0x7f90c9b75000, obj=..., obj@entry=..., indent=indent@entry=32768) at js/src/jsfun.cpp:1125
#2 0x00000000009b9592 in fun_toSource (cx=0x7f90c9b75000, argc=<optimized out>, vp=<optimized out>) at js/src/jsfun.cpp:1178
#3 0x0000000000535fef in js::CallJSNative (cx=cx@entry=0x7f90c9b75000, native=0x9b9400 <fun_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#4 0x000000000052ad53 in js::InternalCallOrConstruct (cx=cx@entry=0x7f90c9b75000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
/snip
```

For detailed crash information, see attachment.
Comment 1 • 7 years ago (Reporter)

Comment 2 • 7 years ago (Reporter)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e1a5bcc62058
user: Shu-yu Guo
date: Thu May 11 20:54:35 2017 -0700
summary: Bug 1359622 - Fix assert for calling Function.toString on class constructors when the compartment has had source discarded. (r=Yoric)

Shu-yu, is bug 1359622 a likely regressor?

(Setting [fuzzblocker] because this is happening fairly often)
Comment 3 • 7 years ago (Assignee)
Because of the wacko way we handle toString offsets for class default constructors, those offsets cannot be recovered if we relazify the functions. Luckily there's no reason to relazify them: their JSScripts are very small, either a single 'retrval' for non-derived, and still fairly small for derived.
Attachment #8867940 - Flags: review?(arai.unmht)
Updated • 7 years ago (Assignee)
Assignee: nobody → shu
Flags: needinfo?(shu)
Updated • 7 years ago
Attachment #8867940 - Flags: review?(arai.unmht) → review+
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/9aa66595bf51
Don't relazify class default constructors. (r=arai)
Comment 5 • 7 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/9aa66595bf51
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated • 7 years ago
status-firefox53: --- → unaffected
status-firefox54: --- → unaffected
status-firefox-esr52: --- → unaffected