Closed Bug 1542115 Opened 5 years ago Closed 5 years ago

Assertion failure: bce_->stackDepth == loopDepth_ (the stack must be balanced around the for-of body), at js/src/frontend/ForOfEmitter.cpp:222

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- disabled
firefox68 --- fixed

People

(Reporter: gkw, Unassigned)

References

(Regression)

Details

(4 keywords)

Attachments

(1 file)

Detailed Crash Information
9.14 KB, text/plain
Details

The following testcase crashes on mozilla-central revision aa4c97d22712 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion --enable-experimental-fields):

// jsfunfuzz-generated
for (let l of []) {
    // Adapted from randomly chosen test: js/src/tests/test262/language/statements/class/elements/private-derived-cls-direct-eval-err-contains-superproperty-1.js
    class C extends A {
        x = "";
    }
}

Backtrace:

#0 js::frontend::ForOfEmitter::emitEnd (this=0x7fff2dfb8570, iteratedPos=...) at js/src/frontend/ForOfEmitter.cpp:221
#1 0x000055eb07e6ef55 in js::frontend::BytecodeEmitter::emitForOf (this=0x7fff2dfb8a60, forOfLoop=0x7f8a163a9978, headLexicalEmitterScope=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:5343
#2 0x000055eb07e6d9ff in js::frontend::BytecodeEmitter::emitLexicalScope (this=0x7fff2dfb8a60, lexicalScope=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:4818
#3 0x000055eb07e61a1c in js::frontend::BytecodeEmitter::emitTree (this=0x7fff2dfb8a60, pn=0x7f8a163a99e0, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9018
#4 0x000055eb07e61cf6 in js::frontend::BytecodeEmitter::emitStatementList (this=<optimized out>, stmtList=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:6609
/snip

For detailed crash information, see attachment.

Blocks: pi-es-class-fields
Regressed by: 1529758
Whiteboard: [jsbugmon:update]

This is fixed in master. Likely fixed by bug 1534721. Not adding a testcase because fields in classes with extends was a very known problem to crash before that bug landed, and so we already have lots of tests similar to this one.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: