Assertion failure: !isIndex(&dummy), at js/src/vm/StringType.h:1876 with class

Categories: Core :: JavaScript Engine, defect

| Tracking | Status
---|---|---
firefox67 | --- | fixed

People: Reporter: decoder, Unassigned

Details: 4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore][adv-main67-]
The following testcase crashes on mozilla-central revision 6924dd16f7b1 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
```js
class B extends class {
0 = x;
}
```
Backtrace:

```
received signal SIGSEGV, Segmentation fault.
#0 JSAtom::asPropertyName (this=0x16cb9bc00640) at js/src/vm/StringType.h:1876
#1 0x0000555555ef70fa in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::fieldInitializer (this=this@entry=0x7fffffffc9d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, propAtom=..., propAtom@entry=...) at js/src/frontend/Parser.cpp:7366
#2 0x0000555555ef811e in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classDefinition (this=this@entry=0x7fffffffc9d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, classContext=classContext@entry=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::ClassExpression, defaultHandling=defaultHandling@entry=js::frontend::NameRequired) at js/src/frontend/Parser.cpp:6998
#3 0x0000555555f02082 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::primaryExpr (this=this@entry=0x7fffffffc9d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, tt=<optimized out>, possibleError=possibleError@entry=0x0, invoked=invoked@entry=js::frontend::ParserBase::PredictUninvoked) at js/src/frontend/Parser.cpp:10254
#4 0x0000555555f0249c in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::memberExpr (this=this@entry=0x7fffffffc9d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, tt=<optimized out>, allowCallSyntax=allowCallSyntax@entry=true, possibleError=possibleError@entry=0x0, invoked=js::frontend::ParserBase::PredictUninvoked) at js/src/frontend/Parser.cpp:8841
#5 0x0000555555ef7ab2 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classDefinition (this=this@entry=0x7fffffffc9d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, classContext=classContext@entry=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::ClassStatement, defaultHandling=defaultHandling@entry=js::frontend::NameRequired) at js/src/frontend/Parser.cpp:6925
#6 0x0000555555ef85f7 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=this@entry=0x7fffffffc9d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:7858
#7 0x0000555555ef8bb1 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=this@entry=0x7fffffffc9d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3539
#8 0x0000555555f09562 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::globalBody (this=0x7fffffffc9d0, globalsc=globalsc@entry=0x7fffffffd000) at js/src/frontend/Parser.cpp:1419
#9 0x0000555555f3a900 in js::frontend::ScriptCompiler<char16_t>::compileScript (this=this@entry=0x7fffffffc4c0, info=..., environment=..., environment@entry=..., sc=sc@entry=0x7fffffffd000) at js/src/frontend/BytecodeCompiler.cpp:538
#10 0x0000555555f2d9f4 in CreateGlobalScript<char16_t> (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:207
[...]
#19 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10970
rax 0x555557c31280 93825032983168
rbx 0x16cb9bc00640 25063747225152
rcx 0x7ffff6c1c2dd 140737333281501
rdx 0x555556b02998 93825014966680
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffb1c0 140737488335296
rsp 0x7fffffffb1a0 140737488335264
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6cc0 140737354034368
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7ffff4eb40d8 140737302446296
r13 0x7fffffffb2f0 140737488335600
r14 0x7fffffffb250 140737488335440
r15 0x7fffffffb248 140737488335432
rip 0x5555558ec321 <JSAtom::asPropertyName()+113>
=> 0x5555558ec321 <JSAtom::asPropertyName()+113>: movl $0x0,0x0
0x5555558ec32c <JSAtom::asPropertyName()+124>: ud2
```
Marking s-s because this looks like the parser is going into some undefined state and the assertion doesn't look necessarily healthy. Also marking fuzzblocker because it occurs fairly often.
autobisectjs shows this is probably related to the following changeset:
```
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/49fda807b7c5
user: Ashley Hauck
date: Thu Feb 21 23:48:16 2019 +0000
summary: Bug 1499448 - Implement more field functionality. r=jorendorff
```
Ashley, is bug 1499448 a likely regressor?
Comment 2•6 years ago

I'm pretty sure this is the same issue as https://bugzilla.mozilla.org/show_bug.cgi?id=1530084 and I'm pushing the fix for that now.