1367204 - Assertion failure: !fun->infallibleIsDefaultClassConstructor(cx) || fun->compartment()->behaviors().discardSource(), at js/src/jsfun.cpp:1103

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 6dfa56094f0c (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// jsfunfuzz-generated
var x = [];
Array.prototype.push.call(x, this);
// Adapted from randomly chosen test: js/src/tests/test262/language/expressions/class/async-gen-method-yield-star-next-get-abrupt.js
evaluate("y = class {}", {
    // jsfunfuzz-generated
    sourceIsLazy: true
})
1 instanceof x;

Backtrace:

#0  js::FunctionToString (cx=cx@entry=0x7f8124272000, fun=..., prettyPrint=prettyPrint@entry=false) at js/src/jsfun.cpp:1102
#1  0x00000000009ab610 in fun_toStringHelper (cx=cx@entry=0x7f8124272000, obj=..., obj@entry=..., indent=indent@entry=32768) at js/src/jsfun.cpp:1132
#2  0x00000000009cace2 in fun_toSource (cx=0x7f8124272000, argc=<optimized out>, vp=<optimized out>) at js/src/jsfun.cpp:1185
#3  0x000000000053dc4f in js::CallJSNative (cx=cx@entry=0x7f8124272000, native=0x9cab50 <fun_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#4  0x0000000000532803 in js::InternalCallOrConstruct (cx=cx@entry=0x7f8124272000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
/snip

For detailed crash information, see attachment.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/751cc121aa3f
user:        Shu-yu Guo
date:        Mon Apr 17 19:51:34 2017 -0700
summary:     Bug 1216630 - Print class source when calling toString on the constructor. (r=Yoric)

changeset:   https://hg.mozilla.org/mozilla-central/rev/8f3e4478d23a
user:        Shu-yu Guo
date:        Mon Apr 17 19:51:35 2017 -0700
summary:     Bug 1216630 - Rename preludeStart and postludeEnd to toStringStart and toStringEnd and misc fixes. (r=Yoric)

Shu-yu, is bug 1216630 a likely regressor?

Comment 3

[Shu-yu Guo [:shu]]

I can't reproduce this crash.

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack on m-c rev 55e5723b1e62

I can still reproduce this on m-c rev 55e5723b1e62.

Full configuration command:
AR=ar sh ./configure --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Ubuntu 16.04 GCC version:

$ gcc --version
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: corefile (.tar.xz)

Core file.

Comment 6

[Shu-yu Guo [:shu]]

Attachment: Generate "[sourceless code]" for class constructors when sourceIsLazy and no source hook is set.

Comment 7

[David Teller [:Yoric] - still alive but not very active]

Comment on attachment 8873185 [details] [diff] [review]
Generate "[sourceless code]" for class constructors when sourceIsLazy and no source hook is set.

Review of attachment 8873185 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsfun.cpp
@@ +1092,5 @@
> +               (!fun->isSelfHostedBuiltin() ||
> +                fun->infallibleIsDefaultClassConstructor(cx)))
> +    {
> +        // Default class constructors should always haveSource unless source
> +        // has been discarded for the whole compartment.

I don't get how this assertion checks that `haveSource`.

Comment 8

[Shu-yu Guo [:shu]]

(In reply to David Teller [:Yoric] (please use "needinfo") from comment #7)
> Comment on attachment 8873185 [details] [diff] [review]
> Generate "[sourceless code]" for class constructors when sourceIsLazy and no
> source hook is set.
> 
> Review of attachment 8873185 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: js/src/jsfun.cpp
> @@ +1092,5 @@
> > +               (!fun->isSelfHostedBuiltin() ||
> > +                fun->infallibleIsDefaultClassConstructor(cx)))
> > +    {
> > +        // Default class constructors should always haveSource unless source
> > +        // has been discarded for the whole compartment.
> 
> I don't get how this assertion checks that `haveSource`.

Oops, that comment is stale. The new comment is:

        // Default class constructors should always haveSource except;
        //
        // 1. Source has been discarded for the whole compartment.
        //
        // 2. The source is marked as "lazy", i.e., retrieved on demand, and
        // the embedding has not provided a hook to retrieve sources.

Comment 9

[Shu-yu Guo [:shu]]

Attachment: Generate "[sourceless code]" for class constructors when sourceIsLazy and no source hook is set.

Comment 10

[Pulsebot]

Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8fcb385640fa
Generate "[sourceless code]" for class constructors when sourceIsLazy and no source hook is set. (r=Yoric)

Comment 11

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/8fcb385640fa

Comment 12

[Julien Cristau [:jcristau]]

Should we fix this in beta55?

Comment 13

[Shu-yu Guo [:shu]]

(In reply to Julien Cristau [:jcristau] from comment #12)
> Should we fix this in beta55?

I think this crash is such a corner case that it wouldn't reproduce in the wild.