Assertion failure: (lazy & MatchedFlagsMask) == (nonLazy & MatchedFlagsMask), at frontend/BytecodeCompiler.cpp:977
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
Version | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox71 | --- | unaffected
firefox72 | --- | unaffected
firefox73 | --- | fixed
People
(Reporter: decoder, Assigned: tcampbell)
References
(Regression)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20191217-83fc8cf83221 (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):
var lfLogBuffer = `
class TestEvalArrow extends class {} {
constructor() {
eval("(() => this)()");
}
}
new TestEvalArrow();
`;
let lfMod = parseModule(lfLogBuffer);
lfMod.declarationInstantiation();
lfMod.evaluation();
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00005555561774e3 in js::frontend::CompileLazyFunction(JSContext*, JS::Handle<js::LazyScript*>, char16_t const*, unsigned long) ()
#0 0x00005555561774e3 in js::frontend::CompileLazyFunction(JSContext*, JS::Handle<js::LazyScript*>, char16_t const*, unsigned long) ()
#1 0x0000555555c1124a in JSFunction::delazifyLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) ()
#2 0x00005555557b0c2e in JSFunction::getOrCreateScript(JSContext*, JS::Handle<JSFunction*>) ()
#3 0x00005555558dfe3f in Interpret(JSContext*, js::RunState&) ()
#4 0x00005555558d5711 in js::RunScript(JSContext*, js::RunState&) ()
#5 0x00005555558edd75 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) ()
#6 0x0000555555953990 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) ()
#7 0x0000555555954be1 in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#8 0x00005555558df494 in Interpret(JSContext*, js::RunState&) ()
#9 0x00005555558d5711 in js::RunScript(JSContext*, js::RunState&) ()
#10 0x00005555558edd75 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) ()
#11 0x00005555558ee3cd in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) ()
#12 0x00005555559948f4 in js::ModuleObject::execute(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::Value>) ()
#13 0x0000555555d53d80 in intrinsic_ExecuteModule(JSContext*, unsigned int, JS::Value*) ()
#14 0x00005555558eb6e2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#25 0x000055555576ec31 in main ()
rax 0x555556f20e89 93825019285129
rbx 0x7fffffff92f0 140737488327408
rcx 0x555557ef8838 93825035896888
rdx 0x0 0
rsi 0x7ffff6efd770 140737336301424
rdi 0x7ffff6efc540 140737336296768
rbp 0x7fffffff9fd0 140737488330704
rsp 0x7fffffff91a0 140737488327072
r8 0x7ffff6efd770 140737336301424
r9 0x7ffff7f98d00 140737353714944
r10 0x58 88
r11 0x7ffff6ba47a0 140737332791200
r12 0x7ffff4900020 140737296465952
r13 0x0 0
r14 0x7fffffff93d0 140737488327632
r15 0x7fffffffa070 140737488330864
rip 0x5555561774e3 <js::frontend::CompileLazyFunction(JSContext*, JS::Handle<js::LazyScript*>, char16_t const*, unsigned long)+3923>
=> 0x5555561774e3 <_ZN2js8frontend19CompileLazyFunctionEP9JSContextN2JS6HandleIPNS_10LazyScriptEEEPKDsm+3923>: movl $0x3d1,0x0
0x5555561774ee <_ZN2js8frontend19CompileLazyFunctionEP9JSContextN2JS6HandleIPNS_10LazyScriptEEEPKDsm+3934>: callq 0x5555557f345e <abort>
Marking s-s until investigated.
Comment 1 • 5 years ago
Eval scripts inside modules should still be considered non-module code. Checking the scope-chain was the wrong way to determine if in module. I'll fix how the flag is computed.
(Note the assert was added a few hours later in Bug 1604064)
Comment 2 • 5 years ago
Clearing s-s. The flag is only computed wrong after the script is compiled, and then it isn't checked. It is still a footgun, which is why the assert was added.
Comment 3 • 5 years ago
Since this flag is preserved on LazyScript, it is useful to track it on SharedContext and initialize it consistently on lazy and non-lazy scripts. This patch removes the plumbing of passing the ParseGoal through the parser class hierarchy.
Comment 4 • 5 years ago
Fix an inconsistency where delazified functions inside evals inside modules would think they came from a module. This trips an assert but the value is otherwise never used (and was only added a few days ago).
Depends on D57661
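As an added illustration of the rule stated in Comment 1 and fixed in Comment 4 (this is example code written for this page, not code from the bug, the patches, or SpiderMonkey): eval source is compiled with the Script goal even when the caller is module code. Two things a test can observe follow from that: module-only syntax is a SyntaxError inside eval, and an arrow inside a direct eval closes over the caller's `this`, which is the shape the bug's testcase exercises. The class names and the list of module-only constructs are constructed for the example; it assumes a Node-style JavaScript engine.

```javascript
// Added example, not from the bug report or SpiderMonkey: eval'd source is
// always compiled with the Script goal, even when the caller is module code.

// Returns true if `src` parses when handed to direct eval, false on
// SyntaxError. Errors thrown at run time (not parse time) count as parsed,
// because they prove the source got past the parser.
function evalParses(src) {
  try {
    eval(src);
    return true;
  } catch (e) {
    return !(e instanceof SyntaxError);
  }
}

// Constructs that only the Module goal accepts (constructed list).
const MODULE_ONLY = ["export {}", "import.meta", "import x from 'y'"];

// Map each construct to whether eval accepted it; every entry is expected to
// be false, because eval code is never module code.
function moduleSyntaxInEval() {
  const result = {};
  for (const src of MODULE_ONLY) {
    result[src] = evalParses(src);
  }
  return result;
}

// Shape of the bug's testcase: a derived-class constructor that direct-evals
// an arrow function. With super() called first, the arrow's `this` is the
// instance under construction, exactly as it would be without the eval.
class Base {}
class TestEvalArrow extends Base {
  constructor() {
    super();
    this.seen = eval("(() => this)()");
  }
}

function arrowThisIsInstance() {
  const o = new TestEvalArrow();
  return o.seen === o;
}

console.log(moduleSyntaxInEval());
console.log("arrow `this` is the instance:", arrowThisIsInstance());
```

Running the block prints an object whose values are all `false` and then `true` for the arrow check; the same results are obtained whether the file itself is loaded as a script or as a module, which is the consistency the patch restores for delazified functions.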
Comment 7 • 5 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/49838d2097df
https://hg.mozilla.org/mozilla-central/rev/d6f23cb5c8a1