Closed Bug 1547130 Opened 9 months ago Closed 9 months ago

Assertion failure: !check (TDZ only needs to be checked once per binding per basic block.), at js/src/frontend/TDZCheckCache.cpp:65

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set

Tracking


RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- disabled
firefox68 --- fixed

People

(Reporter: decoder, Assigned: khyperia)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 0ec836eceb96 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --enable-experimental-fields):

[ class  { i32a = [ i32a ] = c27 } ] && class { c27 = [ c27 ] = c27 }

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::frontend::TDZCheckCache::noteTDZCheck (this=this@entry=0x7fffffffb9b0, bce=bce@entry=0x7fffffffbf60, name=<optimized out>, check=<optimized out>, check@entry=js::CheckTDZ) at js/src/frontend/TDZCheckCache.cpp:63
#1  0x0000555555f4e414 in js::frontend::EmitterScope::enterLexical (this=0x7fffffffb848, bce=bce@entry=0x7fffffffbf60, kind=kind@entry=js::ScopeKind::Lexical, bindings=bindings@entry=...) at js/src/frontend/EmitterScope.cpp:487
#2  0x0000555555f6dd80 in js::frontend::ClassEmitter::emitScope (this=this@entry=0x7fffffffb7f0, scopeBindings=..., hasName=hasName@entry=js::frontend::ClassEmitter::HasName::No) at js/src/frontend/ObjectEmitter.cpp:496
#3  0x0000555555f313af in js::frontend::BytecodeEmitter::emitClass (this=this@entry=0x7fffffffbf60, classNode=classNode@entry=0x7ffff4d02f30, nameKind=nameKind@entry=js::frontend::BytecodeEmitter::ClassNameKind::BindingName, nameForAnonymousClass=nameForAnonymousClass@entry=...) at js/src/frontend/BytecodeEmitter.cpp:8750
#4  0x0000555555f2a309 in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffbf60, pn=0x7ffff4d02f30, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:9364
#5  0x0000555555f2ad83 in js::frontend::BytecodeEmitter::emitTree (this=<optimized out>, pn=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9404
#6  0x0000555555f3670d in js::frontend::BytecodeEmitter::emitLogical (this=this@entry=0x7fffffffbf60, node=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7560
#7  0x0000555555f29f23 in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffbf60, pn=0x7ffff4d02f70, valueUsage=<optimized out>, emitLineNote=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:9063
#8  0x0000555555f2aabb in js::frontend::BytecodeEmitter::emitExpressionStatement (this=this@entry=0x7fffffffbf60, exprStmt=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:6760
#9  0x0000555555f29f63 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbf60, pn=pn@entry=0x7ffff4d02fb0, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9015
#10 0x0000555555f2ad83 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbf60, pn=pn@entry=0x7ffff4d02fb0, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9404
#11 0x0000555555f361f0 in js::frontend::BytecodeEmitter::emitStatementList (this=this@entry=0x7fffffffbf60, stmtList=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:6703
#12 0x0000555555f29fc3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbf60, pn=pn@entry=0x7ffff4d02020, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9006
#13 0x0000555555f2ad83 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbf60, pn=pn@entry=0x7ffff4d02020, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9404
#14 0x0000555555f396b4 in js::frontend::BytecodeEmitter::emitScript (this=0x7fffffffbf60, body=body@entry=0x7ffff4d02020) at js/src/frontend/BytecodeEmitter.cpp:2468
#15 0x0000555555f47432 in js::frontend::ScriptCompiler<char16_t>::compileScript (this=this@entry=0x7fffffffc3a0, info=..., environment=..., environment@entry=..., sc=sc@entry=0x7fffffffcf18) at js/src/frontend/BytecodeCompiler.cpp:565
#16 0x0000555555f39c84 in CreateGlobalScript<char16_t> (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:207
#17 0x0000555555f39e2a in js::frontend::CompileGlobalScript (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:219
#18 0x0000555555a102c6 in CompileSourceBuffer<char16_t> (cx=cx@entry=0x7ffff5f19000, options=..., srcBuf=...) at js/src/vm/CompilationAndEvaluation.cpp:69
#19 0x0000555555a1048b in CompileUtf8Inflating (cx=cx@entry=0x7ffff5f19000, options=..., srcBuf=...) at js/src/vm/CompilationAndEvaluation.cpp:91

[...]
#25 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11373
rax 0x555557c90360 93825033372512
rbx 0x7fffffffb9b0 140737488337328
rcx 0x555556bf8250 93825015972432
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffb680 140737488336512
rsp 0x7fffffffb5f0 140737488336368
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6cc0 140737354034368
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7fffffffb600 140737488336384
r13 0x7fffffffbf60 140737488338784
r14 0x7fffffffb5f8 140737488336376
r15 0x7ffff4d02f10 140737300672272
rip 0x555555f87f59 <js::frontend::TDZCheckCache::noteTDZCheck(js::frontend::BytecodeEmitter*, JSAtom*, js::MaybeCheckTDZ)+473>
=> 0x555555f87f59 <js::frontend::TDZCheckCache::noteTDZCheck(js::frontend::BytecodeEmitter*, JSAtom*, js::MaybeCheckTDZ)+473>: movl $0x0,0x0
0x555555f87f64 <js::frontend::TDZCheckCache::noteTDZCheck(js::frontend::BytecodeEmitter*, JSAtom*, js::MaybeCheckTDZ)+484>: ud2

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Error: Failed to isolate test from comment
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
JSBugMon: Bisection requested, failed due to error: Error: Failed to isolate test from comment
Assignee: nobody → khyperia
Status: NEW → ASSIGNED

This was incorrectly implemented in bug 1542448 - for a class without a
name, the .initializers variable would correctly use the class scope,
but would incorrectly use the tdzCache of the surrounding scope.
Having two distinct .initializer variables use the same tdzCache caused
the crash in this bug.
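The following is an added example, not code from the bug report or from SpiderMonkey. It shows the JavaScript-level behaviour that the emitter's TDZ checks and its per-class hidden `.initializers` binding exist to implement: a lexical binding read before initialization throws, a class name is in its TDZ while its `extends` clause is evaluated, and two anonymous classes with destructuring-assignment field initializers (the same shape as the fuzzer testcase, with observable values substituted) keep their initializers separate. Names such as `A`, `B` and `seen` are chosen here for illustration.

```javascript
// Added example (not from the bug report): the JS-level semantics behind the
// TDZ check cache and the per-class ".initializers" binding.

// A lexical binding is in its temporal dead zone (TDZ) from the start of the
// enclosing scope until its declaration runs; reading it earlier throws.
function readBeforeInit() {
  let observed;
  try {
    observed = x;          // `x` is declared below, so it is uninitialized here
  } catch (e) {
    observed = e.constructor.name;
  }
  let x = 1;               // the declaration initializes `x` and ends its TDZ
  return observed;         // "ReferenceError"
}

// The inner binding of a class name is likewise in its TDZ while the
// `extends` clause is evaluated, so a class cannot name itself as heritage.
function classNameInHeritage() {
  try {
    class C extends C {}
    return "no error";
  } catch (e) {
    return e.constructor.name;   // "ReferenceError"
  }
}

// Two anonymous classes whose field initializers are destructuring
// assignments, mirroring `class { i32a = [i32a] = c27 }` from the testcase.
// Each class scope records its own initializer list: instantiating one class
// must run only that class's initializers, never the other's.
function separateInitializers() {
  const A = class { a = [this.seen] = ["from A"]; };
  const B = class { b = [this.seen] = ["from B"]; };
  const instA = new A();
  const instB = new B();
  return {
    aField: instA.a,           // ["from A"]: an assignment expression yields its RHS
    aSeen: instA.seen,         // "from A"
    bSeen: instB.seen,         // "from B"
    noCrossTalk: instB.a === undefined && instA.b === undefined, // true
  };
}
```

The third function is the observable contract the fix protects: with the `.initializers` binding tracked in the class scope's own TDZ cache, each class evaluates exactly its own field initializers, and the debug assertion in `TDZCheckCache::noteTDZCheck` no longer sees two distinct bindings sharing one cache entry.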

Pushed by ahauck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b562a1384c61
Always use a tdzCache for class scopes. r=jorendorff
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68