Assertion failure: !exprBody, at jsfun.cpp

RESOLVED FIXED in mozilla25

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 4 years ago

People: Reporter: gkw; Assigned: jorendorff

Tracking: Blocks: 1 bug; Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla25
Platform: x86_64 Mac OS X
Bug Flags: in-testsuite +
Firefox Tracking Flags: firefox24 affected

Details: Whiteboard: [jsbugmon:update]

Attachments: 4 attachments

Description (Reporter, 5 years ago)

Created attachment 765207 (stack)

disassemble("-r", Function("()=>e,d"))

asserts js debug shell on m-c changeset 8ea92aeab783 without any CLI arguments at Assertion failure: !exprBody, at jsfun.cpp
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/bf3ce88c6ea3
user:        Jason Orendorff
date:        Sun Mar 17 20:42:36 2013 -0700
summary:     Bug 846406 - Implement arrow functions. r=bhackett. Changes to Y.js r=brendan.

This iteration took 11.746 seconds to run.
Comment 2 (Reporter, 5 years ago)

jorendorff, is bug 846406 a possible regressor?
Blocks: 846406
Flags: needinfo?(jorendorff)
Comment 3 (Assignee, 5 years ago)

Yes.
Assignee: general → jorendorff
Flags: needinfo?(jorendorff)
Comment 4 (Assignee, 5 years ago)

Created attachment 765474 (patch v1, for review)

This is a cute bug.

disassemble() is special because it calls FunctionToString on the function ()=>e, nested within the other function. I don't think anything else can get a reference to that nested function to stringify it.

FunctionToString contains some code that determines whether the function being stringified was created with the Function() constructor, and that code was correct pre-arrows. Arrows broke it. The fuzzer found the amazingly specific bug.
Attachment #765474 - Flags: review?(ejpbruel)
Comment 5 (Assignee, 5 years ago)

Eddy, Jim, is it important to get this into FF24? The new Debugger.Source stuff never calls FunctionToString, does it?

Comment 6 (5 years ago)

No, we only ask for substrings of the ScriptSource object directly; we don't deal with functions much.
Comment on attachment 765474 (patch v1)

Review of attachment 765474:
-----------------------------------------------------------------

Stealing

::: js/src/jsfun.cpp
@@ +632,4 @@
>          // The source data for functions created by calling the Function
> +        // constructor is only the function's body.  This depends on the fact,
> +        // asserted below, that in Function("function x() {}"), the inner
> +        // function's sourceStart points to the '(', not the 'f'.
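Review bot: the new comment says the invariant it relies on is "asserted below", but the assertion is outside this hunk's context, and the comment says nothing about how arrow functions fit that invariant even though comment 4 states that arrows are what broke the Function()-constructor detection here. Name the assertion (or move it directly under this comment) and add one sentence on the arrow case, so the next reader can check the dependency without reconstructing this bug.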

Nit: s/f/x/ here, or s/x/f/ above
Attachment #765474 - Flags: review?(ejpbruel) → review+
https://hg.mozilla.org/mozilla-central/rev/bcc823a6bca8
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Comment 9 (Reporter, 5 years ago)

This had previously landed on inbound in:

http://hg.mozilla.org/integration/mozilla-inbound/rev/bcc823a6bca8
Created attachment 795557 ([crash-signature] Machine-readable crash signature)
status-firefox24: --- → affected
Created attachment 800047 ([crash-signature] Machine-readable crash signature)
Comment 12 (Assignee, 4 years ago)

Christian, this isn't still happening, is it?

We're not going to backport this fix unless it would help you.
(In reply to Jason Orendorff [:jorendorff] from comment #12)
> Christian, this isn't still happening, is it?

Just on beta :)

> We're not going to backport this fix unless it would help you.

No, that's fine. I am just marking this as "affected" on beta and attaching a signature, so the fuzzer knows that this bug still affects beta and can be ignored.