Assertion failure: !node->isEmptyScope(), at js/src/frontend/FullParseHandler.h:484 with class
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking

| | Tracking | Status |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox67 | --- | unaffected |
| firefox68 | --- | unaffected |
| firefox69 | --- | fixed |
People
(Reporter: gkw, Assigned: khyperia)
References
(Regression)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 909f78f4ebae (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
    // Adapted from randomly chosen test: js/src/jit-test/tests/class/classconstructor.js
    (function() {
      "use asm";
      function f() {
        class X {
          constructor() {};
        }
      }
    })();
Backtrace:
#0 js::frontend::FullParseHandler::deleteConstructorScope (this=<optimized out>, cx=<optimized out>, memberList=<optimized out>) at js/src/frontend/FullParseHandler.h:484
#1 0x000056493d79cbe8 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::finishClassConstructor (this=<optimized out>, classStmt=..., className=..., hasHeritage=<optimized out>, classStartOffset=0, classEndOffset=0, numFields=0, classMembers=@0x7ffc5ccae4c0: 0x7fc2b8202388) at js/src/frontend/Parser.cpp:6997
#2 0x000056493d78a061 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classDefinition (this=<optimized out>, yieldHandling=<optimized out>, classContext=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::ClassStatement, defaultHandling=js::frontend::NameRequired) at js/src/frontend/Parser.cpp:7109
#3 0x000056493d784ae3 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=<optimized out>, yieldHandling=<optimized out>, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:7969
#4 0x000056493d782df5 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=<optimized out>, yieldHandling=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3447
/snip
For detailed crash information, see attachment.
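As an added example (not part of the bug report and not code from the SpiderMonkey tree): a small Python triage helper of the kind used to sort fuzzer findings like this one. It runs a debug js shell on a testcase with the flags quoted in the report, then classifies the result as an assertion failure, a signal crash, a clean run or an ordinary error, extracting the assertion condition, its file:line and the innermost backtrace frame. The shell path and testcase path are assumptions; the sample stderr used in the self-check is built from the assertion line and backtrace quoted above.

```python
"""Triage helper for SpiderMonkey fuzz findings (added example, not the report's own tooling)."""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Flags quoted in the report for the deterministic debug shell run.
FUZZ_FLAGS = ["--fuzzing-safe", "--no-threads", "--no-baseline", "--no-ion"]

# MOZ_ASSERT output has the shape "Assertion failure: <cond>, at <file>:<line>".
ASSERT_RE = re.compile(r"^Assertion failure: (?P<cond>.+?), at (?P<loc>\S+)$", re.M)
# gdb-style frames: "#0 func (...)" or "#1 0x... in func (...)".
FRAME_RE = re.compile(r"^#(?P<n>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+)", re.M)


@dataclass
class Triage:
    kind: str                 # "assertion", "crash", "error", "clean" or "timeout"
    condition: Optional[str]  # failed assertion condition, if any
    location: Optional[str]   # file:line of the assertion, if any
    top_frame: Optional[str]  # innermost backtrace function, if a backtrace was printed


def classify(stderr: str, returncode: int) -> Triage:
    """Classify one shell run from its stderr and exit status."""
    m = ASSERT_RE.search(stderr)
    frames = FRAME_RE.findall(stderr)
    top = frames[0][1] if frames else None
    if m:
        # A debug assertion aborts the shell; report it regardless of the signal.
        return Triage("assertion", m.group("cond"), m.group("loc"), top)
    if returncode < 0 or returncode > 128:
        # subprocess reports death-by-signal as a negative code; shells may use 128+N.
        return Triage("crash", None, None, top)
    if returncode != 0:
        return Triage("error", None, None, top)
    return Triage("clean", None, None, None)


def run_testcase(js_shell: str, testcase_path: str, timeout: int = 60) -> Triage:
    """Run a testcase under the debug shell. js_shell is assumed, e.g. "./js"."""
    try:
        proc = subprocess.run([js_shell, *FUZZ_FLAGS, testcase_path],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return Triage("timeout", None, None, None)
    return classify(proc.stderr, proc.returncode)


# Sample stderr assembled from the assertion line and backtrace quoted in the report.
SAMPLE_STDERR = (
    "Assertion failure: !node->isEmptyScope(), at js/src/frontend/FullParseHandler.h:484\n"
    "#0 js::frontend::FullParseHandler::deleteConstructorScope (this=<optimized out>) "
    "at js/src/frontend/FullParseHandler.h:484\n"
    "#1 0x000056493d79cbe8 in js::frontend::GeneralParser<js::frontend::FullParseHandler, "
    "char16_t>::finishClassConstructor (this=<optimized out>) at js/src/frontend/Parser.cpp:6997\n"
)


if __name__ == "__main__":
    # Offline self-check against the constructed sample; -11 mimics SIGSEGV from subprocess.
    print(classify(SAMPLE_STDERR, -11))
    # Real use (paths are assumptions): print(run_testcase("./js", "testcase.js"))
```

The `kind` field is what a triage queue keys on: "assertion" and "crash" findings get filed with the condition and top frame as the signature, "error" is usually a syntax or runtime error in the generated testcase and can be discarded, and "clean" means the reproducer no longer fires on the build under test.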
Comment 1•5 years ago (Reporter)
Comment 2•5 years ago (Reporter)
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/4ee40acc8b60
user: Ashley Hauck
date: Tue May 28 16:59:14 2019 +0000
summary: Bug 1553744 - Delete .initializers scope for constructors in classes without fields. r=jorendorff
Ashley, is bug 1553744 a likely regressor?
Updated•5 years ago
Comment 3•5 years ago (Assignee)
Ugh, yep. I'm guessing asm.js is doing really strange things here.
(The fix is really simple and I already have it implemented, but I want to root cause it to figure out why `use asm` causes the constructor scope to be empty, considering we unconditionally add .initializers whenever we create the scope https://searchfox.org/mozilla-central/rev/7556a400affa9eb99e522d2d17c40689fa23a729/js/src/frontend/Parser.cpp#6892 )
Updated•5 years ago
Comment 4•5 years ago (Assignee)
Right, I think `use asm` is just weird. There's no .initializers in the scope right out of the gate, finishLexicalScope in that code just returns an empty scope. Suure.
Comment 5•5 years ago (Assignee)
Updated•5 years ago
Pushed by ahauck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4ea4bed3417d Don't assume the constructor scope has .initializers in it. r=jorendorff
Comment 7•5 years ago (bugherder)
Updated•5 years ago