Closed Bug 1794589 Opened 2 years ago Closed 2 years ago

Assertion failure: !this->errorContext->hadErrors(), at frontend/BytecodeCompiler.cpp:797

Categories

(Core :: JavaScript Engine, defect, P2)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1794288
Tracking Status
firefox107 --- wontfix

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20221011-5cbd3d92a78c (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

code = ` 
  function foo() {
    return x;
    y;
  }
`;
oomTest(function() {
  parseModule(code)
});

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555574d9604 in ModuleCompiler<char16_t>::compile(JSContext*, js::ErrorContext*) ()
#1  0x00005555574d9058 in bool ParseModuleToStencilAndMaybeInstantiate<char16_t>(JSContext*, js::ErrorContext*, unsigned long, js::frontend::CompilationInput&, js::frontend::ScopeBindingCache*, JS::SourceText<char16_t>&, mozilla::Variant<mozilla::UniquePtr<js::frontend::ExtensibleCompilationStencil, JS::DeletePolicy<js::frontend::ExtensibleCompilationStencil> >, RefPtr<js::frontend::CompilationStencil>, js::frontend::CompilationGCOutput*>&) ()
#2  0x00005555574a3241 in js::frontend::CompileModule(JSContext*, js::ErrorContext*, unsigned long, JS::ReadOnlyCompileOptions const&, JS::SourceText<char16_t>&) ()
#3  0x0000555556bd7aed in ParseModule(JSContext*, unsigned int, JS::Value*) ()
#4  0x0000164ece0d5393 in ?? ()
[...]
#7  0x0000000000000000 in ?? ()
rip	0x5555574d9604 <ModuleCompiler<char16_t>::compile(JSContext*, js::ErrorContext*)+612>
=> 0x5555574d9604 <_ZN14ModuleCompilerIDsE7compileEP9JSContextPN2js12ErrorContextE+612>:	movl   $0x31d,0x0
   0x5555574d960f <_ZN14ModuleCompilerIDsE7compileEP9JSContextPN2js12ErrorContextE+623>:	callq  0x555556c3b370 <abort>
Attached file Testcase
Severity: -- → S3
Flags: needinfo?(bthrall)
Priority: -- → P2
Blocks: stencil-nav
Flags: needinfo?(bthrall)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221011093208-5cbd3d92a78c.
The bug appears to have been introduced in the following build range:

Start: 50157da10bda15d65de462d77d9e0b0538bf54cb (20220928073715)
End: 0ac06d10a688469f9dee764c08fd1f3b18240544 (20220928074337)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=50157da10bda15d65de462d77d9e0b0538bf54cb&tochange=0ac06d10a688469f9dee764c08fd1f3b18240544

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

This is caused by an OOM while reporting a warning; the problem is just being exposed by a call to hadErrors() instead of cx->isExceptionPending(), so it is a duplicate of 1794288.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon