Closed
Bug 1593415
Opened 5 years ago
Closed 5 years ago
Assertion failure: false, at js/src/builtin/ReflectParse.cpp:3092 with nullish coalescing
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla72
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox70 | --- | unaffected |
| firefox71 | --- | unaffected |
| firefox72 | --- | fixed |
People
(Reporter: gkw, Assigned: yulia)
References
(Regression)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 518df4329a20 (build with --enable-debug --disable-optimize, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
// Adapted from randomly chosen test: js/src/tests/test262/language/expressions/coalesce/short-circuit-number-string.js
Reflect.parse("x ?? x");
Backtrace:
#0 0x0000555be8d09e53 in (anonymous namespace)::ASTSerializer::expression (this=0x7fff44862a10, pn=0x7f440431a0c0, dst=...) at js/src/builtin/ReflectParse.cpp:3092
#1 0x0000555be8d01fdc in (anonymous namespace)::ASTSerializer::statement (this=0x7fff44862a10, pn=0x7f440431a100, dst=...) at js/src/builtin/ReflectParse.cpp:2281
#2 0x0000555be8d01c6a in (anonymous namespace)::ASTSerializer::sourceElement (this=0x7fff44862a10, pn=0x7f440431a100, dst=...) at js/src/builtin/ReflectParse.cpp:1896
#3 0x0000555be8d01add in (anonymous namespace)::ASTSerializer::statements (this=0x7fff44862a10, stmtList=0x7f440431a020, elts=...) at js/src/builtin/ReflectParse.cpp:1846
#4 0x0000555be8d00f8b in (anonymous namespace)::ASTSerializer::program (this=0x7fff44862a10, node=0x7f440431a020, dst=...) at js/src/builtin/ReflectParse.cpp:1891
#5 0x0000555be8cdcd40 in reflect_parse (cx=0x7f4404527000, argc=1, vp=0x7f44042fd0a0) at js/src/builtin/ReflectParse.cpp:3692
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•5 years ago
|
||
|
|
Reporter | |
Comment 2•5 years ago
|
||
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/28aa763e7834
user: yulia
date: Thu Oct 31 17:16:31 2019 +0000
summary: Bug 1566141 - Nullish coalesce operator tokens r=jorendorff
Yulia, is bug 1566141 a likely regressor?
Flags: needinfo?(ystartsev)
|
|
Reporter | |
Updated•5 years ago
|
Summary: Assertion failure: false, at js/src/builtin/ReflectParse.cpp:3092 → Assertion failure: false, at js/src/builtin/ReflectParse.cpp:3092 with nullish coalescing
|
Assignee | |
Comment 3•5 years ago
|
||
Yes, bug 1566141 is the regressor here, thanks for the catch.
Flags: needinfo?(ystartsev)
|
|
Assignee | |
Comment 4•5 years ago
|
||
|
||
Updated•5 years ago
|
Priority: -- → P1
Pushed by ystartsev@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f004d41231db
fix reflection for nullish coalescing; r=jorendorff
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
|
||
Updated•5 years ago
|
Assignee: nobody → ystartsev
|
||
Comment 7•5 years ago
|
||
Can we land a test for this?
status-firefox70:
--- → unaffected
status-firefox71:
--- → unaffected
status-firefox-esr68:
--- → unaffected
Flags: needinfo?(ystartsev)
Flags: in-testsuite?
|
|
Assignee | |
Comment 8•5 years ago
|
||
I am at a conference this week but i will look into that once I am back.
|
|
Assignee | |
Comment 9•5 years ago
|
||
|
||
Comment 11•5 years ago
|
||
Pushed by ystartsev@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b35b1431e4e2
add test and refine reflection for nullish coalescing r=jorendorff
|
|
||
Comment 12•5 years ago
|
||
| bugherder | ||
You need to log in
before you can comment on or make changes to this bug.
Description
•