Closed Bug 1203695 Opened 9 years ago Closed 9 years ago

Crash [@ GenerateLcovInfo] with shell-only function

Categories: Core :: JavaScript Engine
Type: defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla43
Tracking Status: firefox43 --- fixed
Reporter: decoder (Unassigned)
References: Blocks 1 open bug
Keywords: crash, regression, testcase
Whiteboard: [jsbugmon:update]
Attachments: 1 file
The following testcase crashes on mozilla-central revision dd2a1d737a64 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-eager --baseline-eager):

var lfcode = new Array();
lfcode.push = loadFile;
lfcode.push(")");
lfcode.push(`
assertThrowsInstanceOf(function () {}, TypeError);
var g = newGlobal();
`);
getLcovInfo(g);
function loadFile(lfVarx) {
  try {
    evaluate(lfVarx, { noScriptRval : true, compileAndGo : true });
  } catch (lfVare) {}
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
GenerateLcovInfo (cx=cx@entry=0x7ffff6907000, comp=<optimized out>, out=...) at js/src/jsopcode.cpp:2015
#0 GenerateLcovInfo (cx=cx@entry=0x7ffff6907000, comp=<optimized out>, out=...) at js/src/jsopcode.cpp:2015
#1 0x0000000000bc1ed5 in js::GetCodeCoverageSummary (cx=cx@entry=0x7ffff6907000, length=length@entry=0x7fffffffc6a0) at js/src/jsopcode.cpp:2247
#2 0x000000000060db61 in GetLcovInfo (cx=0x7ffff6907000, argc=<optimized out>, vp=0x7fffffffc928) at js/src/builtin/TestingFunctions.cpp:2748
#3 0x00000000006cf452 in js::CallJSNative (cx=0x7ffff6907000, native=0x60d9d0 <GetLcovInfo(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#4 0x00000000006bfcd0 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:763
#5 0x00000000006c1c5d in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffcdd8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:818
#6 0x000000000090e54a in js::jit::DoCallFallback (cx=0x7ffff6907000, frame=0x7fffffffce18, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcdc8, res=...) at js/src/jit/BaselineIC.cpp:9363
#7 0x00007ffff7feeedf in ?? ()
#8 0x0000000000000000 in ?? ()

rax 0x0 0
rbx 0x7ffff7e62300 140737352442624
rcx 0x2 2
rdx 0x1 1
rsi 0xe30a6c 14879340
rdi 0x7ffff461303e 140737293398078
rbp 0x7fffffffc5f0 140737488340464
rsp 0x7fffffffbf10 140737488338704
r8 0x0 0
r9 0x7ffff6a00218 140737331069464
r10 0x7ffff6a00120 140737331069216
r11 0x7ffff46001f8 140737293320696
r12 0x7fffffffc010 140737488338960
r13 0x0 0
r14 0x0 0
r15 0x7ffff6907000 140737330049024
rip 0xbc1449 <GenerateLcovInfo(JSContext*, JSCompartment*, js::GenericPrinter&)+2265>
=> 0xbc1449 <GenerateLcovInfo(JSContext*, JSCompartment*, js::GenericPrinter&)+2265>: movzbl (%rax),%eax
   0xbc144c <GenerateLcovInfo(JSContext*, JSCompartment*, js::GenericPrinter&)+2268>: test %al,%al
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150828162149" and the hash "dc527a84746753b31b862f748f8f4c977a35db3d".
The "bad" changeset has the timestamp "20150828163447" and the hash "70a4840a6680e14e9bbbaa8d84e06bf9c6da4650".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dc527a84746753b31b862f748f8f4c977a35db3d&tochange=70a4840a6680e14e9bbbaa8d84e06bf9c6da4650
The problem comes from the fact that we do allocate the JSScript before throwing because of a SyntaxError, which happens when we evaluate ")" as some code. Thus when we iterate over the zone to find the top-level JSScript, these scripts also match and we end up serializing the source notes associated with these invalid scripts. This patch fixes this issue by checking that we do have some bytecode associated with the JSScript. Is there a proper way to do that?
Attachment #8660790 - Flags: review?(bhackett1024)
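The failure mode described in the comment above is a generic one: an object is allocated, its initialization is aborted part-way (here by a SyntaxError during compilation), and a later walk over all live objects of that type dereferences a field that was never filled in (the `movzbl (%rax),%eax` with `rax == 0` in the backtrace is exactly such a null read). The following C++ sketch is an added illustration of the fix's shape, not SpiderMonkey code: `Script`, `Zone`, `generateLcovInfo` and `makeSampleZone` are hypothetical stand-ins for JSScript, the zone iteration and the LCOV generator, and the sample zone is constructed to mirror the testcase (one script whose parse failed, one that compiled).

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical stand-in for a JSScript. `code` is nullptr when compilation
// was aborted (e.g. by a SyntaxError) after the script object was allocated.
struct Script {
    std::string filename;
    const std::vector<uint8_t> *code;   // nullptr == no bytecode attached
    bool topLevel;
    bool hasBytecode() const { return code != nullptr; }
};

// Hypothetical "zone": every script object still reachable by an iterator,
// including the half-initialized ones.
struct Zone {
    std::vector<Script> scripts;
};

// Hardened generator. Walks top-level scripts and appends one LCOV record per
// script to `out`; returns the number of records emitted.
size_t generateLcovInfo(const Zone &zone, std::string &out) {
    size_t emitted = 0;
    for (const Script &s : zone.scripts) {
        if (!s.topLevel)
            continue;
        // The check the patch adds: a script that was allocated but whose
        // compilation threw has no bytecode, so touching s.code would be a
        // null dereference. Skip it instead of serializing it.
        if (!s.hasBytecode())
            continue;
        out += "SF:" + s.filename + "\n";
        out += "DA:1," + std::to_string(s.code->size()) + "\n";
        out += "end_of_record\n";
        ++emitted;
    }
    return emitted;
}

// Constructed sample data resembling the testcase: ")" fails to parse and
// leaves a script without bytecode; the second snippet compiles normally.
Zone makeSampleZone() {
    static const std::vector<uint8_t> compiled = {0x01, 0x02, 0x03};
    Zone z;
    z.scripts.push_back({"syntax-error.js", nullptr, true});
    z.scripts.push_back({"ok.js", &compiled, true});
    return z;
}

// Small wrappers so the behaviour can be checked without a driver program.
size_t sampleEmittedCount() {
    std::string out;
    return generateLcovInfo(makeSampleZone(), out);
}

bool sampleSkipsBrokenScript() {
    std::string out;
    generateLcovInfo(makeSampleZone(), out);
    return out.find("syntax-error.js") == std::string::npos &&
           out.find("SF:ok.js") != std::string::npos;
}
```

Without the `hasBytecode()` guard, the loop would reach `s.code->size()` for the first script and crash in the same way as the reported backtrace; with it, only the compiled script is serialized.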
Comment on attachment 8660790 [details] [diff] [review]
GenerateLcovInfo: Check if the JSScript have associated bytecode before spewing their content.

Review of attachment 8660790 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsopcode.cpp
@@ +2112,5 @@
>         continue;
> 
> +        // If we evaluate some code which contains a syntax error, then we
> +        // might produce a JSScript which has no associated bytecode. This
> +        // line filter out these kind of scripts.

filters out this kind
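Review bot: the quoted context ends at the new comment and does not show the condition the comment documents, so from this hunk alone it is not visible which JSScript field is tested to decide that a script has no bytecode; the full patch should be checked for that condition, and for whether the ")" testcase from this bug is added as a regression test so the null dereference in GenerateLcovInfo cannot silently return.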
Attachment #8660790 - Flags: review?(bhackett1024) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43