Closed Bug 1551454 Opened 6 years ago Closed 6 years ago

Assertion failure: !isIndex(&dummy), at js/src/vm/StringType.h:1945

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- disabled
firefox68 --- disabled
firefox69 --- fixed

People

(Reporter: decoder, Assigned: khyperia)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision cb5734727c0a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --enable-experimental-fields):

class C53 extends A2 {
  1 = eval();
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  JSAtom::asPropertyName (this=0xbf401100660) at js/src/vm/StringType.h:1945
#1  NextEnvironmentShape (shape=..., stackBase=..., slot=<optimized out>, bindKind=<optimized out>, name=..., cx=0x7ffff5f19000) at js/src/vm/Scope.cpp:112
#2  CreateEnvironmentShape (cx=<optimized out>, cx@entry=0x7ffff5f19000, bi=..., cls=<optimized out>, numSlots=<optimized out>, baseShapeFlags=baseShapeFlags@entry=24) at js/src/vm/Scope.cpp:133
#3  0x0000555555bfc581 in PrepareScopeData<js::LexicalScope> (cls=<optimized out>, baseShapeFlags=24, envShape=..., data=..., bi=..., cx=0x7ffff5f19000) at js/src/vm/Scope.cpp:190
#4  js::LexicalScope::createWithData (cx=<optimized out>, cx@entry=0x7ffff5f19000, kind=kind@entry=js::ScopeKind::StrictNamedLambda, data=data@entry=..., firstFrameSlot=firstFrameSlot@entry=16777216, enclosing=..., enclosing@entry=...) at js/src/vm/Scope.cpp:564
#5  0x0000555555c07de5 in js::LexicalScope::create (cx=cx@entry=0x7ffff5f19000, kind=<optimized out>, data=..., data@entry=..., firstFrameSlot=firstFrameSlot@entry=16777216, enclosing=enclosing@entry=...) at js/src/vm/Scope.cpp:547
#6  0x0000555555f57a52 in js::frontend::EmitterScope::<lambda(JSContext*, js::HandleScope)>::operator() (enclosing=..., cx=0x7ffff5f19000, __closure=<synthetic pointer>) at js/src/frontend/EmitterScope.cpp:558
#7  js::frontend::EmitterScope::internScope<js::frontend::EmitterScope::enterNamedLambda(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)::<lambda(JSContext*, js::HandleScope)> > (createScope=..., bce=0x7fffffffb490, this=0x7fffffffb0d0) at js/src/frontend/EmitterScope.cpp:340
#8  js::frontend::EmitterScope::enterNamedLambda (this=this@entry=0x7fffffffb0d0, bce=0x7fffffffb490, funbox=0x7ffff4db2148) at js/src/frontend/EmitterScope.cpp:560
#9  0x0000555555f68f73 in js::frontend::FunctionScriptEmitter::prepareForParameters (this=this@entry=0x7fffffffb0c0) at js/src/frontend/FunctionEmitter.cpp:388
#10 0x0000555555f359e6 in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7fffffffb490, funNode=funNode@entry=0x7ffff4db2108, isTopLevel=isTopLevel@entry=js::frontend::BytecodeEmitter::TopLevelFunction::No) at js/src/frontend/BytecodeEmitter.cpp:2490
#11 0x0000555555f38c34 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0x7fffffffbfe0, funNode=0x7ffff4db2108, needsProto=needsProto@entry=false, classContentsIfConstructor=classContentsIfConstructor@entry=0x0) at js/src/frontend/BytecodeEmitter.cpp:5712
#12 0x0000555555f32c47 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbfe0, pn=0x7ffff4db2108, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8851
#13 0x0000555555f33be3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbfe0, pn=<optimized out>, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9378
#14 0x0000555555f33e54 in js::frontend::BytecodeEmitter::emitCreateFieldInitializers (this=this@entry=0x7fffffffbfe0, obj=obj@entry=0x7ffff4db2090) at js/src/frontend/BytecodeEmitter.cpp:8048
#15 0x0000555555f3b15c in js::frontend::BytecodeEmitter::emitPropertyList (this=this@entry=0x7fffffffbfe0, obj=obj@entry=0x7ffff4db2090, pe=..., type=type@entry=js::frontend::ClassBody) at js/src/frontend/BytecodeEmitter.cpp:7904
#16 0x0000555555f39239 in js::frontend::BytecodeEmitter::emitClass (this=this@entry=0x7fffffffbfe0, classNode=classNode@entry=0x7ffff4db2968, nameKind=nameKind@entry=js::frontend::BytecodeEmitter::ClassNameKind::BindingName, nameForAnonymousClass=nameForAnonymousClass@entry=...) at js/src/frontend/BytecodeEmitter.cpp:8787
#17 0x0000555555f33169 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbfe0, pn=pn@entry=0x7ffff4db2968, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9338
[...]
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11371
rax	0x555557c9d980	93825033427328
rbx	0x7ffff5f19000	140737319636992
rcx	0x555556b4d310	93825015272208
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffac70	140737488333936
rsp	0x7fffffffab40	140737488333632
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0xbf401100660	13142617753184
r13	0x555555b10730	93824998246192
r14	0x7fffffffad10	140737488334096
r15	0x7fffffffabf0	140737488333808
rip	0x555555bfb0f2 <CreateEnvironmentShape(JSContext*, js::BindingIter&, js::Class const*, uint32_t, uint32_t)+1410>
=> 0x555555bfb0f2 <CreateEnvironmentShape(JSContext*, js::BindingIter&, js::Class const*, uint32_t, uint32_t)+1410>:	movl   $0x0,0x0
   0x555555bfb0fd <CreateEnvironmentShape(JSContext*, js::BindingIter&, js::Class const*, uint32_t, uint32_t)+1421>:	ud2
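The testcase above is the smallest shape the fuzzer found: a class field whose key is a numeric literal, initialized by an expression, so the engine has to create an initializer lambda for a field named by an index rather than an identifier. As an added regression check (this is not code from the bug report or from SpiderMonkey; it assumes a JavaScript runtime with class-field support, and the helper names fieldReport, runAll and indexInitializerSeesThis are chosen here), the following script exercises the same construct across every kind of non-identifier key, including a direct eval in the initializer as in the testcase, and returns the resulting own properties so a caller can assert that each field parsed, ran its initializer with the instance as `this`, and landed under the expected key.

```javascript
// Added regression check, not part of bug 1551454 or of SpiderMonkey.
// Class fields whose key is not an identifier: the field initializer is
// compiled into a lambda, and the bug was that this lambda was given the
// field's index as its name. Every class below must parse and initialize.

// Constructed sample classes, one per key kind. Each initializer is a real
// expression (not a constant) so the initializer lambda actually runs.
class Base {
  base = "base";
}

class IndexKey extends Base {
  1 = eval("this.base + ':1'"); // numeric key plus direct eval, like the testcase
  0x10 = 8 * 2;                 // hex literal; the property key canonicalises to "16"
}

class StringKey extends Base {
  "2" = 2 * 21;                 // string key that looks like an array index
  "not an identifier" = true;   // string key that is not an index at all
}

const dyn = "3"; // constructed value for the computed keys below
class ComputedKey extends Base {
  [dyn] = dyn.length;           // computed key, evaluated once at class definition
  [`${dyn}${dyn}`] = "33";
}

class StaticKey {
  static 4 = "static index";    // static field with an index key
  static ["5"] = "computed static";
}

// Collect the own property names (integer-like keys first, ascending, then
// strings in insertion order, per OrdinaryOwnPropertyKeys) and their values.
function fieldReport(target) {
  const keys = Object.getOwnPropertyNames(target);
  const values = {};
  for (const k of keys) values[k] = target[k];
  return { keys, values };
}

// Instantiate each class and return one report per key kind.
function runAll() {
  return {
    index: fieldReport(new IndexKey()),
    string: fieldReport(new StringKey()),
    computed: fieldReport(new ComputedKey()),
    static: fieldReport(StaticKey),
  };
}

// The initializer for an index-keyed field must be called with the instance
// as `this`; with a direct eval inside, that `this` has to reach the eval code.
function indexInitializerSeesThis() {
  return new IndexKey()[1] === "base:1";
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runAll(), null, 2));
  console.log("index initializer sees this:", indexInitializerSeesThis());
}
```

Each class is deliberately small so that a failure, whether a parse error or a wrong `this` inside the initializer, points at exactly one key kind; a fuzzer-found case like the one in this bug is cheapest to keep fixed when the regression test isolates the construct rather than the whole original input.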
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Error: Failed to isolate test from comment
Whiteboard: [jsbugmon:bisect] → [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7a1ad6647c22
user: Jason Orendorff
date: Tue Mar 12 19:14:57 2019 +0000
summary: Bug 1529758 - Add a pref for fields. r=tcampbell

This iteration took 506.403 seconds to run.
Flags: needinfo?(khyperia)
Regressed by: 1529758

Looks like things get grumpy when you name a function something that's not a name - fields were essentially doing function 1(){} for the initializer lambda.

Assignee: nobody → khyperia
Status: NEW → ASSIGNED
Flags: needinfo?(khyperia)
Attachment #9065470 - Attachment description: Bug 1551454 - Don't name field initializer lambdas with an index. → Bug 1551454 - Don't name field initializer lambdas.
Priority: -- → P1
Pushed by ahauck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/586ea3b71700 Don't name field initializer lambdas. r=jorendorff
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Has Regression Range: --- → yes