Closed Bug 1934211 Opened 2 months ago Closed 2 months ago

Assertion failure: declList->isKind(ParseNodeKind::LetDecl) (var declarations without initializers handled above, and const declarations must have initializers), at frontend/BytecodeEmitter.cpp:4218

Categories

(Core :: JavaScript Engine, defect, P3)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
135 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox133 --- unaffected
firefox134 --- disabled
firefox135 --- fixed

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20241129-ed73389dc144 (debug build, run with --fuzzing-safe --enable-explicit-resource-management):

for (using x;;) {}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555577cf238 in js::frontend::BytecodeEmitter::emitSingleDeclaration(js::frontend::ListNode*, js::frontend::NameNode*, js::frontend::ParseNode*) ()
#1  0x00005555577cea48 in js::frontend::BytecodeEmitter::emitDeclarationList(js::frontend::ListNode*) ()
#2  0x00005555577c1489 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#3  0x00005555577d5e32 in js::frontend::BytecodeEmitter::emitCStyleFor(js::frontend::ForNode*, js::frontend::EmitterScope const*) ()
#4  0x00005555577d3092 in js::frontend::BytecodeEmitter::emitLexicalScope(js::frontend::LexicalScopeNode*) ()
#5  0x00005555577c1dc4 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#6  0x00005555577d8e0f in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) ()
#7  0x00005555577c1c68 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#8  0x00005555577c59d2 in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) ()
#9  0x00005555577ef979 in ScriptCompiler<mozilla::Utf8Unit>::compile(JSContext*, js::frontend::SharedContext*) ()
[...]
#16 0x0000555556e378ec in Shell(JSContext*, js::cli::OptionParser*) ()
#17 0x0000555556e2e4db in main ()
rip	0x5555577cf238 <js::frontend::BytecodeEmitter::emitSingleDeclaration(js::frontend::ListNode*, js::frontend::NameNode*, js::frontend::ParseNode*)+1048>
=> 0x5555577cf238 <_ZN2js8frontend15BytecodeEmitter21emitSingleDeclarationEPNS0_8ListNodeEPNS0_8NameNodeEPNS0_9ParseNodeE+1048>:	movl   $0x107a,0x0
   0x5555577cf243 <_ZN2js8frontend15BytecodeEmitter21emitSingleDeclarationEPNS0_8ListNodeEPNS0_8NameNodeEPNS0_9ParseNodeE+1059>:	callq  0x555556ec97b0 <abort>

Found with "manual fuzzing" ;)

Attached file Testcase
Blocks: 1569081

Verified bug as reproducible on mozilla-central 20241129154020-b8a69414f282.
The bug appears to have been introduced in the following build range:

Start: c1acf137ed794e8b553c1f40512d21090d1a9b7c (20241114072145)
End: e299ddd844812c1cd97440fd74eb94e0736fbbe9 (20241114100954)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c1acf137ed794e8b553c1f40512d21090d1a9b7c&tochange=e299ddd844812c1cd97440fd74eb94e0736fbbe9

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Oh wow this was super fast!

Working on this!

Severity: -- → S3
Priority: -- → P3

This is fixed now due to https://bugzilla.mozilla.org/show_bug.cgi?id=1935283. The issue here was the same: we were not SyntaxError-ing on using decls without a binding list, which is fixed, and on latest central this gives:

 0:00.46 /Users/debadreechatterjee/Documents/personal/mozilla-unified/obj-debug-js-aarch64-apple-darwin24.1.0/dist/bin/js --enable-explicit-resource-management test.js
test.js:1:12 SyntaxError: missing = in using declaration:
test.js:1:12 for (using x;;) {}
test.js:1:12 ...........^

Hence closing this as resolved! Hope that's ok!

Thank you!

Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
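As an added illustration, and not SpiderMonkey's own code, here is a small Python model of the parser-side check that the fix restores: a `const` or `using` binding in a for head must carry an initializer, and rejecting it at parse time is what keeps the emitter's assertion above from ever being reached. Function and variable names are hypothetical, and the tokenizer only covers what the testcase needs.

```python
import re

# Constructed model, not SpiderMonkey code. Which declaration kinds may omit the
# initializer on a plain identifier binding: var/let may, const/using must not.
INITIALIZER_OPTIONAL = {"var": True, "let": True, "const": False, "using": False}
TOKEN_RE = re.compile(r"\s*([A-Za-z_$][\w$]*|\d+|[=,;(){}])")

def tokenize(src):
    # Minimal tokenizer: identifiers, integers and the punctuation we need.
    pos, out = 0, []
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise SyntaxError(f"unexpected character at offset {pos}")
        out.append(m.group(1))
        pos = m.end()
    return out

def parse_for_head_declaration(src):
    """Parse 'for (<kind> x [= init][, y ...];' enforcing the initializer rule in the
    parser. Returns (kind, [(name, init tokens or None), ...]); init has no nesting."""
    toks = tokenize(src)
    if toks[:2] != ["for", "("] or len(toks) < 4 or toks[2] not in INITIALIZER_OPTIONAL:
        raise SyntaxError("expected a declaration in for head")
    kind, i, bindings = toks[2], 3, []
    while i < len(toks):
        name, i, init = toks[i], i + 1, None
        if i < len(toks) and toks[i] == "=":
            start = i = i + 1
            while i < len(toks) and toks[i] not in (",", ";"):
                i += 1
            init = toks[start:i]
        if init is None and not INITIALIZER_OPTIONAL[kind]:
            # The check the fix adds for 'using'; the emitter must never see this case.
            raise SyntaxError(f"missing = in {kind} declaration")
        bindings.append((name, init))
        if i < len(toks) and toks[i] == ";":
            return kind, bindings
        if i >= len(toks) or toks[i] != ",":
            raise SyntaxError("expected , or ; in for head")
        i += 1
    raise SyntaxError("unterminated for head")

def rejection_message(src):
    # Return the SyntaxError message for src, or None if the for head parses.
    try:
        parse_for_head_declaration(src)
        return None
    except SyntaxError as e:
        return str(e)
```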

Verified bug as fixed on rev mozilla-central 20241206092831-34cbc79fe32c.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Depends on: 1935283
Target Milestone: --- → 135 Branch
