Closed
Bug 1672729
Opened 4 years ago
Closed 4 years ago
Assertion failure: line >= sc->extent().lineno, at frontend/BytecodeEmitter.cpp:570
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
84 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox82 | --- | unaffected |
| firefox83 | --- | unaffected |
| firefox84 | --- | verified |
People
(Reporter: decoder, Assigned: tcampbell)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20201022-03de9a8a6f7c (debug build, run with --fuzzing-safe --ion-offthread-compile=off):
function x() {
return {
next: function() {
return {
value: class {
'line\
continuation'
}
};
}
};
};
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555575259d9 in js::frontend::BytecodeEmitter::updateLineNumberNotes(unsigned int) ()
#1 0x000055555753bdef in js::frontend::BytecodeEmitter::emitGetFunctionThis(mozilla::Maybe<unsigned int> const&) ()
#2 0x000055555753bc77 in js::frontend::BytecodeEmitter::emitGetFunctionThis(js::frontend::NameNode*) ()
#3 0x000055555752abe7 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#4 0x00005555575355d6 in js::frontend::BytecodeEmitter::emitAssignmentOrInit(js::frontend::ParseNodeKind, js::frontend::ParseNode*, js::frontend::ParseNode*) ()
#5 0x000055555752a44d in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#6 0x000055555753e001 in js::frontend::BytecodeEmitter::emitExpressionStatement(js::frontend::UnaryNode*) ()
#7 0x000055555752a9d0 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#8 0x000055555753de82 in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) ()
#9 0x000055555752a9a0 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#10 0x0000555557537b71 in js::frontend::BytecodeEmitter::emitLexicalScope(js::frontend::LexicalScopeNode*) ()
#11 0x000055555752a7bc in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#12 0x000055555752eb5e in js::frontend::BytecodeEmitter::emitFunctionScript(js::frontend::FunctionNode*, js::frontend::TopLevelFunction) ()
#13 0x000055555753b024 in js::frontend::BytecodeEmitter::emitFunction(js::frontend::FunctionNode*, bool, js::frontend::ListNode*) ()
#14 0x000055555752aa09 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#15 0x0000555557545e15 in js::frontend::BytecodeEmitter::emitCreateMemberInitializers(js::frontend::ClassEmitter&, js::frontend::ListNode*, js::frontend::BytecodeEmitter::FieldPlacement) ()
#16 0x00005555575310e1 in js::frontend::BytecodeEmitter::emitClass(js::frontend::ClassNode*, js::frontend::BytecodeEmitter::ClassNameKind, js::frontend::ParserAtom const*) ()
#17 0x0000555557544fdb in js::frontend::BytecodeEmitter::emitPropertyList(js::frontend::ListNode*, js::frontend::PropertyEmitter&, js::frontend::PropListType, bool)::$_6::operator()() const ()
#18 0x0000555557544a5f in js::frontend::BytecodeEmitter::emitPropertyList(js::frontend::ListNode*, js::frontend::PropertyEmitter&, js::frontend::PropListType, bool) ()
#19 0x0000555557547569 in js::frontend::BytecodeEmitter::emitObject(js::frontend::ListNode*, bool) ()
#20 0x000055555752a69d in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#21 0x000055555753c2d7 in js::frontend::BytecodeEmitter::emitReturn(js::frontend::UnaryNode*) ()
#22 0x000055555752ac9c in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#23 0x000055555753de82 in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) ()
#24 0x000055555752a9a0 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#25 0x0000555557537b71 in js::frontend::BytecodeEmitter::emitLexicalScope(js::frontend::LexicalScopeNode*) ()
#26 0x000055555752a7bc in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#27 0x000055555752eb5e in js::frontend::BytecodeEmitter::emitFunctionScript(js::frontend::FunctionNode*, js::frontend::TopLevelFunction) ()
#28 0x000055555753b024 in js::frontend::BytecodeEmitter::emitFunction(js::frontend::FunctionNode*, bool, js::frontend::ListNode*) ()
#29 0x000055555752aa09 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#30 0x0000555557544fdb in js::frontend::BytecodeEmitter::emitPropertyList(js::frontend::ListNode*, js::frontend::PropertyEmitter&, js::frontend::PropListType, bool)::$_6::operator()() const ()
#31 0x0000555557544a5f in js::frontend::BytecodeEmitter::emitPropertyList(js::frontend::ListNode*, js::frontend::PropertyEmitter&, js::frontend::PropListType, bool) ()
#32 0x0000555557547569 in js::frontend::BytecodeEmitter::emitObject(js::frontend::ListNode*, bool) ()
#33 0x000055555752a69d in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#34 0x000055555753c2d7 in js::frontend::BytecodeEmitter::emitReturn(js::frontend::UnaryNode*) ()
#35 0x000055555752ac9c in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#36 0x000055555753de82 in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) ()
#37 0x000055555752a9a0 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#38 0x0000555557537b71 in js::frontend::BytecodeEmitter::emitLexicalScope(js::frontend::LexicalScopeNode*) ()
#39 0x000055555752a7bc in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#40 0x000055555752eb5e in js::frontend::BytecodeEmitter::emitFunctionScript(js::frontend::FunctionNode*, js::frontend::TopLevelFunction) ()
#41 0x000055555753b024 in js::frontend::BytecodeEmitter::emitFunction(js::frontend::FunctionNode*, bool, js::frontend::ListNode*) ()
#42 0x000055555752aa09 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#43 0x000055555752c744 in js::frontend::BytecodeEmitter::emitHoistedFunctionsInList(js::frontend::ListNode*) ()
#44 0x000055555752d994 in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) ()
[...]
#52 0x0000555556bb8aad in main ()
rax 0x555555816a25 93824995125797
rbx 0x7 7
rcx 0x5555585c7318 93825043034904
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffff8a80 140737488325248
rsp 0x7fffffff8a40 140737488325184
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99dc0 140737353719232
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x6 6
r13 0x7fffffff9210 140737488327184
r14 0x7fffffff9201 140737488327169
r15 0x62 98
rip 0x5555575259d9 <js::frontend::BytecodeEmitter::updateLineNumberNotes(unsigned int)+441>
=> 0x5555575259d9 <_ZN2js8frontend15BytecodeEmitter21updateLineNumberNotesEj+441>: movl $0x23a,0x0
0x5555575259e4 <_ZN2js8frontend15BytecodeEmitter21updateLineNumberNotesEj+452>: callq 0x555556c477c6 <abort>
My first guess is that this is harmless and might lead to wrong line numbers somewhere, but I am not 100% sure, so marking s-s until a JS dev has investigated.
|
Reporter | |
Comment 1•4 years ago
|
||
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → tcampbell
|
|
Assignee | |
Updated•4 years ago
|
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
|
Assignee | |
Comment 2•4 years ago
|
||
The assert was added in preparation for https://phabricator.services.mozilla.com/D94116 which has not landed yet.
Group: javascript-core-security
Severity: -- → S4
Priority: -- → P1
|
||
Comment 3•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201022145409-5684c9b12b5e.
The bug appears to have been introduced in the following build range:
Start: 67b1590895ee34f8999f37bfd18a7c05ca3ad30b (20201020020149)
End: 4c7b8e1f6245f10a98c3bcb4fd46f5a288ed4730 (20201020024429)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=67b1590895ee34f8999f37bfd18a7c05ca3ad30b&tochange=4c7b8e1f6245f10a98c3bcb4fd46f5a288ed4730
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
|
|
Assignee | |
Comment 4•4 years ago
|
||
|
|
Assignee | |
Comment 5•4 years ago
|
||
For more consistent locations when generating JS field initializer lambdas,
set the lambda's location as the property name. This ensures that source
notes are inside the function body. When we are generating the initializer
code for simple fields without initializers, the Parser pos() points to the
field name, so including the name in the lambda's SourceExtent ensures the
generated source locations are within the body.
Depends on D94527
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d2ab65def6c6
Add tests for JS field initializer function positions. r=arai
https://hg.mozilla.org/integration/autoland/rev/8915b0ea73cf
Use class field property name as start of initializer. r=arai
|
||
Comment 7•4 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/d2ab65def6c6
https://hg.mozilla.org/mozilla-central/rev/8915b0ea73cf
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
|
|
||
Comment 8•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201023214713-1980f87855fc.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•4 years ago
|
status-firefox82:
--- → unaffected
status-firefox83:
--- → unaffected
status-firefox-esr78:
--- → unaffected
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•