Closed
Bug 1661454
Opened 4 years ago
Closed 4 years ago
Assertion failure: false (tryDeclareVarHelper<DryRunInnermostScopeOnly>( name, kind, DeclaredNameInfo::npos, &redeclaredKind, &unused)), at /builds/worker/checkouts/gecko/js/src/frontend/ParseContext.cpp:383
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
82 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | unaffected |
| firefox80 | --- | unaffected |
| firefox81 | --- | unaffected |
| firefox82 | --- | verified |
People
(Reporter: decoder, Assigned: tcampbell)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20200826-61ed3192760a (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
function loadFile(lfVarx) {
oomTest(() => eval(lfVarx));
}
loadFile("");
loadFile(`
for (let j92 = 0; j92 < 4; j92++) {
function g37() { j92; }
}
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 js::frontend::ParseContext::isVarRedeclaredInInnermostScope (this=0x7fffffff8838, name=<optimized out>, kind=js::frontend::DeclarationKind::VarForAnnexBLexicalFunction) at js/src/frontend/ParseContext.cpp:382
#1 js::frontend::ParseContext::annexBAppliesToLexicalFunctionInInnermostScope (this=0x7fffffff8838, funbox=<optimized out>) at js/src/frontend/ParseContext.cpp:351
#2 0x00005555575342a9 in js::frontend::ParseContext::Scope::propagateAndMarkAnnexBFunctionBoxes (this=<optimized out>, pc=0x7fffffff8838) at js/src/frontend/ParseContext.cpp:201
#3 0x00005555574bc8f0 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::evalBody (this=0x7fffffff92a8, evalsc=<optimized out>) at js/src/frontend/Parser.cpp:1597
#4 0x0000555557505a65 in js::frontend::ScriptCompiler<char16_t>::compileScript (this=0x7fffffff8d88, compilationInfo=..., sc=0x7fffffff9890) at js/src/frontend/BytecodeCompiler.cpp:466
#5 0x00005555574d2232 in CreateEvalScript<char16_t> (compilationInfo=..., evalsc=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:246
#6 js::frontend::CompileEvalScript (compilationInfo=..., evalsc=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:261
#7 0x0000555556d3f8a4 in EvalKernel (cx=<optimized out>, v=..., evalType=<optimized out>, caller=..., env=..., pc=<optimized out>, vp=...) at js/src/builtin/Eval.cpp:346
#8 0x0000555556d3fff7 in js::DirectEval (cx=<optimized out>, v=..., vp=...) at js/src/builtin/Eval.cpp:490
#9 0x0000555557764e2d in js::jit::DoCallFallback (cx=0x7ffff6027000, frame=0x7fffffffb000, stub=0x7ffff59d30e8, argc=1, vp=0x7fffffffafb0, res=...) at js/src/jit/BaselineIC.cpp:3004
#10 0x000000c6de2c0233 in ?? ()
[...]
rax 0x55555584c7dd 93824995346397
rbx 0x7ffff5658740 140737310459712
rcx 0x555558520aa8 93825042352808
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffff8730 140737488324400
rsp 0x7fffffff86c0 140737488324288
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f9de00 140737353735680
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x7fffffff8838 140737488324664
r13 0x7ffff566d320 140737310544672
r14 0x7fffffff8838 140737488324664
r15 0x7ffff56405e0 140737310361056
rip 0x55555753476a <js::frontend::ParseContext::annexBAppliesToLexicalFunctionInInnermostScope(js::frontend::FunctionBox*)+714>
=> 0x55555753476a <js::frontend::ParseContext::annexBAppliesToLexicalFunctionInInnermostScope(js::frontend::FunctionBox*)+714>: movl $0x17f,0x0
0x555557534775 <js::frontend::ParseContext::annexBAppliesToLexicalFunctionInInnermostScope(js::frontend::FunctionBox*)+725>: callq 0x555556bd985e <abort()>
|
Reporter | |
Comment 1•4 years ago
|
||
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → tcampbell
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Updated•4 years ago
|
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
|
|
||
Comment 2•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200827093043-44ee384376ce.
The bug appears to have been introduced in the following build range:
> Start: 8a2f6318ffa3d94a93c01b4f8cc7c320634346c7 (20200825235900)
> End: e87bcd8a1f949b155dff0cc0c7cbad7f4fe03f77 (20200826010630)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8a2f6318ffa3d94a93c01b4f8cc7c320634346c7&tochange=e87bcd8a1f949b155dff0cc0c7cbad7f4fe03f77
|
||
Updated•4 years ago
|
Severity: -- → S3
|
|
Assignee | |
Comment 3•4 years ago
|
||
Until we have a complete system for scope shapshotting, there is still a
window for OOM to happening while computing annex-B redeclaration behaviour
within eval. Work around this by propegating the OOM to further up to caller.
Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/56ce346234d1 Propegate OOM from isVarRedeclaredInInnermostScope. r=arai
|
||
Comment 5•4 years ago
|
||
Set release status flags based on info from the regressing bug 1660798
status-firefox80:
--- → unaffected
status-firefox81:
--- → unaffected
status-firefox-esr68:
--- → unaffected
status-firefox-esr78:
--- → unaffected
|
||
Comment 6•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
|
|
||
Updated•4 years ago
|
|
|
||
Comment 7•4 years ago
|
||
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200828153126-56166cae2e26. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•