Closed Bug 1702424 Opened 5 years ago Closed 5 years ago

Assertion failure: stackDepth_ >= 0, at frontend/BytecodeSection.cpp:177 with class private fields

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking

()

VERIFIED FIXED
89 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- unaffected
firefox88 --- unaffected
firefox89 --- fixed

People

(Reporter: decoder, Assigned: mgaudet)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 20210401-5c46535ee223 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --enable-private-methods):

class a {
    b
    #c() {
        d.#c ^= 'x'
    }
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555572f336b in js::frontend::BytecodeSection::updateDepth(js::frontend::BytecodeOffset) ()
#1  0x00005555572eaa39 in js::frontend::BytecodeEmitter::emit1(JSOp) ()
#2  0x00005555573661f5 in js::frontend::PrivateOpEmitter::emitAssignment() ()
#3  0x0000555557304ca6 in js::frontend::BytecodeEmitter::emitAssignmentOrInit(js::frontend::ParseNodeKind, js::frontend::ParseNode*, js::frontend::ParseNode*) ()
#4  0x00005555572f9018 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#5  0x000055555730c93e in js::frontend::BytecodeEmitter::emitExpressionStatement(js::frontend::UnaryNode*) ()
#6  0x00005555572f93c1 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#7  0x000055555730c7cf in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) ()
#8  0x00005555572f96a1 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#9  0x00005555573073ae in js::frontend::BytecodeEmitter::emitLexicalScope(js::frontend::LexicalScopeNode*) ()
#10 0x00005555572f977a in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#11 0x00005555572fddf2 in js::frontend::BytecodeEmitter::emitFunctionScript(js::frontend::FunctionNode*) ()
#12 0x0000555557309e1e in js::frontend::BytecodeEmitter::emitFunction(js::frontend::FunctionNode*, bool) ()
#13 0x00005555572f91b7 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#14 0x0000555557313bfe in js::frontend::BytecodeEmitter::emitPropertyList(js::frontend::ListNode*, js::frontend::PropertyEmitter&, js::frontend::PropListType)::$_6::operator()() const ()
#15 0x00005555573138e6 in js::frontend::BytecodeEmitter::emitPropertyList(js::frontend::ListNode*, js::frontend::PropertyEmitter&, js::frontend::PropListType) ()
#16 0x000055555730050f in js::frontend::BytecodeEmitter::emitClass(js::frontend::ClassNode*, js::frontend::BytecodeEmitter::ClassNameKind, js::frontend::TaggedParserAtomIndex) ()
#17 0x00005555572f9183 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#18 0x000055555730c7cf in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) ()
#19 0x00005555572f96a1 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#20 0x00005555572fcc68 in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) ()
#21 0x000055555732338a in js::frontend::ScriptCompiler<mozilla::Utf8Unit>::compile(JSContext*, js::frontend::SharedContext*) ()
[...]
#28 0x00005555569f71d1 in main ()
rip	0x5555572f336b <js::frontend::BytecodeSection::updateDepth(js::frontend::BytecodeOffset)+267>
=> 0x5555572f336b <_ZN2js8frontend15BytecodeSection11updateDepthENS0_14BytecodeOffsetE+267>:	movl   $0xb1,0x0
   0x5555572f3376 <_ZN2js8frontend15BytecodeSection11updateDepthENS0_14BytecodeOffsetE+278>:	callq  0x555556a8185f <abort>
Attached file Testcase
Flags: needinfo?(mgaudet)
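As an added regression check (this is editor-supplied code, not the bug's own attachment), the script below compiles the reporter's testcase source and then runs a constructed variant in which the compound assignment to a private method actually executes; it assumes a JavaScript engine with class private methods (Node 14.6+ or any current browser):

```javascript
// Constructed input: the reporter's testcase, verbatim, as a source string.
// An engine affected by this bug aborts on the stackDepth_ assertion while
// emitting bytecode for `d.#c ^= 'x'`, so merely compiling it is the check.
const REPORTER_SRC = `
class a {
    b
    #c() {
        d.#c ^= 'x'
    }
}`;

// Returns true when the source compiles (parse + bytecode emit) without error.
// `new Function` forces compilation without running the class body's methods,
// so the unresolved `d` never matters.
function compilesWithoutError(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    return false;
  }
}

// Runtime semantics the emitter must preserve once it stops crashing:
// private methods are not writable, so a compound assignment such as
// `this.#m ^= 1` reads #m, computes the XOR, and then throws TypeError on
// the write. Returns the thrown error's constructor name (or 'no-throw').
function runCompoundAssignmentOnPrivateMethod() {
  class K {
    #m() { return 1; }
    go() { this.#m ^= 1; }
  }
  try {
    new K().go();
    return 'no-throw';
  } catch (e) {
    return e.constructor.name;
  }
}

console.log('compiles:', compilesWithoutError(REPORTER_SRC));
console.log('runtime :', runCompoundAssignmentOnPrivateMethod());
```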

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210401031248-5c46535ee223.
The bug appears to have been introduced in the following build range:

Start: 61363611f751aa82c6cb797108ae1044dbf85899 (20210330202751)
End: 4c69d3aabee4ad8dbd08cb8d10917f6998da2242 (20210330202936)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=61363611f751aa82c6cb797108ae1044dbf85899&tochange=4c69d3aabee4ad8dbd08cb8d10917f6998da2242

Expression stack depth mismatch. The PrivateOpEmitter has unfortunately complex stack semantics, which makes this bug inevitable.

I've added this test case (and related ones) to my fixup stack, and am marking this as RESOLVED FIXED, as it was fixed by backout.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(mgaudet)
Resolution: --- → FIXED

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210405212812-65dc61a78542.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Assignee: nobody → mgaudet
Group: javascript-core-security → core-security-release
Target Milestone: --- → 89 Branch

:mgaudet, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(mgaudet)
Flags: needinfo?(mgaudet)
Group: core-security-release
