Closed Bug 1651512 Opened 3 months ago Closed 3 months ago

Assertion failure: key->isKind(ParseNodeKind::StringExpr) || key->isKind(ParseNodeKind::NumberExpr) || key->isKind(ParseNodeKind::BigIntExpr), at builtin/ReflectParse.cpp:3180

Categories: Core :: JavaScript Engine, defect, P2 (x86_64, Linux)

Tracking: VERIFIED FIXED, mozilla80

Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox78 --- unaffected
firefox79 --- unaffected
firefox80 --- fixed

People: Reporter: decoder, Assigned: mgaudet

References: Regression

Details: Keywords: assertion, regression, testcase; Whiteboard: [bugmon:update,bisected,confirmed]

Attachments: 2 files

The following testcase crashes on mozilla-central revision 20200708-34fb169ef962 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --enable-private-fields):

let classStringExpression = `(
  class {
    static #m = 'test262';
  }
)`;
let evalClass = function () {
  return Reflect.parse(classStringExpression);
};
evalClass();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555555c05a4a in (anonymous namespace)::ASTSerializer::propertyName(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) ()
#1  0x0000555555bec8eb in (anonymous namespace)::ASTSerializer::statement(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) ()
#2  0x0000555555bfad85 in (anonymous namespace)::ASTSerializer::classDefinition(js::frontend::ClassNode*, bool, JS::MutableHandle<JS::Value>) ()
#3  0x0000555555bf097a in (anonymous namespace)::ASTSerializer::expression(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) ()
#4  0x0000555555bebf2f in (anonymous namespace)::ASTSerializer::statement(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) ()
#5  0x0000555555beae10 in (anonymous namespace)::ASTSerializer::statements(js::frontend::ListNode*, JS::RootedVector<JS::Value>&) ()
#6  0x0000555555bea86e in (anonymous namespace)::ASTSerializer::program(js::frontend::ListNode*, JS::MutableHandle<JS::Value>) ()
#7  0x0000555555bbc4af in reflect_parse(JSContext*, unsigned int, JS::Value*) ()
#8  0x0000555555942e42 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#20 0x00005555557b9cda in main ()
rip	0x555555c05a4a <(anonymous namespace)::ASTSerializer::propertyName(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>)+298>
=> 0x555555c05a4a <_ZN12_GLOBAL__N_113ASTSerializer12propertyNameEPN2js8frontend9ParseNodeEN2JS13MutableHandleINS5_5ValueEEE+298>:	movl   $0xc6c,0x0
   0x555555c05a55 <_ZN12_GLOBAL__N_113ASTSerializer12propertyNameEPN2js8frontend9ParseNodeEN2JS13MutableHandleINS5_5ValueEEE+309>:	callq  0x5555558485fe <abort>
Attached file Testcase

Hi Mathew, I presume this fuzz bug is for you ;)

Severity: -- → S4
Flags: needinfo?(mgaudet)
Priority: -- → P2
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Flags: needinfo?(mgaudet)
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/705dcdc597d4
Reflect.parse support for private fields r=jorendorff

Backed out changeset 705dcdc597d4 (bug 1651512) for parse related bustage

Push with failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&group_state=expanded&selectedTaskRun=Lgr6Op6sRbqAAfS198WxNQ.0&searchStr=spidermonkey&tochange=5cff164097d9d5eb441d7908ceaf370b865258c1&fromchange=7d0519f34ef81243ba842b6bbc6de7e9e6e87f62

Backout link: https://hg.mozilla.org/integration/autoland/rev/c6b199445789dddba190ad6990d33dc68bd226f7

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=309372987&repo=autoland&lineNumber=48524

...
[task 2020-07-10T20:21:59.079Z] TEST-PASS | non262/Math/cosh-exact.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.082Z] TEST-KNOWN-FAIL | non262/reflect-parse/PatternAsserts.js | (args: "") | (SKIP) [0.0 s]
[task 2020-07-10T20:21:59.088Z] TEST-PASS | non262/Math/fround.js | (args: "") [0.2 s]
[task 2020-07-10T20:21:59.088Z] TEST-PASS | non262/fields/await-identifier-script.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.089Z] TEST-PASS | non262/fields/await-identifier-module-1.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.095Z] TEST-PASS | non262/fields/await-identifier-module-2.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.096Z] TEST-PASS | non262/fields/await-identifier-module-3.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.116Z] TEST-PASS | non262/fields/unimplemented.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.116Z] TEST-KNOWN-FAIL | non262/reflect-parse/Match.js | (args: "") | (SKIP) [0.0 s]
[task 2020-07-10T20:21:59.144Z] TEST-PASS | non262/fields/scopes.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.149Z] TEST-PASS | non262/fields/bug1587574.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.155Z] TEST-PASS | non262/Set/iterator-thisv-error.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.179Z] TEST-PASS | non262/Set/forEach-selfhosted-behavior.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.179Z] TEST-PASS | non262/Set/getter-name.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.208Z] TEST-PASS | non262/Set/NaN-as-key.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.208Z] TEST-PASS | non262/reflect-parse/location.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.218Z] TEST-PASS | non262/reflect-parse/proxyArgs.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.225Z] TEST-PASS | non262/Set/symbols.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.225Z] TEST-PASS | non262/reflect-parse/computedPropNames.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.235Z] TEST-PASS | non262/reflect-parse/object-spread.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.243Z] TEST-PASS | non262/reflect-parse/object-rest.js | (args: "") [0.2 s]
[task 2020-07-10T20:21:59.247Z] TEST-PASS | non262/reflect-parse/statements.js | (args: "") [0.2 s]
[task 2020-07-10T20:21:59.248Z] TEST-PASS | non262/reflect-parse/basicBuilder.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.250Z] TEST-KNOWN-FAIL | non262/reflect-parse/PatternBuilders.js | (args: "") | (SKIP) [0.0 s]
[task 2020-07-10T20:21:59.273Z] TEST-PASS | non262/reflect-parse/alternateBuilder.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.292Z] TEST-PASS | non262/reflect-parse/expression.js | (args: "") [0.2 s]
[task 2020-07-10T20:21:59.296Z] TEST-PASS | non262/reflect-parse/async.js | (args: "") [0.2 s]
[task 2020-07-10T20:21:59.310Z] TEST-PASS | non262/reflect-parse/destructuring__proto__.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.320Z] ## non262/reflect-parse/class-fields.js: rc = 3, run time = 0.137034
[task 2020-07-10T20:21:59.320Z] assertLocalStmt@/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/PatternAsserts.js:31:36
[task 2020-07-10T20:21:59.320Z] assertLocalExpr@/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/PatternAsserts.js:35:20
[task 2020-07-10T20:21:59.320Z] assertExpr@/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/PatternAsserts.js:75:20
[task 2020-07-10T20:21:59.320Z] testClassFields@/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/class-fields.js:19:15
[task 2020-07-10T20:21:59.320Z] runtest@/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/shell.js:59:9
[task 2020-07-10T20:21:59.320Z] @/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/class-fields.js:24:8
[task 2020-07-10T20:21:59.320Z] 
[task 2020-07-10T20:21:59.320Z] /builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/PatternAsserts.js:31:35 SyntaxError: private fields are not currently supported
[task 2020-07-10T20:21:59.320Z] Stack:
[task 2020-07-10T20:21:59.320Z]   runtest@/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/shell.js:64:9
[task 2020-07-10T20:21:59.320Z]   @/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/class-fields.js:24:8
[task 2020-07-10T20:21:59.320Z] TEST-UNEXPECTED-FAIL | non262/reflect-parse/class-fields.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.348Z] TEST-PASS | non262/reflect-parse/builderExceptions.js | (args: "") [0.1 s]
...
Flags: needinfo?(mgaudet)
Flags: needinfo?(mgaudet)
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f23336ed9408
Reflect.parse support for private fields r=jorendorff
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200713095122-2c8bc998c107.
The bug appears to have been introduced in the following build range:
> Start: 21605186687e044a1421b41f94260800d241ccd0 (20200707193047)
> End: d2498e0b9cf65a66d71125a19f1863b7798413ad (20200707193455)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=21605186687e044a1421b41f94260800d241ccd0&tochange=d2498e0b9cf65a66d71125a19f1863b7798413ad
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200714153520-bca48c382991.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.