Closed Bug 1547035 Opened 7 months ago Closed 7 months ago

Assertion failure: NodeType::test(*this), at js/src/frontend/ParseNode.h:727

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People

(Reporter: gkw, Assigned: khyperia)

References

(Blocks 3 open bugs, Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 07efc6e32c87 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion --enable-experimental-fields):

// Adapted from randomly chosen test: js/src/tests/test262/language/expressions/class/elements/syntax/early-errors/delete/field-delete-covered-err-delete-member-expression-private-method-gen.js
Reflect.parse("y=class{x};");

Backtrace:

#0 js::frontend::ParseNode::as<js::frontend::BinaryNode> (this=<optimized out>) at js/src/frontend/ParseNode.h:727
#1 (anonymous namespace)::ASTSerializer::statement (this=0x7ffcad179528, pn=<optimized out>, dst=...) at js/src/builtin/ReflectParse.cpp:2337
#2 0x000055a901a234c5 in (anonymous namespace)::ASTSerializer::classDefinition (this=0x7ffcad179528, pn=0x7fbf2911a708, expr=true, dst=...) at js/src/builtin/ReflectParse.cpp:2247
#3 0x000055a901a1d1f2 in (anonymous namespace)::ASTSerializer::expression (this=0x7ffcad179528, pn=0x7fbf2911a708, dst=...) at js/src/builtin/ReflectParse.cpp:3028
#4 0x000055a901a1c585 in (anonymous namespace)::ASTSerializer::expression (this=<optimized out>, pn=0x7fbf2911a748, dst=...) at js/src/builtin/ReflectParse.cpp:2728
/snip

For detailed crash information, see attachment.

Setting needinfo? from Ashley as the issue seems related to fields, as a start.

Flags: needinfo?(khyperia)

Caused by the patch for bug 1535471 :'(

tests/non262/reflect-parse/class-fields.js should have caught this, but apparently it was disabled.

Flags: needinfo?(khyperia)
Pushed by ahauck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d6c676a1ef3e
Handle AssignmentNode->BinaryNode change from bug 1535471 in Reflect.parse. r=jorendorff

(In reply to Ashley Hauck [:khyperia] from comment #3)

Caused by the patch for bug 1535471 :'(

Confirming that this is the case:

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8457ce7cc442
user: Ashley Hauck
date: Wed Apr 24 19:41:37 2019 +0000
summary: Bug 1535471 - Use JSOP_INITPROP for field initializers. r=jorendorff

Regressed by: 1535471
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Assignee: nobody → khyperia
You need to log in before you can comment on or make changes to this bug.