Closed
Bug 1651512
Opened 4 years ago
Closed 4 years ago
Assertion failure: key->isKind(ParseNodeKind::StringExpr) || key->isKind(ParseNodeKind::NumberExpr) || key->isKind(ParseNodeKind::BigIntExpr), at builtin/ReflectParse.cpp:3180
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
VERIFIED
FIXED
mozilla80
| | Tracking | Status |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | unaffected |
| firefox78 | --- | unaffected |
| firefox79 | --- | unaffected |
| firefox80 | --- | fixed |
People
(Reporter: decoder, Assigned: mgaudet)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20200708-34fb169ef962 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --enable-private-fields):
```js
let classStringExpression = `(
class {
static #m = 'test262';
}
)`;
let evalClass = function () {
  return Reflect.parse(classStringExpression);
};
evalClass();
```
Backtrace:
```
received signal SIGSEGV, Segmentation fault.
#0 0x0000555555c05a4a in (anonymous namespace)::ASTSerializer::propertyName(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) ()
#1 0x0000555555bec8eb in (anonymous namespace)::ASTSerializer::statement(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) ()
#2 0x0000555555bfad85 in (anonymous namespace)::ASTSerializer::classDefinition(js::frontend::ClassNode*, bool, JS::MutableHandle<JS::Value>) ()
#3 0x0000555555bf097a in (anonymous namespace)::ASTSerializer::expression(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) ()
#4 0x0000555555bebf2f in (anonymous namespace)::ASTSerializer::statement(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>) ()
#5 0x0000555555beae10 in (anonymous namespace)::ASTSerializer::statements(js::frontend::ListNode*, JS::RootedVector<JS::Value>&) ()
#6 0x0000555555bea86e in (anonymous namespace)::ASTSerializer::program(js::frontend::ListNode*, JS::MutableHandle<JS::Value>) ()
#7 0x0000555555bbc4af in reflect_parse(JSContext*, unsigned int, JS::Value*) ()
#8 0x0000555555942e42 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#20 0x00005555557b9cda in main ()
```
```
rip 0x555555c05a4a <(anonymous namespace)::ASTSerializer::propertyName(js::frontend::ParseNode*, JS::MutableHandle<JS::Value>)+298>
=> 0x555555c05a4a <_ZN12_GLOBAL__N_113ASTSerializer12propertyNameEPN2js8frontend9ParseNodeEN2JS13MutableHandleINS5_5ValueEEE+298>: movl $0xc6c,0x0
0x555555c05a55 <_ZN12_GLOBAL__N_113ASTSerializer12propertyNameEPN2js8frontend9ParseNodeEN2JS13MutableHandleINS5_5ValueEEE+309>: callq 0x5555558485fe <abort>
```
Reporter
Comment 1•4 years ago
Comment 2•4 years ago
Hi Mathew, I presume this fuzz bug is for you ;)
Severity: -- → S4
Flags: needinfo?(mgaudet)
Priority: -- → P2
Assignee
Comment 3•4 years ago
Updated•4 years ago
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Assignee
Updated•4 years ago
Flags: needinfo?(mgaudet)
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/705dcdc597d4
Reflect.parse support for private fields r=jorendorff
Comment 5•4 years ago
Backed out changeset 705dcdc597d4 (bug 1651512) for parse related bustage
Backout link: https://hg.mozilla.org/integration/autoland/rev/c6b199445789dddba190ad6990d33dc68bd226f7
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=309372987&repo=autoland&lineNumber=48524
```
...
[task 2020-07-10T20:21:59.079Z] TEST-PASS | non262/Math/cosh-exact.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.082Z] TEST-KNOWN-FAIL | non262/reflect-parse/PatternAsserts.js | (args: "") | (SKIP) [0.0 s]
[task 2020-07-10T20:21:59.088Z] TEST-PASS | non262/Math/fround.js | (args: "") [0.2 s]
[task 2020-07-10T20:21:59.088Z] TEST-PASS | non262/fields/await-identifier-script.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.089Z] TEST-PASS | non262/fields/await-identifier-module-1.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.095Z] TEST-PASS | non262/fields/await-identifier-module-2.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.096Z] TEST-PASS | non262/fields/await-identifier-module-3.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.116Z] TEST-PASS | non262/fields/unimplemented.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.116Z] TEST-KNOWN-FAIL | non262/reflect-parse/Match.js | (args: "") | (SKIP) [0.0 s]
[task 2020-07-10T20:21:59.144Z] TEST-PASS | non262/fields/scopes.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.149Z] TEST-PASS | non262/fields/bug1587574.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.155Z] TEST-PASS | non262/Set/iterator-thisv-error.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.179Z] TEST-PASS | non262/Set/forEach-selfhosted-behavior.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.179Z] TEST-PASS | non262/Set/getter-name.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.208Z] TEST-PASS | non262/Set/NaN-as-key.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.208Z] TEST-PASS | non262/reflect-parse/location.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.218Z] TEST-PASS | non262/reflect-parse/proxyArgs.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.225Z] TEST-PASS | non262/Set/symbols.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.225Z] TEST-PASS | non262/reflect-parse/computedPropNames.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.235Z] TEST-PASS | non262/reflect-parse/object-spread.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.243Z] TEST-PASS | non262/reflect-parse/object-rest.js | (args: "") [0.2 s]
[task 2020-07-10T20:21:59.247Z] TEST-PASS | non262/reflect-parse/statements.js | (args: "") [0.2 s]
[task 2020-07-10T20:21:59.248Z] TEST-PASS | non262/reflect-parse/basicBuilder.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.250Z] TEST-KNOWN-FAIL | non262/reflect-parse/PatternBuilders.js | (args: "") | (SKIP) [0.0 s]
[task 2020-07-10T20:21:59.273Z] TEST-PASS | non262/reflect-parse/alternateBuilder.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.292Z] TEST-PASS | non262/reflect-parse/expression.js | (args: "") [0.2 s]
[task 2020-07-10T20:21:59.296Z] TEST-PASS | non262/reflect-parse/async.js | (args: "") [0.2 s]
[task 2020-07-10T20:21:59.310Z] TEST-PASS | non262/reflect-parse/destructuring__proto__.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.320Z] ## non262/reflect-parse/class-fields.js: rc = 3, run time = 0.137034
[task 2020-07-10T20:21:59.320Z] assertLocalStmt@/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/PatternAsserts.js:31:36
[task 2020-07-10T20:21:59.320Z] assertLocalExpr@/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/PatternAsserts.js:35:20
[task 2020-07-10T20:21:59.320Z] assertExpr@/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/PatternAsserts.js:75:20
[task 2020-07-10T20:21:59.320Z] testClassFields@/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/class-fields.js:19:15
[task 2020-07-10T20:21:59.320Z] runtest@/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/shell.js:59:9
[task 2020-07-10T20:21:59.320Z] @/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/class-fields.js:24:8
[task 2020-07-10T20:21:59.320Z]
[task 2020-07-10T20:21:59.320Z] /builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/PatternAsserts.js:31:35 SyntaxError: private fields are not currently supported
[task 2020-07-10T20:21:59.320Z] Stack:
[task 2020-07-10T20:21:59.320Z] runtest@/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/shell.js:64:9
[task 2020-07-10T20:21:59.320Z] @/builds/worker/checkouts/gecko/js/src/tests/non262/reflect-parse/class-fields.js:24:8
[task 2020-07-10T20:21:59.320Z] TEST-UNEXPECTED-FAIL | non262/reflect-parse/class-fields.js | (args: "") [0.1 s]
[task 2020-07-10T20:21:59.348Z] TEST-PASS | non262/reflect-parse/builderExceptions.js | (args: "") [0.1 s]
...
```
Flags: needinfo?(mgaudet)
Assignee
Updated•4 years ago
Flags: needinfo?(mgaudet)
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f23336ed9408
Reflect.parse support for private fields r=jorendorff
Updated•4 years ago
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Comment 7•4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200713095122-2c8bc998c107.
The bug appears to have been introduced in the following build range:
> Start: 21605186687e044a1421b41f94260800d241ccd0 (20200707193047)
> End: d2498e0b9cf65a66d71125a19f1863b7798413ad (20200707193455)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=21605186687e044a1421b41f94260800d241ccd0&tochange=d2498e0b9cf65a66d71125a19f1863b7798413ad
Comment 8•4 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Comment 9•4 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200714153520-bca48c382991.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Updated•4 years ago
status-firefox78: --- → unaffected
status-firefox79: --- → unaffected
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → unaffected
Flags: in-testsuite+
Regressed by: 1642476
Updated•4 years ago
Has Regression Range: --- → yes