1540787 - Assertion failure: bce->lookupName(name).hasKnownSlot(), at js/src/frontend/BytecodeEmitter.cpp:8397

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision c06dfc552c64 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --enable-experimental-fields):

class C {
    x = 1;
    constructor() {};
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::frontend::BytecodeEmitter::<lambda(js::frontend::BytecodeEmitter*, js::HandlePropertyName, JSOp)>::operator()(js::frontend::BytecodeEmitter *, js::HandlePropertyName, JSOp) (bce=bce@entry=0x7fffffffb6e0, name=..., op=op@entry=JSOP_FUNCTIONTHIS, __closure=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:8397
#1  0x0000555555efc7ed in js::frontend::BytecodeEmitter::emitInitializeFunctionSpecialNames (this=0x7fffffffb6e0) at js/src/frontend/BytecodeEmitter.cpp:8433
#2  0x0000555555f42350 in js::frontend::FunctionScriptEmitter::prepareForParameters (this=this@entry=0x7fffffffb320) at js/src/frontend/FunctionEmitter.cpp:430
#3  0x0000555555f0b21d in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7fffffffb6e0, funNode=funNode@entry=0x7ffff4eb3490, isTopLevel=isTopLevel@entry=js::frontend::BytecodeEmitter::TopLevelFunction::No) at js/src/frontend/BytecodeEmitter.cpp:2471
#4  0x0000555555f0dcd3 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0x7fffffffc050, funNode=funNode@entry=0x7ffff4eb3490, needsProto=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:5651
#5  0x0000555555f0e3c8 in js::frontend::BytecodeEmitter::emitClass (this=this@entry=0x7fffffffc050, classNode=classNode@entry=0x7ffff4eb3750, nameKind=nameKind@entry=js::frontend::BytecodeEmitter::ClassNameKind::BindingName, nameForAnonymousClass=nameForAnonymousClass@entry=...) at js/src/frontend/BytecodeEmitter.cpp:8580
#6  0x0000555555f078f9 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc050, pn=pn@entry=0x7ffff4eb3750, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9152
#7  0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc050, pn=pn@entry=0x7ffff4eb3750, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#8  0x0000555555f13010 in js::frontend::BytecodeEmitter::emitStatementList (this=this@entry=0x7fffffffc050, stmtList=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:6609
#9  0x0000555555f074f3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc050, pn=pn@entry=0x7ffff4eb3020, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8794
#10 0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc050, pn=pn@entry=0x7ffff4eb3020, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#11 0x0000555555f164c4 in js::frontend::BytecodeEmitter::emitScript (this=0x7fffffffc050, body=body@entry=0x7ffff4eb3020) at js/src/frontend/BytecodeEmitter.cpp:2423
#12 0x0000555555f24032 in js::frontend::ScriptCompiler<char16_t>::compileScript (this=this@entry=0x7fffffffc460, info=..., environment=..., environment@entry=..., sc=sc@entry=0x7fffffffcfa0) at js/src/frontend/BytecodeCompiler.cpp:553
#13 0x0000555555f16a94 in CreateGlobalScript<char16_t> (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:207
#14 0x0000555555f16c3a in js::frontend::CompileGlobalScript (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:219
#15 0x0000555555a033c5 in CompileSourceBuffer<char16_t> (cx=cx@entry=0x7ffff5f17000, options=..., srcBuf=..., script=...) at js/src/vm/CompilationAndEvaluation.cpp:70
[...]
#22 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11276
rax	0x555557c22240	93825032921664
rbx	0x3a32b5e25600	63989474285056
rcx	0x555556b95998	93825015568792
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffb180	140737488335232
rsp	0x7fffffffb120	140737488335136
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffffb6e0	140737488336608
r13	0xb9	185
r14	0x7ffff5f45308	140737319817992
r15	0x7fffffffb320	140737488335648
rip	0x555555efc6e9 <js::frontend::BytecodeEmitter::<lambda(js::frontend::BytecodeEmitter*, js::HandlePropertyName, JSOp)>::operator()(js::frontend::BytecodeEmitter *, js::HandlePropertyName, JSOp)+249>
=> 0x555555efc6e9 <js::frontend::BytecodeEmitter::<lambda(js::frontend::BytecodeEmitter*, js::HandlePropertyName, JSOp)>::operator()(js::frontend::BytecodeEmitter *, js::HandlePropertyName, JSOp)+249>:	movl   $0x0,0x0
   0x555555efc6f4 <js::frontend::BytecodeEmitter::<lambda(js::frontend::BytecodeEmitter*, js::HandlePropertyName, JSOp)>::operator()(js::frontend::BytecodeEmitter *, js::HandlePropertyName, JSOp)+260>:	ud2

Comment 1

[Ashley Hauck [:khyperia]]

Attachment: Bug 1540787 - Always declare .this in constructors.

Comment 2

[Pulsebot]

Pushed by ahauck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/afb947a236be
Always declare .this in constructors. r=jorendorff

Comment 3

[Bogdan Tara[:bogdan_tara | bogdant]]

https://hg.mozilla.org/mozilla-central/rev/afb947a236be