Closed Bug 1540789 Opened 5 months ago Closed 4 months ago

Assertion failure: loc->kind() != NameLocation::Kind::FrameSlot, at js/src/frontend/EmitterScope.cpp:326

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- disabled
firefox68 --- fixed

People

(Reporter: decoder, Assigned: khyperia)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

The following testcase crashes on mozilla-central revision c06dfc552c64 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --enable-experimental-fields):

class C {
    y = () => this.x;
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::frontend::EmitterScope::searchAndCache (this=this@entry=0x7fffffffa458, bce=<optimized out>, bce@entry=0x7fffffffa7c0, name=name@entry=0x186cf7f25600) at js/src/frontend/EmitterScope.cpp:326
#1  0x0000555555f2ab68 in js::frontend::EmitterScope::lookup (this=0x7fffffffa458, bce=bce@entry=0x7fffffffa7c0, name=name@entry=0x186cf7f25600) at js/src/frontend/EmitterScope.cpp:1077
#2  0x0000555555effac4 in js::frontend::BytecodeEmitter::lookupName (name=0x186cf7f25600, this=0x7fffffffa7c0) at js/src/frontend/BytecodeEmitter.cpp:163
#3  js::frontend::BytecodeEmitter::emitGetName (name=0x186cf7f25600, this=0x7fffffffa7c0) at js/src/frontend/BytecodeEmitter.h:626
#4  js::frontend::BytecodeEmitter::emitGetFunctionThis (this=0x7fffffffa7c0, offset=...) at js/src/frontend/BytecodeEmitter.cpp:5800
#5  0x0000555555effc46 in js::frontend::BytecodeEmitter::emitGetFunctionThis (this=0x7fffffffa7c0, thisName=0x7ffff4eb32d8) at js/src/frontend/BytecodeEmitter.cpp:5789
#6  0x0000555555f07a98 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffa7c0, pn=0x7ffff4eb3308, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9134
#7  0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffa7c0, pn=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#8  0x0000555555f137a3 in js::frontend::BytecodeEmitter::emitPropLHS (this=this@entry=0x7fffffffa7c0, prop=prop@entry=0x7ffff4eb3370) at js/src/frontend/BytecodeEmitter.cpp:1784
#9  0x0000555555f075ec in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffa7c0, pn=<optimized out>, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8975
#10 0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffa7c0, pn=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#11 0x0000555555f11976 in js::frontend::BytecodeEmitter::emitReturn (this=0x7fffffffa7c0, returnNode=0x7ffff4eb33a8) at js/src/frontend/BytecodeEmitter.cpp:5871
#12 0x0000555555f07803 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffa7c0, pn=pn@entry=0x7ffff4eb33a8, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:8758
#13 0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffa7c0, pn=pn@entry=0x7ffff4eb33a8, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#14 0x0000555555f15f1f in js::frontend::BytecodeEmitter::emitLexicalScopeBody (this=this@entry=0x7fffffffa7c0, body=body@entry=0x7ffff4eb33a8, emitLineNote=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:4763
#15 0x0000555555f199a5 in js::frontend::BytecodeEmitter::emitLexicalScope (this=this@entry=0x7fffffffa7c0, lexicalScope=0x7ffff4eb33e0) at js/src/frontend/BytecodeEmitter.cpp:4822
#16 0x0000555555f0771b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffa7c0, pn=0x7ffff4eb33e0, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9018
#17 0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffa7c0, pn=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#18 0x0000555555f0b35a in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7fffffffa7c0, funNode=funNode@entry=0x7ffff4eb31c8, isTopLevel=isTopLevel@entry=js::frontend::BytecodeEmitter::TopLevelFunction::No) at js/src/frontend/BytecodeEmitter.cpp:2486
#19 0x0000555555f0dcd3 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0x7fffffffb4d0, funNode=0x7ffff4eb31c8, needsProto=needsProto@entry=false) at js/src/frontend/BytecodeEmitter.cpp:5651
#20 0x0000555555f07315 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffb4d0, pn=pn@entry=0x7ffff4eb31c8, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8665
#21 0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffb4d0, pn=pn@entry=0x7ffff4eb31c8, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#22 0x0000555555f182fe in EmitAssignmentRhs (offset=2 '\002', rhs=0x7ffff4eb31c8, bce=0x7fffffffb4d0) at js/src/frontend/BytecodeEmitter.cpp:4031
#23 js::frontend::BytecodeEmitter::emitAssignment (this=this@entry=0x7fffffffb4d0, lhs=0x7ffff4eb34f0, compoundOp=JSOP_NOP, rhs=0x7ffff4eb31c8) at js/src/frontend/BytecodeEmitter.cpp:4274
#24 0x0000555555f07c04 in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffb4d0, pn=0x7ffff4eb3528, valueUsage=<optimized out>, emitLineNote=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:8834
#25 0x0000555555f080a3 in js::frontend::BytecodeEmitter::emitExpressionStatement (this=this@entry=0x7fffffffb4d0, exprStmt=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:6666
#26 0x0000555555f07493 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffb4d0, pn=pn@entry=0x7ffff4eb3560, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8803
#27 0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffb4d0, pn=pn@entry=0x7ffff4eb3560, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#28 0x0000555555f13010 in js::frontend::BytecodeEmitter::emitStatementList (this=this@entry=0x7fffffffb4d0, stmtList=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:6609
#29 0x0000555555f074f3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffb4d0, pn=pn@entry=0x7ffff4eb3598, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:8794
#30 0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffb4d0, pn=pn@entry=0x7ffff4eb3598, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#31 0x0000555555f15f1f in js::frontend::BytecodeEmitter::emitLexicalScopeBody (this=this@entry=0x7fffffffb4d0, body=body@entry=0x7ffff4eb3598, emitLineNote=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:4763
#32 0x0000555555f199a5 in js::frontend::BytecodeEmitter::emitLexicalScope (this=this@entry=0x7fffffffb4d0, lexicalScope=0x7ffff4eb35d8) at js/src/frontend/BytecodeEmitter.cpp:4822
#33 0x0000555555f0771b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffb4d0, pn=0x7ffff4eb35d8, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9018
#34 0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffb4d0, pn=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#35 0x0000555555f0b35a in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7fffffffb4d0, funNode=funNode@entry=0x7ffff4eb30d0, isTopLevel=isTopLevel@entry=js::frontend::BytecodeEmitter::TopLevelFunction::No) at js/src/frontend/BytecodeEmitter.cpp:2486
#36 0x0000555555f0dcd3 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0x7fffffffc030, funNode=0x7ffff4eb30d0, needsProto=needsProto@entry=false) at js/src/frontend/BytecodeEmitter.cpp:5651
#37 0x0000555555f07315 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc030, pn=0x7ffff4eb30d0, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8665
#38 0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc030, pn=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#39 0x0000555555f08a23 in js::frontend::BytecodeEmitter::emitCreateFieldInitializers (this=this@entry=0x7fffffffc030, obj=obj@entry=0x7ffff4eb3060) at js/src/frontend/BytecodeEmitter.cpp:7973
#40 0x0000555555f0f09c in js::frontend::BytecodeEmitter::emitPropertyList (this=this@entry=0x7fffffffc030, obj=obj@entry=0x7ffff4eb3060, pe=..., type=type@entry=js::frontend::ClassBody) at js/src/frontend/BytecodeEmitter.cpp:7834
#41 0x0000555555f0e404 in js::frontend::BytecodeEmitter::emitClass (this=this@entry=0x7fffffffc030, classNode=classNode@entry=0x7ffff4eb39c0, nameKind=nameKind@entry=js::frontend::BytecodeEmitter::ClassNameKind::BindingName, nameForAnonymousClass=nameForAnonymousClass@entry=...) at js/src/frontend/BytecodeEmitter.cpp:8601
#42 0x0000555555f078f9 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc030, pn=pn@entry=0x7ffff4eb39c0, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9152
#43 0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc030, pn=pn@entry=0x7ffff4eb39c0, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#44 0x0000555555f13010 in js::frontend::BytecodeEmitter::emitStatementList (this=this@entry=0x7fffffffc030, stmtList=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:6609
#45 0x0000555555f074f3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc030, pn=pn@entry=0x7ffff4eb3020, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8794
#46 0x0000555555f08373 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc030, pn=pn@entry=0x7ffff4eb3020, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9192
#47 0x0000555555f164c4 in js::frontend::BytecodeEmitter::emitScript (this=0x7fffffffc030, body=body@entry=0x7ffff4eb3020) at js/src/frontend/BytecodeEmitter.cpp:2423
#48 0x0000555555f24032 in js::frontend::ScriptCompiler<char16_t>::compileScript (this=this@entry=0x7fffffffc440, info=..., environment=..., environment@entry=..., sc=sc@entry=0x7fffffffcf80) at js/src/frontend/BytecodeCompiler.cpp:553
#49 0x0000555555f16a94 in CreateGlobalScript<char16_t> (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:207
#50 0x0000555555f16c3a in js::frontend::CompileGlobalScript (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:219
#51 0x0000555555a033c5 in CompileSourceBuffer<char16_t> (cx=cx@entry=0x7ffff5f17000, options=..., srcBuf=..., script=...) at js/src/vm/CompilationAndEvaluation.cpp:70
[...]
#58 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11276
Priority: -- → P1
Assignee: nobody → khyperia
Status: NEW → ASSIGNED
Pushed by ahauck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/78d0aff2fdc1
Correctly scope .this in field initializers. r=jorendorff
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
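The testcase above crashed the bytecode emitter while resolving `this` inside an arrow function in a class field initializer, and the landed fix is described as correctly scoping `.this` in field initializers. As an added example (not code from the bug report or from SpiderMonkey), the checks below spell out the `this` semantics that a field initializer must provide, so the behaviour can be verified in any engine with class-field support; the class and field names are constructed for illustration.

```javascript
// Constructed example: the `this` binding that class field initializers
// must observe. Class bodies are always strict-mode code.
class Base {
  x = 1;
  // Arrow function in a field initializer: `this` is captured lexically
  // from the initializer scope, i.e. the instance under construction.
  getX = () => this.x;
  // A regular function expression has its own `this`; called without a
  // receiver it is undefined in strict mode.
  plainFn = function () { return this; };
  // Initializers run in declaration order, so later fields see earlier ones.
  doubled = this.x * 2;
  constructor() {
    // Fields are already initialized when the constructor body runs.
    this.seenInCtor = this.getX();
  }
}

class Derived extends Base {
  // In a derived class, fields are initialized right after super()
  // returns, so `this` here already carries the base-class fields.
  fromBase = () => this.doubled;
  constructor() {
    super();
    this.x = 10; // later mutation: the arrow still reads the live instance
  }
}

// Returns a map of named checks; every value should be true.
function checkFieldThis() {
  const b = new Base();
  const d = new Derived();
  const detachedArrow = d.getX;      // extracting the arrow keeps `this`
  const detachedPlain = b.plainFn;   // extracting a plain function does not
  return {
    arrowSeesInstance: b.getX() === 1,
    plainFnThisUndefined: detachedPlain() === undefined,
    orderedInit: b.doubled === 2,
    initBeforeCtorBody: b.seenInCtor === 1,
    derivedSeesBaseFields: d.fromBase() === 2,
    arrowTracksLiveInstance: detachedArrow() === 10,
    perInstanceClosures: b.getX !== d.getX,
  };
}
```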