Closed
Bug 1650340
Opened 4 years ago
Closed 4 years ago
Assertion failure: isMemberExpression || isCallExpression || isOptionalExpression (Unknown ParseNodeKind for OptionalChain), at frontend/BytecodeEmitter.cpp:7982
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla80
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | wontfix |
| firefox78 | --- | wontfix |
| firefox79 | --- | wontfix |
| firefox80 | --- | fixed |
People
(Reporter: decoder, Assigned: yulia)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20200703-b48777a21aab (debug build, run with --no-threads --fuzzing-safe):
delete undefined ?.x[y+1]
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555556153970 in js::frontend::BytecodeEmitter::emitOptionalTree(js::frontend::ParseNode*, js::frontend::OptionalEmitter&, js::frontend::ValueUsage) ()
#0 0x0000555556153970 in js::frontend::BytecodeEmitter::emitOptionalTree(js::frontend::ParseNode*, js::frontend::OptionalEmitter&, js::frontend::ValueUsage) ()
#1 0x0000555556153269 in js::frontend::BytecodeEmitter::emitDeleteElementInOptChain(js::frontend::PropertyByValueBase*, js::frontend::OptionalEmitter&) ()
#2 0x0000555556153001 in js::frontend::BytecodeEmitter::emitDeleteOptionalChain(js::frontend::UnaryNode*) ()
#3 0x000055555613c500 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#4 0x000055555615247f in js::frontend::BytecodeEmitter::emitExpressionStatement(js::frontend::UnaryNode*) ()
#5 0x000055555613c9d0 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#6 0x0000555556152302 in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) ()
#7 0x000055555613c9b0 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#8 0x000055555613ffe8 in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) ()
#9 0x0000555556166dcc in js::frontend::ScriptCompiler<mozilla::Utf8Unit>::compileScript(js::frontend::CompilationInfo&, js::frontend::SharedContext*) ()
[...]
#16 0x00005555557b9c85 in main ()
rax 0x55555708201d 93825020731421
rbx 0x0 0
rcx 0x555558383840 93825040660544
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffa630 140737488332336
rsp 0x7fffffffa5e0 140737488332256
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f9bd40 140737353727296
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x7ffff6085160 140737321128288
r13 0x0 0
r14 0x7fffffffa690 140737488332432
r15 0x7fffffffaa60 140737488333408
rip 0x555556153970 <js::frontend::BytecodeEmitter::emitOptionalTree(js::frontend::ParseNode*, js::frontend::OptionalEmitter&, js::frontend::ValueUsage)+864>
=> 0x555556153970 <_ZN2js8frontend15BytecodeEmitter16emitOptionalTreeEPNS0_9ParseNodeERNS0_15OptionalEmitterENS0_10ValueUsageE+864>: movl $0x1f2e,0x0
0x55555615397b <_ZN2js8frontend15BytecodeEmitter16emitOptionalTreeEPNS0_9ParseNodeERNS0_15OptionalEmitterENS0_10ValueUsageE+875>: callq 0x55555584855e <abort>
|
Reporter | |
Comment 1•4 years ago
|
||
|
||
Updated•4 years ago
|
Flags: needinfo?(ystartsev)
|
||
Comment 2•4 years ago
|
||
:decoder, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(choller)
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → ystartsev
Flags: needinfo?(ystartsev)
|
||
Updated•4 years ago
|
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
|
|
||
Comment 3•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200703153532-c050478f22e6.
Failed to bisect testcase (Unable to launch the end build!):
> Start: b7030ce607ec56690829e8fb6dbcd27dd54a044c (20190705064618)
> End: b48777a21aabc35311956a1a1395a5dbba8c1a77 (20200703035655)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)|
|
Assignee | |
Comment 4•4 years ago
|
||
|
|
Reporter | |
Comment 5•4 years ago
|
||
(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #2)
:decoder, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Forwarding to the assigned developer.
Flags: needinfo?(choller) → needinfo?(ystartsev)
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Updated•4 years ago
|
Severity: -- → S3
Priority: -- → P1
Pushed by ystartsev@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8f611a0f8ba3 Fix deleteElementInOptionalChain; r=jorendorff
|
||
Comment 7•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
|
|
||
Updated•4 years ago
|
|
|
||
Comment 8•4 years ago
|
||
Bugmon Analysis: Bug marked as FIXED but still reproduces on mozilla-central 20200714153520-bca48c382991.
|
|
||
Comment 9•4 years ago
|
||
The fix for this one also landed in a later merge.
Status: REOPENED → RESOLVED
Closed: 4 years ago → 4 years ago
Resolution: --- → FIXED
|
|
||
Comment 10•4 years ago
|
||
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200715093718-d4c6cd2e13bb. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Updated•4 years ago
|
status-firefox78:
--- → wontfix
status-firefox79:
--- → wontfix
status-firefox-esr68:
--- → unaffected
status-firefox-esr78:
--- → wontfix
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•