Closed Bug 1542108 Opened 5 years ago Closed 5 years ago

Assertion failure: env == cx->global() || env == &cx->global()->lexicalEnvironment() || env->is<RuntimeLexicalErrorObject>(), at js/src/vm/Interpreter-inl.h:315

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- disabled
firefox68 --- fixed

People

(Reporter: gkw, Unassigned)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:])

Attachments

(1 file)

Detailed Crash Information
6.03 KB, text/plain
Details

The following testcase crashes on mozilla-central revision aa4c97d22712 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion --enable-experimental-fields):

// Adapted from randomly chosen test: js/src/tests/test262/language/expressions/class/elements/private-derived-cls-direct-eval-err-contains-supercall-2.js
let A = class {}
var a = class extends A {
    x;
}

Backtrace:

#0 js::SetNameOperation (cx=0x7f7ca0419000, script=0xaa5839b2a60, pc=0x7f7ca0448853 "\233\001", env=..., val=...) at js/src/vm/Interpreter-inl.h:311
#1 0x0000555b17429ed9 in Interpret (cx=<optimized out>, state=...) at js/src/vm/Interpreter.cpp:2823
#2 0x0000555b17422c5d in js::RunScript (cx=0x7f7ca0419000, state=...) at js/src/vm/Interpreter.cpp:422
#3 0x0000555b1743847a in js::ExecuteKernel (cx=<optimized out>, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=0x0) at js/src/vm/Interpreter.cpp:781
#4 0x0000555b174388be in js::Execute (cx=0x7f7ca0419000, script=..., envChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:814
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7a1ad6647c22
user: Jason Orendorff
date: Tue Mar 12 19:14:57 2019 +0000
summary: Bug 1529758 - Add a pref for fields. r=tcampbell

Blocks: pi-es-class-fields
Regressed by: 1529758
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Error: Failed to isolate test from comment

This is fixed in master. Likely fixed by bug 1534721. Not adding a testcase because fields in classes with extends was a very known problem to crash before that bug landed, and so we already have lots of tests similar to this one.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
Resolution: WORKSFORME → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: