Bug 1848244 (Closed, RESOLVED FIXED)
Assertion failure: isMemberExpression || isCallExpression (Unknown ParseNodeKind for OptionalChain) at frontend/BytecodeEmitter.cpp:8495
Opened 2 years ago; closed 2 years ago
Categories: Core :: JavaScript Engine, defect, P3
Target Milestone: 120 Branch
| Tracking | Status |
|---|---|
| firefox120 | fixed |
People: Reporter: lukas.bernhard, Assigned: bthrall
References: Blocks 1 open bug
Attachments: 1 file
Steps to reproduce:
On git commit 77dd6aa3810610949a5ff925e24de2f8c11377fd the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js
function main() {
(0 ? 0 : -1n)?.g;
}
main();
#0 js::frontend::BytecodeEmitter::emitOptionalTree (this=this@entry=0x7fffffffbd58,
pn=0x7ffff66d8208, oe=..., valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue)
at js/src/frontend/BytecodeEmitter.cpp:8494
#1 0x0000555557a15eb0 in js::frontend::BytecodeEmitter::emitOptionalDotExpression (
this=0x7fffffffbd58, prop=0x7ffff66d82a8, poe=..., isSuper=false, oe=...)
at js/src/frontend/BytecodeEmitter.cpp:8570
#2 0x0000555557a136d5 in js::frontend::BytecodeEmitter::emitOptionalTree (
this=this@entry=0x7fffffffbd58, pn=pn@entry=0x7ffff66d82a8, oe=...,
valueUsage=valueUsage@entry=js::frontend::ValueUsage::IgnoreValue)
at js/src/frontend/BytecodeEmitter.cpp:8414
#3 0x0000555557a18a71 in js::frontend::BytecodeEmitter::emitOptionalChain (
this=this@entry=0x7fffffffbd58, optionalChain=<optimized out>,
valueUsage=valueUsage@entry=js::frontend::ValueUsage::IgnoreValue)
at js/src/frontend/BytecodeEmitter.cpp:8538
#4 0x00005555579fb854 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbd58,
pn=pn@entry=0x7ffff66d82e0, valueUsage=valueUsage@entry=js::frontend::ValueUsage::IgnoreValue,
emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE)
at js/src/frontend/BytecodeEmitter.cpp:12049
#5 0x0000555557a11b7e in js::frontend::BytecodeEmitter::emitExpressionStatement (
this=this@entry=0x7fffffffbd58, exprStmt=0x7ffff66d8310)
at js/src/frontend/BytecodeEmitter.cpp:6934
#6 0x00005555579fb693 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbd58,
pn=pn@entry=0x7ffff66d8310, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue,
emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE)
at js/src/frontend/BytecodeEmitter.cpp:11879
#7 0x0000555557a119bf in js::frontend::BytecodeEmitter::emitStatementList (
this=this@entry=0x7fffffffbd58, stmtList=<optimized out>)
at js/src/frontend/BytecodeEmitter.cpp:6879
#8 0x00005555579fb884 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbd58,
pn=pn@entry=0x7ffff66d8128, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue,
emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE)
at js/src/frontend/BytecodeEmitter.cpp:11870
#9 0x0000555557a0bff9 in js::frontend::BytecodeEmitter::emitLexicalScope (
this=this@entry=0x7fffffffbd58, lexicalScope=<optimized out>)
at js/src/frontend/BytecodeEmitter.cpp:4941
#10 0x00005555579fb5e9 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbd58,
pn=0x7ffff66d8340, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue,
emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE)
at js/src/frontend/BytecodeEmitter.cpp:12134
#11 0x0000555557a00d9f in js::frontend::BytecodeEmitter::emitFunctionScript (
this=this@entry=0x7fffffffbd58, funNode=funNode@entry=0x7ffff66d8020)
at js/src/frontend/BytecodeEmitter.cpp:2513
#12 0x0000555557a225d7 in CompileLazyFunctionToStencilMaybeInstantiate<mozilla::Utf8Unit> (
maybeCx=maybeCx@entry=0x7ffff662e100, fc=fc@entry=0x7fffffffcc00, tempLifoAlloc=..., input=...,
scopeCache=scopeCache@entry=0x7ffff662d340, units=0x7ffff5532a57, length=28, output=...)
at js/src/frontend/BytecodeCompiler.cpp:1454
#13 0x00005555579f04b3 in DelazifyCanonicalScriptedFunctionImpl<mozilla::Utf8Unit> (
cx=0x7ffff662e100, fc=0x7fffffffcc00, scopeCache=0x7ffff662d340, fun=..., lazy=...,
ss=0x7ffff66974a0) at js/src/frontend/BytecodeCompiler.cpp:1582
#14 js::frontend::DelazifyCanonicalScriptedFunction (cx=<optimized out>, cx@entry=0x7ffff662e100,
fc=fc@entry=0x7fffffffcc00, fun=fun@entry=...)
at js/src/frontend/BytecodeCompiler.cpp:1602
#15 0x00005555573c9905 in JSFunction::delazifyLazilyInterpretedFunction (cx=0x7ffff662e100, fun=...)
at js/src/vm/JSFunction.cpp:1096
#16 0x0000555557104ec6 in JSFunction::getOrCreateScript (cx=0x7ffff662e100, fun=...)
at js/src/vm/JSFunction.h:420
#17 0x00005555573c977f in JSFunction::delazifyLazilyInterpretedFunction (cx=0x7ffff662e100, fun=...)
at js/src/vm/JSFunction.cpp:1083
#18 0x0000555557104ec6 in JSFunction::getOrCreateScript (cx=0x7ffff662e100, fun=...)
at js/src/vm/JSFunction.h:420
#19 0x00005555571af3d9 in js::Interpret (cx=0x7ffff79f8a20 <_IO_stdfile_2_lock>, state=...)
at js/src/vm/Interpreter.cpp:3408
#20 0x000055555719ee49 in MaybeEnterInterpreterTrampoline (cx=0x7ffff79f8a20 <_IO_stdfile_2_lock>,
cx@entry=0x7ffff662e100, state=...) at js/src/vm/Interpreter.cpp:400
#21 0x000055555719eaff in js::RunScript (cx=cx@entry=0x7ffff662e100, state=...)
at js/src/vm/Interpreter.cpp:458
#22 0x00005555571a1d5b in js::ExecuteKernel (cx=cx@entry=0x7ffff662e100, script=script@entry=...,
envChainArg=envChainArg@entry=..., evalInFrame=evalInFrame@entry=..., result=...)
at js/src/vm/Interpreter.cpp:845
#23 0x00005555571a21d0 in js::Execute (cx=cx@entry=0x7ffff662e100, script=..., envChain=...,
rval=rval@entry=...) at js/src/vm/Interpreter.cpp:877
#24 0x0000555557304942 in ExecuteScript (cx=cx@entry=0x7ffff662e100, envChain=..., script=...,
rval=rval@entry=...) at js/src/vm/CompilationAndEvaluation.cpp:493
#25 0x0000555557304b7c in JS_ExecuteScript (cx=cx@entry=0x7ffff662e100, scriptArg=scriptArg@entry=...)
at js/src/vm/CompilationAndEvaluation.cpp:517
#26 0x00005555570e0956 in RunFile (cx=0x7ffff662e100, filename=<optimized out>, file=<optimized out>,
compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=<optimized out>)
at js/src/shell/js.cpp:1099
#27 0x00005555570dfe4d in Process (cx=cx@entry=0x7ffff662e100, filename=0x0,
forceTTY=<optimized out>, kind=kind@entry=FileScript)
at js/src/shell/js.cpp:1679
#28 0x000055555709b38e in ProcessArgs (cx=0x7ffff662e100, op=0x7fffffffdcd8)
at js/src/shell/js.cpp:10736
#29 Shell (cx=0x7ffff662e100, op=op@entry=0x7fffffffdcd8)
at js/src/shell/js.cpp:10960
Updated 2 years ago (Reporter)
Updated 2 years ago:
Severity: -- → S3
Flags: needinfo?(bthrall)
Priority: -- → P3
Updated 2 years ago (Assignee):
Assignee: nobody → bthrall
Flags: needinfo?(bthrall)
Comment 1 (Assignee, 2 years ago):
One alternative to wrapping the expression in parentheses to get back to a
MemberExpression is to check if folding results in a disallowed expression (not
a MemberExpression or CallExpression), and restoring the unfolded expression if
so. Wrapping in parentheses lets us keep the folding optimization, so it seems
better.
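As an added illustration (not code from the bug, its attachment or the SpiderMonkey patch), the JavaScript below shows why the folded base of the optional chain must keep its parentheses: once the constant folder turns `(0 ? 0 : -1n)` into `-1n`, dropping the parentheses would make `(-1n)?.g` read as `-(1n?.g)`, a different expression with a different value. The cases also cover a literal base, a null base that short-circuits, and the optional call form, so they run in any engine and double as a regression check for the shapes folding can produce.

```javascript
// Added example: semantics of optional chains whose parenthesised base a
// constant folder could simplify into a non-member node (unary, literal, null).

// Evaluate each case in a fresh Function so that a parse failure in the
// engine surfaces as a thrown error instead of aborting the whole run.
function evalCase(src) {
  return Function("return (" + src + ");")();
}

// Constructed inputs; the first is the reporter's crash input verbatim.
const CASES = {
  // Folds to (-1n)?.g: a property read on the BigInt primitive -1n.
  reporter: "(0 ? 0 : -1n)?.g",
  // Same tokens without parentheses: parses as -(1n?.g), i.e. -undefined.
  unparenthesised: "-1n?.g",
  // Base folds to the number literal 1; toFixed lives on Number.prototype.
  literalBase: "typeof (true ? 1 : 2)?.toFixed",
  // Base folds to null; the chain must short-circuit to undefined.
  nullBase: "(false ? 0 : null)?.g",
  // Optional call with the same folded base as the crash input.
  callForm: "(0 ? 0 : -1n)?.toString()",
};

// Returns an object mapping each case name to its evaluated value.
function runOptionalChainCases() {
  const out = {};
  for (const [name, src] of Object.entries(CASES)) {
    out[name] = evalCase(src);
  }
  return out;
}
```

The `reporter` and `unparenthesised` cases differ only in the parentheses, yet evaluate to `undefined` and `NaN` respectively, which is exactly the information the folder must not discard.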
Updated 2 years ago:
Attachment #9351099 description: Bug 1848244 - Restore MemberExpression in OptionalDotExpr after folding r=mgaudet → Bug 1848244 - Maintain parentheses in OptionalDotExpr after folding r=mgaudet
Comment 3 (Assignee, 2 years ago):
:anba, do you have some time to review my updated patch?
Flags: needinfo?(andrebargull)
Updated 2 years ago:
Flags: needinfo?(andrebargull)
Pushed by bthrall@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/85e1b1bbb39d
Maintain parentheses in OptionalDotExpr after folding r=arai,anba
Comment 5 (bugherder, 2 years ago):
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox120:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch