Closed Bug 1555979 Opened 5 years ago Closed 5 years ago

Assertion failure: !node->isEmptyScope(), at js/src/frontend/FullParseHandler.h:484 with class

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- fixed

People

(Reporter: gkw, Assigned: khyperia)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 909f78f4ebae (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/class/classconstructor.js
(function() {
    "use asm";
    function f() {
        class X {
            constructor() {};
        }
    }
})();

Backtrace:

#0 js::frontend::FullParseHandler::deleteConstructorScope (this=<optimized out>, cx=<optimized out>, memberList=<optimized out>) at js/src/frontend/FullParseHandler.h:484
#1 0x000056493d79cbe8 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::finishClassConstructor (this=<optimized out>, classStmt=..., className=..., hasHeritage=<optimized out>, classStartOffset=0, classEndOffset=0, numFields=0, classMembers=@0x7ffc5ccae4c0: 0x7fc2b8202388) at js/src/frontend/Parser.cpp:6997
#2 0x000056493d78a061 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classDefinition (this=<optimized out>, yieldHandling=<optimized out>, classContext=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::ClassStatement, defaultHandling=js::frontend::NameRequired) at js/src/frontend/Parser.cpp:7109
#3 0x000056493d784ae3 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=<optimized out>, yieldHandling=<optimized out>, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:7969
#4 0x000056493d782df5 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=<optimized out>, yieldHandling=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3447
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/4ee40acc8b60
user: Ashley Hauck
date: Tue May 28 16:59:14 2019 +0000
summary: Bug 1553744 - Delete .initalizers scope for constructors in classes without fields. r=jorendorff

Ashley, is bug 1553744 a likely regressor?

Flags: needinfo?(khyperia)
Regressed by: 1553744

Ugh, yep. I'm guessing asm.js is doing really strange things here.

(The fix is really simple and I already have it implemented, but I want to root cause it to figure out why use asm causes the constructor scope to be empty, considering we unconditionally add .initializers whenever we create the scope https://searchfox.org/mozilla-central/rev/7556a400affa9eb99e522d2d17c40689fa23a729/js/src/frontend/Parser.cpp#6892 )

Assignee: nobody → khyperia
Status: NEW → ASSIGNED
Flags: needinfo?(khyperia)
Priority: -- → P1

Right, I think use asm is just weird. There's no .initializers in the scope right out of the gate, finishLexicalScope in that code just returns an empty scope. Suure.
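The following is an added regression sweep written for this page; it is not part of the bug report or of the SpiderMonkey tree. It takes the reporter's testcase shape (a class inside a function nested in a "use asm" function) and varies the two things the fix turns on: whether the class has an explicit constructor with no fields, and whether the "use asm" directive is present. Each variant is only compiled, never run. On an affected debug SpiderMonkey build the constructor-without-fields variants under "use asm" would trip the assertion; on a fixed build, or on any other engine, every variant must compile cleanly. The variant labels and the helper names below are this example's own.

```javascript
// Added example, not from the bug: sweep variants of the reported testcase
// through the engine's parser and record whether each compiles.

// Class bodies to embed. The keys are labels chosen for this example.
const CLASS_BODIES = {
  // the reported shape: explicit constructor, no class fields
  ctorNoFields: "class X { constructor() {} }",
  // a field keeps the .initializers scope in use, so it is never deleted
  ctorWithField: "class X { y = 1; constructor() {} }",
  // no explicit constructor: the parser synthesizes a default one
  noCtor: "class X { m() {} }",
  // derived class: constructor handling differs from the base-class path
  derived: "class X extends Object { constructor() { super(); } }",
};

// Wrap a class body in the reported context: an IIFE that optionally carries
// the "use asm" directive, with the class inside a nested function f().
function makeTestcase(body, useAsm) {
  const directive = useAsm ? '"use asm";' : "";
  return `(function() { ${directive} function f() { ${body} } })();`;
}

// Compile a source string without executing it. Returns null when the
// parser accepts the source, otherwise the name of the thrown error
// (e.g. "SyntaxError"). new Function goes through the same frontend as eval.
function compileOnly(src) {
  try {
    new Function(src);
    return null;
  } catch (e) {
    return e.name;
  }
}

// Compile every class body with and without "use asm".
// Returns an object mapping "<variant>/<asm|plain>" to the compile result.
function sweep() {
  const results = {};
  for (const [name, body] of Object.entries(CLASS_BODIES)) {
    for (const useAsm of [false, true]) {
      const label = `${name}/${useAsm ? "asm" : "plain"}`;
      results[label] = compileOnly(makeTestcase(body, useAsm));
    }
  }
  return results;
}

// True when no variant produced a parse error (the expected state after the fix).
function allCompiled() {
  return Object.values(sweep()).every((r) => r === null);
}

// Print a one-line summary when run directly, e.g. with `js` or `node`.
for (const [label, result] of Object.entries(sweep())) {
  console.log(`${label}: ${result === null ? "ok" : result}`);
}
```

Run it under the fixed shell (`js --fuzzing-safe --no-threads --no-baseline --no-ion`, as in the report) and every line should read "ok". Outside SpiderMonkey the "use asm" directive is just an ignored string literal, so the sweep only confirms the variants are valid JavaScript.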

Type: task → defect
Pushed by ahauck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4ea4bed3417d
Don't assume the constructor scope has .initializers in it. r=jorendorff
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
