Closed
Bug 1504719
Opened 6 years ago
Closed 6 years ago
Assertion failure: v.isUndefined(), at js/src/vm/StringType.cpp:2276 with globalLexicals
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla65
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox63 | --- | unaffected |
| firefox64 | --- | unaffected |
| firefox65 | --- | fixed |
People
(Reporter: decoder, Assigned: jandem)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
The following testcase crashes on mozilla-central revision d2963b5a2897 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
try {
evaluate(`
y;
let x = 500;
`);
} catch (exc) {}
var obj = globalLexicals();
assertEq(obj.x, 500);
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555555c28af0 in js::ToStringSlow<(js::AllowGC)1> (cx=0x7ffff5f18000, arg=...) at js/src/vm/StringType.cpp:2276
#0 0x0000555555c28af0 in js::ToStringSlow<(js::AllowGC)1> (cx=0x7ffff5f18000, arg=...) at js/src/vm/StringType.cpp:2276
#1 0x0000555555c17576 in js::ToString<(js::AllowGC)1> (v=..., cx=<optimized out>) at js/src/vm/StringType.h:1749
#2 js::ValueToSource (cx=<optimized out>, cx@entry=0x7ffff5f18000, v=...) at js/src/vm/StringType.cpp:2360
#3 0x0000555555d1850d in JS_ValueToSource (cx=0x7ffff5f18000, value=...) at js/src/jsapi.cpp:398
#4 0x0000555555808010 in ToSource (cx=<optimized out>, vp=..., bytes=0x7fffffffc978) at js/src/shell/js.cpp:2722
#5 0x0000555555808213 in AssertEq (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:2754
#6 0x00005555558ac175 in CallJSNative (cx=0x7ffff5f18000, native=0x5555558080f0 <AssertEq(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:468
[...]
#20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10962
rax 0x0 0
rbx 0x7ffff5f18000 140737319632896
rcx 0x7ffff6c1c2dd 140737333281501
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffc6f0 140737488340720
rsp 0x7fffffffc690 140737488340624
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6cc0 140737354034368
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0xfff9800000000000 -1829587348619264
r13 0x7fffffdfdc71 140737486249073
r14 0x7ffff48380b0 140737295646896
r15 0x7ffff5f7d800 140737320048640
rip 0x555555c28af0 <js::ToStringSlow<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType)+832>
=> 0x555555c28af0 <js::ToStringSlow<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType)+832>: movl $0x0,0x0
0x555555c28afb <js::ToStringSlow<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType)+843>: ud2
This is shell-only, so not s-s.
|
Assignee | |
Comment 1•6 years ago
|
||
Uninitialized lexicals. I should have thought of that..
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 2•6 years ago
|
||
Also uses JS_DefinePropertyById instead of JS_SetPropertyById because it's more natural.
Pushed by jandemooij@gmail.com: https://hg.mozilla.org/integration/autoland/rev/d55c49b76be1 Ignore uninitialized lexicals in globalLexicals() testing function. r=jorendorff
|
||
Comment 4•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/d55c49b76be1
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
|
||
Updated•6 years ago
|
Blocks: 1503586
status-firefox63:
--- → unaffected
status-firefox64:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•