Closed Bug 1530084 Opened 8 months ago Closed 8 months ago

Crash [@ JSString::flags] with ES6 Classes

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox67 --- fixed

People

(Reporter: gkw, Assigned: khyperia)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 6924dd16f7b1 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/tests/test262/language/expressions/class/fields-init-value-defined-after-class.js
let z = class {
  [x] = 0;
}

Backtrace:

#0 JSString::flags (this=0x0) at js/src/vm/StringType.h:397
#1 JSString::isLinear (this=0x0) at js/src/vm/StringType.h:484
#2 JSString::isFlat (this=0x0) at js/src/vm/StringType.h:504
#3 JSFlatString::isIndex (this=0x0, indexp=<optimized out>) at js/src/vm/StringType.h:992
#4 JSAtom::asPropertyName (this=0x0) at js/src/vm/StringType.h:1876
#5 0x000055dee2b9eca1 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::fieldInitializer (this=0x7ffc52ebef70, yieldHandling=(unknown: 1484419736), propAtom=...) at js/src/frontend/Parser.cpp:7366
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/49fda807b7c5
user: Ashley Hauck
date: Thu Feb 21 23:48:16 2019 +0000
summary: Bug 1499448 - Implement more field functionality. r=jorendorff

Setting [fuzzblocker] as this is happening very often. Ashley, is bug 1499448 a likely regressor?

Blocks: es-fields
Flags: needinfo?(khyperia)
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]

> Ashley, is bug 1499448 a likely regressor?

Yeah, very likely. Just added a patch that should fix it (it's a very quick fix patch, not the proper fix, which would take much more time).

Flags: needinfo?(khyperia)
Pushed by ahauck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/57f2a3550faf
Don't crash on unsupported syntax when fields are disabled. r=jorendorff
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Assignee: nobody → khyperia

Can we land the testcase for this also?

Flags: needinfo?(khyperia)

(Clearing needinfo due to patch above)

Flags: needinfo?(khyperia)
Duplicate of this bug: 1530148
Pushed by ahauck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/eb9d835ce817
Add testcase for unimplemented fields not crashing. r=jorendorff