Closed Bug 1934366 Opened 3 months ago Closed 2 months ago

Assertion failure: bi.kind() == BindingKind::Let || bi.kind() == BindingKind::Const (bad var scope BindingKind), at frontend/Parser.cpp:1438

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
135 Branch
Tracking Flags:
Tracking Status
firefox-esr128 --- unaffected
firefox133 --- unaffected
firefox134 --- disabled
firefox135 --- verified

People

(Reporter: decoder, Assigned: debadree333)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

Detailed Crash Information
3.34 KB, text/plain
Details
Testcase
159 bytes, text/plain
Details
Bug 1934366 - Handle using bindings in var scope in parser. r?arai
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20241129-ed73389dc144 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --enable-explicit-resource-management):

var C80 = class {
  static async * #method({C80 = 0}) { 
    using x95 = 'object';
  } 
  static get method() {
    return this.#method;
  }
};
C80.method({});

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555577a71a9 in js::frontend::ParserBase::newVarScopeData(js::frontend::ParseContext::Scope&) ()
#1  0x000055555773266d in js::frontend::PerHandlerParser<js::frontend::FullParseHandler>::finishFunction(bool) ()
#2  0x0000555557730486 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionFormalParametersAndBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionNode**, js::frontend::FunctionSyntaxKind, mozilla::Maybe<unsigned int> const&, bool) ()
#3  0x00005555577a15ee in js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::standaloneLazyFunction(js::frontend::CompilationInput&, unsigned int, bool, js::GeneratorKind, js::FunctionAsyncKind) ()
#4  0x00005555577f212a in bool CompileLazyFunctionToStencilMaybeInstantiate<mozilla::Utf8Unit>(JSContext*, js::FrontendContext*, js::LifoAlloc&, js::frontend::CompilationInput&, js::frontend::ScopeBindingCache*, mozilla::Utf8Unit const*, unsigned long, mozilla::Variant<RefPtr<js::frontend::CompilationStencil>, js::frontend::CompilationGCOutput*>&) ()
#5  0x00005555577b51af in js::frontend::DelazifyCanonicalScriptedFunction(JSContext*, js::FrontendContext*, JS::Handle<JSFunction*>) ()
#6  0x00005555571f0489 in JSFunction::delazifyLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) ()
#7  0x0000555556e8f219 in JSFunction::getOrCreateScript(JSContext*, JS::Handle<JSFunction*>) ()
#8  0x00005555571f02fa in JSFunction::delazifyLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) ()
#9  0x0000555556e8f219 in JSFunction::getOrCreateScript(JSContext*, JS::Handle<JSFunction*>) ()
#10 0x0000555556fdb97c in js::Interpret(JSContext*, js::RunState&) ()
[...]
#19 0x0000555556e2e4db in main ()
rax	0x5555558121f4	93824995107316
rbx	0xfb3f7	1029111
rcx	0x5555588ab1e0	93825046065632
rdx	0x1	1
rsi	0x0	0
rdi	0x7ffff7bef7d0	140737349875664
rbp	0x7fffffffb850	140737488336976
rsp	0x7fffffffb740	140737488336704
r8	0x0	0
r9	0x3	3
r10	0x0	0
r11	0x0	0
r12	0x7fffffffb760	140737488336736
r13	0xc131	49457
r14	0x7fffffffcc08	140737488342024
r15	0xe4eef	937711
rip	0x5555577a71a9 <js::frontend::ParserBase::newVarScopeData(js::frontend::ParseContext::Scope&)+873>
=> 0x5555577a71a9 <_ZN2js8frontend10ParserBase15newVarScopeDataERNS0_12ParseContext5ScopeE+873>:	movl   $0x59e,0x0
   0x5555577a71b4 <_ZN2js8frontend10ParserBase15newVarScopeDataERNS0_12ParseContext5ScopeE+884>:	callq  0x555556ec97b0 <abort>
Attached file Testcase

Verified bug as reproducible on mozilla-central 20241201095257-4df19decbcec.
The bug appears to have been introduced in the following build range:

Start: c1acf137ed794e8b553c1f40512d21090d1a9b7c (20241114072145)
End: e299ddd844812c1cd97440fd74eb94e0736fbbe9 (20241114100954)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c1acf137ed794e8b553c1f40512d21090d1a9b7c&tochange=e299ddd844812c1cd97440fd74eb94e0736fbbe9

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Debadree, it looks like this is related to explicit resource management. Can you take a look?

Flags: needinfo?(debadree333)
Regressed by: 1927195

Yes indeed I am taking a look will req a little bit of time but working on it!

Flags: needinfo?(debadree333)

Set release status flags based on info from the regressing bug 1927195

status-firefox133: --- → unaffected
status-firefox134: --- → affected
status-firefox-esr128: --- → unaffected
Assignee: nobody → debadree333
Status: NEW → ASSIGNED
Pushed by arai_a@mac.com: https://hg.mozilla.org/integration/autoland/rev/dd58b64efaf2 Handle using bindings in var scope in parser. r=arai

https://hg.mozilla.org/mozilla-central/rev/dd58b64efaf2

Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 135 Branch
Regressions: 1935105

The patch landed in nightly and beta is affected.
:debadree333, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval. Also, don't forget to request an uplift for the patches in the regression caused by this fix.
  • If no, please set status-firefox134 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(debadree333)

Verified bug as fixed on rev mozilla-central 20241203162108-d140333670bc.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox135: fixedverified
Keywords: bugmon

Wouldn't firefox134 be unaffected? since this syntax is disabled? and the entire code is behind nightly flag?

Flags: needinfo?(debadree333)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: