Assertion failure: !fun->baseScript()->getFieldInitializers().valid, at frontend/Parser.cpp:2738

Core :: JavaScript Engine

The following testcase crashes on mozilla-central revision 20200608-63dc5e9b1b02 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

function evalWithCache(code, ctx) {
  code = code instanceof Object ? code : cacheEntry(code);
  ctx_save = Object.create(ctx, { saveIncrementalBytecode: { value: true } });
  var res1 = evaluate(code, ctx_save);
  var res2 = evaluate(code, Object.create(ctx_save, { loadBytecode: { value: true } }));
}
// The next three statements lost their left-hand sides in the extracted report;
// the fragments are kept as they appear rather than reconstructed. The opening
// line of the evalWithCache call below was lost too and is inferred from the
// closing `, {}); and the function signature above.
= newGlobal();
= 0;
= 1;
evalWithCache(`
    function f(x) {
        function ifTrue() {};
        function ifFalse() {
            class y {
                constructor() {}
            }
        }
        if (x) return ifTrue();
        else  return ifFalse();
    }
    f((generation % 2) == 0);
`, {});


It might be harmless, but I'll mark it s-s anyway for now, because it is unclear to me what potential impact this has (violating parser invariants through the load/saveBytecode feature).

Attached file Testcase

Ted, can you investigate this issue?

SaveIncrementalBytecode followed by loadBytecode, which gets executed differently the second time, is actually expected behavior, which can be reproduced on the web with the JSBC. Getting a different execution can be achieved on the web by using a time/random-based condition.

This is a benign issue with an overly strict assert. I'll fix the XDR (and parser) code to be more consistent about these invariants. Will open up the bug once I finish the patch and am sure.

Assertion was checking for double-init, but the value is never read back before the real initialization so this doesn't have any issues in opt builds.

FieldInitializers is only defined for functions that have a compiled
enclosing script. We should avoid setting the value when it is not defined.
Update initFromLazyFunction so that fieldInitializers are only read for the
function being delazified. Fix XDR to not track fieldInitializers for lazy
functions with lazy parent functions by checking for existence of an

Also ensure fieldInitializers are set correctly when cloning scripts. In
practice, we delazify the entire script tree before cloning, but this is a footgun
nonetheless.

Similar to previous patch, this info is not set on functions with lazy
enclosing functions. Also, inline FunctionBox::setTypeForExposedFunctions
into its only caller.

Depends on D79282

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200611093454-10ad7868f3ca.
The bug appears to have been introduced in the following build range:
> Start: b03dd4aa0e28b0f52d8a6a1846c35d029f08ac40 (20200414134316)
> End: c289ac40b54681da3699feda5790410e3be00a58 (20200414134513)
> Pushlog:
Regressed by: 1628828
Pushed by
Cleanup FieldInitializers initialization. r=mgaudet
Avoid setting lazy function TI type during XDR. r=mgaudet
