Closed Bug 1263355 Opened 9 years ago Closed 8 years ago

Rewrite the frontend: bindings

Categories: Core :: JavaScript Engine, defect
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED FIXED
Target milestone: mozilla51
Tracking status: firefox51 --- fixed
People

(Reporter: shu, Assigned: shu)

References

(Blocks 1 open bug)

Attachments (8 files, 19 obsolete files; attachment contents deleted)

- patch; n.nethercote: review+
- patch; Waldo: review+
- patch; jorendorff: review+, Waldo: review+
- text/plain
- patch; decoder: feedback+
- patch; Waldo: review+
- patch; jorendorff: review+
- application/pdf
Deficit spending doesn't extend to software engineering. It is time to rewrite the frontend. This bug is phase 1: bindings.

The broad strokes of the idea are:

- Remove use-def analysis from the Parser and only note what names are declared and used in each scope. Concretely, things like isDefn() and isUse() on ParseNodes are going away. Lexical dependencies are going away. Body-level names and block-level names will be treated uniformly.
- During BCE, right before we start emitting a scope, the sets of names the Parser tracked will be packed and StaticScope objects will be allocated. Aliased-ness and slots will be computed at this time. All name-to-slot resolution will be done using the static scope chain as the single source of truth.
- Both function and block scopes will use something like a packed Bindings structure as a record of all its bindings regardless of aliased-ness.
- Both functions and block scopes will have a Shape for the environment (if one is needed), which will contain only aliased names.

Details that I'm worried about and haven't thought about yet:

- How to retain some kind of simplified dominance analysis to skip emitting TDZ checks.
- Annex B synthesized scope weirdness.
Assignee: nobody → shu
Status: NEW → ASSIGNED
\o/ ! Will this also make syntax parsing faster, since we're moving work from the parser to BCE?
In Rust? \o/ (only half joking really)
(In reply to Jan de Mooij [:jandem] from comment #1)
> \o/ !
>
> Will this also make syntax parsing faster, since we're moving work from the
> parser to BCE?

Syntax parsing currently just bails if there are any block-scoped bindings. I'm not sure if this will make syntax parsing faster, but it should make it applicable to more scripts and more future-proof.
(In reply to Jan de Mooij [:jandem] from comment #1)
> Will this also make syntax parsing faster, since we're moving work from the
> parser to BCE?

Somewhat. |var| probably can be, but let/const bindings are unavoidably difficult to syntax-parse because their redeclaration is an early error. You *must* track scopes' bindings to implement that, using hash tables or complicated/slow data structures.

Bail on let/const, and you can not keep binding info *at all* during syntax-parsing -- faster for non-let/const-using code. But if you handle them, non-let/const code becomes slower. It's not clear we've made the wrong tradeoff here, while let/const are uncommon in the wild.

Simplifying all this should IMO make evaluating that tradeoff easier.

(In reply to Tom Schuster [:evilpie] from comment #2)
> In Rust? \o/ (only half joking really)

:-)

Responding to the half-serious part, I don't think we're at a point where critical new projects can consider Rust. It'd be nice to start using something in Rust, if the build system support is there (I don't believe it is yet). But something smaller, easier, not with major implications/interactions across the board.
(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #4)
> (In reply to Jan de Mooij [:jandem] from comment #1)
> > Will this also make syntax parsing faster, since we're moving work from the
> > parser to BCE?
>
> Somewhat. |var| probably can be, but let/const bindings are unavoidably
> difficult to syntax-parse because their redeclaration is an early error.
> You *must* track scopes' bindings to implement that, using hash tables or
> complicated/slow data structures.
>
> Bail on let/const, and you can not keep binding info *at all* during
> syntax-parsing -- faster for non-let/const-using code. But if you handle
> them, non-let/const code becomes slower. It's not clear we've made the
> wrong tradeoff here, while let/const are uncommon in the wild.
>
> Simplifying all this should IMO make evaluating that tradeoff easier.

The future will be more likely than not full of lets and consts. I don't think there's a tradeoff: we'll have to syntax parse lets and consts.
Eventually. Right now, tracking bindings info for let/const, versus just aborting early, probably wins on the web.
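The two-phase plan in comment 0 (Parser records only which names each scope declares and uses; the emitter later packs bindings, decides aliased-ness and resolves every name through the static scope chain) and Waldo's point in comment 4 that let/const redeclaration is an early error that forces binding tracking, as one added example. This is not code from the bug or from SpiderMonkey: `Scope`, the location records, the slot and hops numbering and the sample program are this example's own constructs, chosen to mirror the ideas in the thread rather than the real Parser or BytecodeEmitter data structures. The `inner` function's own name binding and Annex B function-in-block hoisting are left out on purpose.

```javascript
// Added example, not SpiderMonkey code: toy model of comment 0's two-phase
// binding analysis and of the let/const redeclaration early error (comment 4).
class Scope {
  constructor(kind, enclosing, hasDirectEval = false) {
    this.kind = kind;                   // "function" or "block"
    this.enclosing = enclosing;         // static scope chain: the one source of truth
    this.hasDirectEval = hasDirectEval; // sloppy direct eval can reach any visible name
    this.declared = new Map();          // name -> "param" | "var" | "let" | "const"
    this.uses = new Set();              // names referenced directly in this scope
    this.aliased = new Set();           // set by analyzeAliasing()
    this.bindings = null;               // name -> location, set by packBindings()
    this.envSlotCount = 0;              // environment shape holds aliased names only
    this.nextFrameSlot = 0;
  }
  hasEnvironment() { return this.aliased.size > 0; }
}
const isLexical = (kind) => kind === "let" || kind === "const";

// Parser phase: record a declaration and raise the redeclaration early error.
// `var` hoists to the nearest function scope but must not pass a same-named
// lexical binding on the way; let/const conflict with anything already there.
function declare(scope, name, kind) {
  let target = scope;
  if (kind === "var") {
    for (let s = scope; ; s = s.enclosing) {
      if (isLexical(s.declared.get(name))) throw new SyntaxError(`redeclaration of ${name}`);
      if (s.kind === "function" || s.enclosing === null) { target = s; break; }
    }
  }
  const prev = target.declared.get(name);
  if (prev !== undefined && (isLexical(prev) || isLexical(kind))) {
    throw new SyntaxError(`redeclaration of ${name}`);
  }
  if (prev === undefined) target.declared.set(name, kind);
}
// Parser phase: only note the use; resolution is left to the emitter.
function use(scope, name) { scope.uses.add(name); }

// Emitter, step 1: a binding is aliased (needs an environment slot, not a stack
// slot) when a use reaches it across a function boundary or a direct eval sees it.
function analyzeAliasing(scopes) {
  for (const s of scopes) {
    for (const name of s.uses) {
      let crossedFunction = false;
      for (let t = s; t !== null; t = t.enclosing) {
        if (t.declared.has(name)) { if (crossedFunction) t.aliased.add(name); break; }
        if (t.kind === "function") crossedFunction = true;
      }
    }
    if (!s.hasDirectEval) continue;
    for (let t = s; t !== null; t = t.enclosing) for (const n of t.declared.keys()) t.aliased.add(n);
  }
}

// Emitter, step 2 (outer scopes first): every binding gets a record, but only
// aliased ones take an environment slot; the rest take frame slots numbered on
// from the enclosing block of the same function.
function packBindings(scope) {
  scope.bindings = new Map();
  scope.nextFrameSlot = scope.kind === "block" ? scope.enclosing.nextFrameSlot : 0;
  for (const [name, kind] of scope.declared) {
    const onEnv = scope.aliased.has(name);
    const slot = onEnv ? scope.envSlotCount++ : scope.nextFrameSlot++;
    scope.bindings.set(name, { kind, where: onEnv ? "environment" : "frame", slot });
  }
}

// Emitter, step 3: resolve a name by walking the static scope chain only;
// `hops` counts the environment objects the runtime lookup must skip.
function lookupName(scope, name) {
  let hops = 0, sawEval = false;
  for (let s = scope; s !== null; s = s.enclosing) {
    const b = s.bindings.get(name);
    if (b !== undefined) {
      return b.where === "environment" ? { kind: "environment", hops, slot: b.slot }
                                       : { kind: "frame", slot: b.slot };
    }
    if (s.hasDirectEval) sawEval = true;
    if (s.hasEnvironment()) hops++;
  }
  return { kind: sawEval ? "dynamic" : "global" }; // eval may add a var at runtime
}

// Constructed input modelled on this source (the `inner` name binding and
// Annex B function-in-block hoisting are deliberately not modelled):
//   function f(a, b) { var x = 1; let y = 2;
//     { let z = 3; function inner() { return a + z; } }
//     return x + y + b + print; }
function analyzeExample(withDirectEval = false) {
  const f = new Scope("function", null, withDirectEval);
  for (const p of ["a", "b"]) declare(f, p, "param");
  declare(f, "x", "var");
  declare(f, "y", "let");
  const block = new Scope("block", f);
  declare(block, "z", "let");
  const inner = new Scope("function", block);
  for (const n of ["a", "z"]) use(inner, n);
  for (const n of ["x", "y", "b", "print"]) use(f, n);
  const scopes = [f, block, inner];        // creation order, outer first
  analyzeAliasing(scopes);
  scopes.forEach(packBindings);
  return { f, block, inner };
}
```

Running `analyzeExample()` gives `a` and `z` environment slots (each is read from `inner`, so the closure needs them on an environment object), leaves `b`, `x` and `y` on frame slots, and resolves `print` as a global. With `analyzeExample(true)` a direct eval in `f` turns every binding of `f` into an environment slot and makes the unresolved `print` a dynamic lookup, which is the cost the design pays for eval: the static analysis can no longer prove anything about names an eval can reach. The redeclaration check happens in the parser phase, which is exactly the bookkeeping comment 4 says a syntax parser cannot skip for let/const.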
Attached patch snapshot (obsolete) (deleted)
This totally doesn't work and is about half done. Just doing a dump here so there's something to show for progress.
Attached patch snapshot.patch (obsolete) (deleted)
Update snapshot.
Attachment #8753643 - Attachment is obsolete: true
No longer blocks: 1276469
Depends on: 1276469
Blocks: 1276469
No longer depends on: 1276469
Blocks: 1175174
Blocks: 1233767
Blocks: 1282976
No longer blocks: es6
Blocks: 1284719
Blocks: 1285068
Blocks: 1285710
As discussed I started looking into performance issues a bit. One thing I noticed is that several Sunspider tests are slower, for tofte at least that's because we now emit JSOP_IMPLICITTHIS for calls inside certain evals. See the micro-benchmark below.

Emitting JSOP_UNDEFINED instead "fixes" this. The old code only emitted this op inside |with| I think.

function g() {};
function f() {
    var x = 0;
    var t = new Date;
    eval("for (var i=0; i<10000000; i++) { g(); }");
    print(new Date - t);
}
f();
Flags: needinfo?(shu)
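The semantics behind the observation above, as an added example that is not part of the bug or of SpiderMonkey: an unqualified call picks up an implicit this-value only when the callee is found on a `with` object; everywhere else, including a call inside a direct eval as in the micro-benchmark, the this-value starts out undefined and a sloppy-mode callee boxes it to the global object. The callee bodies are built with the Function constructor (an assumption of this example) so they stay sloppy even when the file itself is loaded as strict module code, where `with` would be a SyntaxError.

```javascript
// Added example, not from the bug or SpiderMonkey. The callee bodies are built
// with the Function constructor so they stay sloppy even if this file is loaded
// as strict module code (`with` is a SyntaxError in strict code).
const whoAmI = new Function("return this;");

// Unqualified call whose callee is found on a `with` object: the this-value is
// that object. This is the case JSOP_IMPLICITTHIS exists for.
function callThroughWith(obj) {
  const run = new Function("obj", "with (obj) { return whoAmI(); }");
  return run(obj);
}

// Unqualified call resolved through ordinary (non-object) environments: the
// this-value starts as undefined, which a sloppy callee boxes to the global.
// Pushing undefined (JSOP_UNDEFINED) is enough; no object environment is involved.
function callPlain(fn) {
  const run = new Function("fn", "return fn();");
  return run(fn);
}

// Same shape as the micro-benchmark: the call sits inside a direct eval in a
// function, but `fn` still resolves through a declarative environment, so
// there is no implicit this-value to pick up either.
function callInsideEval(fn) {
  const run = new Function("fn", "return eval('fn()');");
  return run(fn);
}

function demo() {
  const obj = { whoAmI };   // constructed with-object holding the callee
  return {
    viaWith: callThroughWith(obj) === obj,
    plainIsGlobal: callPlain(whoAmI) === globalThis,
    evalIsGlobal: callInsideEval(whoAmI) === globalThis,
  };
}
```

If the callee were strict, the plain and eval cases would see `undefined` instead of the global object; that is the boxing rule of sloppy functions, not a difference in what the caller pushed. Only the `with` case depends on the environment the name was resolved through.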
Blocks: 755099
(In reply to Jan de Mooij [:jandem] from comment #9)
> As discussed I started looking into performance issues a bit. One thing I
> noticed is that several Sunspider tests are slower, for tofte at least
> that's because we now emit JSOP_IMPLICITTHIS for calls inside certain evals.
> See the micro-benchmark below.
>
> Emitting JSOP_UNDEFINED instead "fixes" this. The old code only emitted this
> op inside |with| I think.
>
> function g() {};
> function f() {
>     var x = 0;
>     var t = new Date;
>     eval("for (var i=0; i<10000000; i++) { g(); }");
>     print(new Date - t);
> }
> f();

Good catch, fixed in the branch.
Flags: needinfo?(shu)
Here are the current performance numbers off of [1], where scope numbering and a single hash table is used to track name uses instead of stacks-of-hash tables to try to unregress octane-codeload. It got about a 1500 point win on octane-codeload, but there is still about a 6% regression from tip. I reckon the scope numbering needs to be extended to tracking declared names as well to get more wins. I'll devote a day or two to this when I get back from Europe, but no more.

There are still a small number of correctness bugs left in js-tests, then it's off to the fuzzers and try builds.

[1] https://github.com/syg/gecko-dev/tree/purgatio-scope-numbering2

SunSpider (means and 95% confidence intervals):

                      REWRITE               MASTER
Total:                242.2ms +/- 2.7%      246.7ms +/- 2.1%
3d:                   33.3ms +/- 5.9%       33.0ms +/- 5.0%
  cube:               12.5ms +/- 5.6%       12.4ms +/- 3.0%
  morph:              5.4ms +/- 9.3%        5.5ms +/- 9.2%
  raytrace:           15.4ms +/- 12.2%      15.1ms +/- 10.3%
access:               16.4ms +/- 9.0%       17.0ms +/- 14.8%
  binary-trees:       3.1ms +/- 13.1%       2.9ms +/- 18.2%
  fannkuch:           7.0ms +/- 15.2%       7.3ms +/- 16.0%
  nbody:              3.4ms +/- 17.7%       3.8ms +/- 17.3%
  nsieve:             2.9ms +/- 18.2%       3.0ms +/- 25.1%
bitops:               13.1ms +/- 11.6%      12.5ms +/- 12.1%
  3bit-bits-in-byte:  1.5ms +/- 33.7%       1.3ms +/- 26.6%
  bits-in-byte:       3.3ms +/- 20.5%       2.8ms +/- 16.1%
  bitwise-and:        3.1ms +/- 13.1%       2.6ms +/- 29.5%
  nsieve-bits:        5.2ms +/- 8.7%        5.8ms +/- 14.0%
controlflow:          3.1ms +/- 20.2%       3.4ms +/- 10.9%
  recursive:          3.1ms +/- 20.2%       3.4ms +/- 10.9%
crypto:               23.8ms +/- 10.1%      23.5ms +/- 7.5%
  aes:                15.5ms +/- 13.6%      15.5ms +/- 10.9%
  md5:                4.1ms +/- 5.5%        4.1ms +/- 5.5%
  sha1:               4.2ms +/- 22.4%       3.9ms +/- 10.4%
date:                 27.0ms +/- 9.6%       28.7ms +/- 5.6%
  format-tofte:       12.2ms +/- 12.3%      15.3ms +/- 9.1%
  format-xparb:       14.8ms +/- 10.4%      13.4ms +/- 6.3%
math:                 16.1ms +/- 6.8%       17.3ms +/- 9.9%
  cordic:             2.9ms +/- 14.0%       2.8ms +/- 16.1%
  partial-sums:       10.5ms +/- 9.2%       12.0ms +/- 12.9%
  spectral-norm:      2.7ms +/- 17.9%       2.5ms +/- 15.1%
regexp:               15.1ms +/- 9.6%       15.5ms +/- 9.5%
  dna:                15.1ms +/- 9.6%       15.5ms +/- 9.5%
string:               94.3ms +/- 3.5%       95.8ms +/- 2.7%
  base64:             6.6ms +/- 13.7%       6.3ms +/- 5.5%
  fasta:              8.3ms +/- 15.2%       8.7ms +/- 17.3%
  tagcloud:           27.2ms +/- 5.1%       26.4ms +/- 4.3%
  unpack-code:        40.9ms +/- 3.1%       41.3ms +/- 3.2%
  validate-input:     11.3ms +/- 11.9%      13.1ms +/- 19.0%

Octane (version 9):

                      REWRITE   MASTER
Richards:             30391     30109
DeltaBlue:            58210     60610
Crypto:               27168     27334
RayTrace:             102932    101970
EarleyBoyer:          28736     29028
RegExp:               3705      3773
Splay:                17046     16820
SplayLatency:         19404     20231
NavierStokes:         34987     35022
Mandreel:             27330     28557
MandreelLatency:      37483     35356
Gameboy:              44424     44690
CodeLoad:             16406     17172
Box2D:                54436     52332
zlib:                 76907     77453
Typescript:           26957     27117
Score:                30333     30516
Blocks: 1288459
Blocks: 1288460
Blocks: 1289918
I fixed the octane regressions:

Richards: 30215
DeltaBlue: 61761
Crypto: 28094
RayTrace: 101304
EarleyBoyer: 29862
RegExp: 3720
Splay: 16355
SplayLatency: 18863
NavierStokes: 35284
Mandreel: 29160
MandreelLatency: 39565
Gameboy: 46391
CodeLoad: 17654
Box2D: 48016
zlib: 77453
Typescript: 25932
----
Score (version 9): 30581
Blocks: 1287344
Attached patch 0001-PVGARTIO.patch (obsolete) (deleted)
This is unreviewable, but read what you can, I suppose. jorendorff, Waldo, efaust, and mrrrgn for the frontend stuff. jorendorff and Waldo for the VM stuff. terrence for the new GC kind and GC changes.
Attachment #8776227 - Flags: review?(winter2718)
Attachment #8776227 - Flags: review?(terrence)
Attachment #8776227 - Flags: review?(jwalden+bmo)
Attachment #8776227 - Flags: review?(jorendorff)
Attachment #8776227 - Flags: review?(efaustbmo)
Attachment #8762245 - Attachment is obsolete: true
Attached patch Rewrite the frontend: bindings. (obsolete) (deleted)
Spelled purgatio wrong, also accidentally committed a TODO file.
Attachment #8776230 - Flags: review?(winter2718)
Attachment #8776230 - Flags: review?(terrence)
Attachment #8776230 - Flags: review?(jwalden+bmo)
Attachment #8776230 - Flags: review?(jorendorff)
Attachment #8776230 - Flags: review?(efaustbmo)
Attachment #8776227 - Attachment is obsolete: true
Attachment #8776227 - Flags: review?(winter2718)
Attachment #8776227 - Flags: review?(terrence)
Attachment #8776227 - Flags: review?(jwalden+bmo)
Attachment #8776227 - Flags: review?(jorendorff)
Attachment #8776227 - Flags: review?(efaustbmo)
Comment on attachment 8776230 [details] [diff] [review]
Rewrite the frontend: bindings.

Review of attachment 8776230 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/public/GCHashTable.h
@@ +236,5 @@
> namespace JS {
>
> // A GCHashSet is a HashSet with an additional trace method that knows
> // be traced to be kept alive will generally want to use this GCHashSet
> +// specialization in lieu of HashSet.

Heh. Thanks!

::: js/src/jsgc.cpp
@@ +279,5 @@
> #define EXPAND_THING_SIZE(allocKind, traceKind, type, sizedType) \
> sizeof(sizedType),
> FOR_EACH_ALLOCKIND(EXPAND_THING_SIZE)
> #undef EXPAND_THING_SIZE
> +};

D'oh!

::: js/src/vm/HelperThreads.cpp
@@ -264,5 @@
> ScriptParseTask::parse()
> {
> SourceBufferHolder srcBuf(chars, length, SourceBufferHolder::NoOwnership);
> -
> - // ! WARNING WARNING WARNING !

Wow.
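Review bot: in the js/src/jsgc.cpp hunk, the `+};` only closes the initializer that FOR_EACH_ALLOCKIND(EXPAND_THING_SIZE) expands into; nothing visible ties the table's length to the number of alloc kinds, so a static_assert on the array's element count next to this initializer would turn a missing or extra entry (this patch adds a new GC kind, per comment 13) into a compile error instead of a runtime surprise.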
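Review bot: in the js/src/vm/HelperThreads.cpp hunk, removing `- // ! WARNING WARNING WARNING !` from ScriptParseTask::parse() drops the only visible trace of whatever hazard that comment guarded, and the rest of the warning is not in the quoted context; either the commit message should say why the hazard no longer applies after the rewrite, or the explanation should move next to wherever the constraint now lives, so a later change to this function does not reintroduce it.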
Attachment #8776230 - Flags: review?(terrence) → review+
Attached patch Report memory metrics for Scopes. (deleted)
Attachment #8777200 - Flags: review?(n.nethercote)
Comment on attachment 8777200 [details] [diff] [review] Report memory metrics for Scopes. Review of attachment 8777200 [details] [diff] [review]: ----------------------------------------------------------------- All looks good except for one thing. In JSReporter::CollectReports() you are missing a REPORT_BYTES call for rtStats.zTotals.unusedGCThings.scope. Do you get an assertion when you run the memory reporter? I tried to make the assertions so tight that you couldn't fail to add one of the various REPORT calls without getting a failure. (BTW, I found that missing case by grepping for all occurrences of \<objectGroup\> and \<objectGroupsGCHeap\> and \<objectGroupsMallocHeap\> and making sure you had corresponding code for scopes. That was the only missing case I found, but it wouldn't hurt for you to double-check it yourself.)
Attachment #8777200 - Flags: review?(n.nethercote) → review+
Depends on: 1291569
(In reply to Nicholas Nethercote [:njn] from comment #17)
> Comment on attachment 8777200 [details] [diff] [review]
> Report memory metrics for Scopes.
>
> Review of attachment 8777200 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> All looks good except for one thing. In JSReporter::CollectReports() you are
> missing a REPORT_BYTES call for rtStats.zTotals.unusedGCThings.scope. Do you
> get an assertion when you run the memory reporter? I tried to make the
> assertions so tight that you couldn't fail to add one of the various REPORT
> calls without getting a failure.

I did not get an assertion when dumping memory without the REPORT_BYTES.
Depends on: 1291854
Attached patch Rollup for fuzzing (obsolete) (deleted)
Please fuzz.
Attachment #8777702 - Flags: feedback?(gary)
Attachment #8777702 - Flags: feedback?(choller)
(In reply to Shu-yu Guo [:shu] from comment #19)
> Created attachment 8777702 [details] [diff] [review]
> Rollup for fuzzing
>
> Please fuzz.

Should apply on top of changeset 1576e7bc1bec.
Comment on attachment 8777702 [details] [diff] [review]
Rollup for fuzzing

(function() {
  "use asm";
  function f() {
    try {} catch (e) {}
    try {} catch (e) {}
  }
  return f
})()

$ ./js-dbg-64-dm-clang-intlDisabled-darwin-1263355-c19-mc-1576e7bc1bec-3d118bd9c426-1576e7bc1bec --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js
Assertion failure: p && p->value()->kind() == DeclarationKind::SimpleCatchParameter, at /Users/skywalker/trees/mozilla-central/js/src/frontend/Parser.cpp:226

Full configuration command with needed environment variables is:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --without-intl-api --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Attachment #8777702 - Flags: feedback?(gary) → feedback-
for (let b in [0]) { let b = b ? 0 : 1 }

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:
Assertion failure: script->isDerivedClassConstructor(), at vm/Interpreter.cpp:3361

eval(); try {} catch (abc) {};

Run with --fuzzing-safe --no-threads --no-baseline --no-ion -D:
Assertion failure: isAllocAllowed(), at gc/Allocator.cpp:201
Please also rebase to m-c tip again when these issues are fixed, assuming the fix for fuzzblocker bug 1291887 lands on m-c. Thanks!
f = ([a = class b extends b {}, b] = [void 0]) => {};
f()

Assertion failure: *scopeForUsedNamesStack_ == overrideScope_, at /home/andre/hg/mozilla-central/js/src/frontend/Parser.h:274

function f(a = (eval("var b"))) {}
f()

Assertion failure: cx->interpreterRegs().pc == frame.script()->code(), at /home/andre/hg/mozilla-central/js/src/vm/EnvironmentObject.cpp:272

new class extends Object { constructor(a = (()=>{delete super[super()]})()) { } }

Hit MOZ_CRASH(unexpected env chain for GetSuperEnvFunction) at /home/andre/hg/mozilla-central/js/src/vm/Interpreter.cpp:1513
(new class extends Array {constructor(a=()=>eval("super()")){ var f = ()=>super(); f() }})(0)

Assertion failure: loc.environmentCoordinate().hops() == 0, at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:3058
let a; for(let {a = new class extends Array { constructor(){super(a)} }} of [[]]) { }

Assertion failure: loc.kind() == NameLocation::Kind::Dynamic, at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:3970

let a; for(let {a = new class extends Array { constructor(){super[a]} }} of [[]]) { }

Assertion failure: sc->thisBinding() == ThisBinding::Function, at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:6831

let a; for(let {a = new class extends Array { constructor(b = (a = eval("()=>super()"))){} }} of [[]]) { }

Assertion failure: hasDefaultsScope, at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:8471
function f(m, k = class C extends Array { }, p = m()) { }
f()

Assertion failure: !parser->usedNames.hasUse(hasUseExactlyInScope), at /home/andre/hg/mozilla-central/js/src/frontend/Parser.cpp:194
> function f(a = (eval("var b"))) {}
> f()

I'll look at this today.
I'll take a look at as many of the classes related bugs as I can.
Thanks anba :)
(In reply to Shu-yu Guo [:shu] from comment #30)
> Thanks anba :)

\o/

function assertNotSame(expected, actual, message = "") { }
function g3(h = () => arguments) {
  function arguments() { }
  assertNotSame(arguments, h());
}
g3();

Assertion failure: !script()->functionNonDelazifying()->needsDefaultsEnvironment(), at /home/andre/hg/mozilla-central/js/src/jit/IonBuilder.cpp:2154

syntaxParse(`
  if (scriptArgs.length === 0) { }
  var file = scriptArgs[0];
`);

Assertion failure: collection_, at /home/andre/hg/mozilla-central/js/src/frontend/NameCollections.h:312
Andre, that's a nice fuzzer you're using to find all these!
// jsfunfuzz-generated
gczeal(9);
for (var i in function(){});
s = newGlobal();
aa = f();
function f(x) { evalcx(x, s) }
function h(x) { f(x) }
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/resumption-05.js
h("\
var g = newGlobal();\
g.debuggeeGlobal = this;\
g.eval(\"(\" + function() {\
  var dbg = Debugger(debuggeeGlobal);\
  dbg.onDebuggerStatement = function(frame) {\
    frame.eval(\"f\")\
  }\
} + \")()\");\
debugger;\
");
z;

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:
Assertion failure: false (IsAboutToBeFinalized(&scope_)), at vm/EnvironmentObject.cpp:1231
Comment on attachment 8777702 [details] [diff] [review] Rollup for fuzzing I'm clearing the feedback request here until the issues already found have been fixed. Shu, can you please feedback? me again once you have a new patch for testing? Thanks!
Attachment #8777702 - Flags: feedback?(choller)
function g() {
  for (var j = 0; j < 999; ++j) {
    try { k } catch (e) { try { r } catch (e) {} }
  }
}
function h(code) {
  try { f = Function(code) } catch (r) {};
  try { f() } catch (r) {}
  eval("")
}
h("m=function(){};g(m,[,])")
h("=")
h("=")
h("=")
h("startgc(1,'shrinking')")
h("gcparam(\"maxBytes\",gcparam(\"gcBytes\")+4);for(r;;i++){}")

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:
Crash [@ JSScript::isForEval]
// Adapted from randomly chosen test: js/src/jit-test/tests/parser/yield-in-formal-destructuring.js
function f({ [e]: {} }) {}

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:
Assertion failure: funbox->hasDefaultsScope && funbox->defaultsScopeBindings(), at js/src/frontend/BytecodeEmitter.cpp:938
Attached patch Stop cloning LHS for for-in/of loops. (deleted)
One of anba's fuzz tests,

let a; for(let {a = new class extends Array { constructor(){super(a)} }} of [[]]) { }

is caused by the stupid LHS cloning of for-in/of targets. Since the default expression in the destructuring contains a function, the cloning didn't clone bindings correctly when cloning the FunctionBox. I think I removed all other uses of cloning except this one already, so this kills all cloning.
Attachment #8778618 - Flags: review?(jwalden+bmo)
Attached patch Rollup for fuzzing v2 (obsolete) (deleted)
Applies on top of m-c 763fe887c37c
Attachment #8777702 - Attachment is obsolete: true
Attachment #8778736 - Flags: feedback?(gary)
Attachment #8778736 - Flags: feedback?(choller)
This is an automated crash issue comment:

Summary: Assertion failure: NameIsOnEnvironment(si.scope(), name), at js/src/frontend/BytecodeEmitter.cpp:636
Build version: mozilla-central revision e78975b53563+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

let m = parseModule(`
var i = 0;
addThis();
function addThis() statusmessages[i] = Number;
`);
m.declarationInstantiation();
m.evaluation();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000cadf38 in js::frontend::BytecodeEmitter::EmitterScope::searchInEnclosingScope (name=name@entry=0x7fffef700a00, scope=<optimized out>, hops=hops@entry=0 '\000') at js/src/frontend/BytecodeEmitter.cpp:636
#0 0x0000000000cadf38 in js::frontend::BytecodeEmitter::EmitterScope::searchInEnclosingScope (name=name@entry=0x7fffef700a00, scope=<optimized out>, hops=hops@entry=0 '\000') at js/src/frontend/BytecodeEmitter.cpp:636
#1 0x0000000000cbc31e in js::frontend::BytecodeEmitter::EmitterScope::searchAndCache (this=this@entry=0x7fffffffbad0, bce=<optimized out>, bce@entry=0x7fffffffbe30, name=name@entry=0x7fffef700a00) at js/src/frontend/BytecodeEmitter.cpp:766
#2 0x0000000000ce4d0e in js::frontend::BytecodeEmitter::EmitterScope::lookup (this=0x7fffffffbad0, bce=bce@entry=0x7fffffffbe30, name=name@entry=0x7fffef700a00) at js/src/frontend/BytecodeEmitter.cpp:508
#3 0x0000000000ce69e7 in js::frontend::BytecodeEmitter::lookupName (name=<optimized out>, this=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:1523
#4 js::frontend::BytecodeEmitter::emitGetName (this=0x7fffffffbe30, name=0x7fffef700a00, callContext=<optimized out>) at js/src/frontend/BytecodeEmitter.h:534
#5 0x0000000000cc39c5 in js::frontend::BytecodeEmitter::emitGetName (callContext=false, pn=0x7ffff69a5138, this=0x7fffffffbe30) at js/src/frontend/BytecodeEmitter.cpp:3009
#6 js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbe30, pn=0x7ffff69a5138, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9135
#7 0x0000000000cc4633 in js::frontend::BytecodeEmitter::emitElemOperands (this=0x7fffffffbe30, pn=0x7ffff69a5168, opts=js::frontend::BytecodeEmitter::EmitElemOption::Get) at js/src/frontend/BytecodeEmitter.cpp:3400
#8 0x0000000000cd247b in js::frontend::BytecodeEmitter::emitAssignment (this=this@entry=0x7fffffffbe30, lhs=0x7ffff69a5168, op=JSOP_NOP, rhs=0x7ffff69a5198) at js/src/frontend/BytecodeEmitter.cpp:4851
#9 0x0000000000cc3810 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbe30, pn=0x7ffff69a51c8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8939
#10 0x0000000000cccb68 in js::frontend::BytecodeEmitter::emitReturn (this=0x7fffffffbe30, pn=0x7ffff69a51f8) at js/src/frontend/BytecodeEmitter.cpp:6964
#11 0x0000000000cc3e8b in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffbe30, pn=pn@entry=0x7ffff69a51f8, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8887
#12 0x0000000000cc9e23 in js::frontend::BytecodeEmitter::emitLexicalScopeBody (this=<optimized out>, body=body@entry=0x7ffff69a51f8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:5556
#13 0x0000000000cd427a in js::frontend::BytecodeEmitter::emitLexicalScope (this=this@entry=0x7fffffffbe30, pn=pn@entry=0x7ffff69a5228) at js/src/frontend/BytecodeEmitter.cpp:5570
#14 0x0000000000cc3fcb in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbe30, pn=pn@entry=0x7ffff69a5228, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9062
#15 0x0000000000cd18fb in js::frontend::BytecodeEmitter::emitFunctionBody (this=0x7fffffffbe30, funBody=0x7ffff69a5228) at js/src/frontend/BytecodeEmitter.cpp:8623
#16 0x0000000000cc30e2 in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody (this=this@entry=0x7fffffffbe30, pn=pn@entry=0x7ffff69a50d8) at js/src/frontend/BytecodeEmitter.cpp:8485
#17 0x0000000000cc3cbb in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbe30, pn=pn@entry=0x7ffff69a50d8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8822
#18 0x0000000000cc50e2 in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7fffffffbe30, body=0x7ffff69a50d8) at js/src/frontend/BytecodeEmitter.cpp:4156
#19 0x0000000000cc78d1 in js::frontend::CompileLazyFunction (cx=cx@entry=0x7ffff693f000, lazy=..., lazy@entry=..., chars=<optimized out>, length=<optimized out>) at js/src/frontend/BytecodeCompiler.cpp:674
#20 0x000000000090338c in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7ffff693f000, fun=fun@entry=...) at js/src/jsfun.cpp:1505
#21 0x00000000004647d4 in JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/jsfun.h:397
#22 0x0000000000acb1de in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:2919
#23 0x0000000000ad6c35 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#24 0x0000000000adf601 in js::ExecuteKernel (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffef307140) at js/src/vm/Interpreter.cpp:681
#25 0x0000000000adfa48 in js::Execute (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x7fffef307140) at js/src/vm/Interpreter.cpp:714
#26 0x0000000000c1babf in js::ModuleObject::evaluate (cx=cx@entry=0x7ffff693f000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:915
#27 0x0000000000b2fc64 in intrinsic_EvaluateModule (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=0x7fffef307140) at js/src/vm/SelfHosting.cpp:2201
#28 0x0000000000ae6a4b in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0xb2fbd0 <intrinsic_EvaluateModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#45 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7523
This is an automated crash issue comment:

Summary: Assertion failure: loc->kind() != NameLocation::Kind::FrameSlot, at js/src/frontend/BytecodeEmitter.cpp:773
Build version: mozilla-central revision e78975b53563+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

let m = parseModule(`
var expect = '';
var [ ... of ] = ( ... of ) => expect;
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000cbc62e in js::frontend::BytecodeEmitter::EmitterScope::searchAndCache (this=this@entry=0x7fffffffb950, bce=<optimized out>, bce@entry=0x7fffffffbc40, name=name@entry=0x7fffef791e20) at js/src/frontend/BytecodeEmitter.cpp:773
#0 0x0000000000cbc62e in js::frontend::BytecodeEmitter::EmitterScope::searchAndCache (this=this@entry=0x7fffffffb950, bce=<optimized out>, bce@entry=0x7fffffffbc40, name=name@entry=0x7fffef791e20) at js/src/frontend/BytecodeEmitter.cpp:773
#1 0x0000000000ce4d0e in js::frontend::BytecodeEmitter::EmitterScope::lookup (this=0x7fffffffb950, bce=bce@entry=0x7fffffffbc40, name=name@entry=0x7fffef791e20) at js/src/frontend/BytecodeEmitter.cpp:508
#2 0x0000000000ce69e7 in js::frontend::BytecodeEmitter::lookupName (name=<optimized out>, this=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:1523
#3 js::frontend::BytecodeEmitter::emitGetName (this=0x7fffffffbc40, name=0x7fffef791e20, callContext=<optimized out>) at js/src/frontend/BytecodeEmitter.h:534
#4 0x0000000000cc39c5 in js::frontend::BytecodeEmitter::emitGetName (callContext=false, pn=0x7ffff69a5318, this=0x7fffffffbc40) at js/src/frontend/BytecodeEmitter.cpp:3009
#5 js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbc40, pn=0x7ffff69a5318, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9135
#6 0x0000000000cccb68 in js::frontend::BytecodeEmitter::emitReturn (this=0x7fffffffbc40, pn=0x7ffff69a5348) at js/src/frontend/BytecodeEmitter.cpp:6964
#7 0x0000000000cc3e8b in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffbc40, pn=pn@entry=0x7ffff69a5348, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8887
#8 0x0000000000cc9e23 in js::frontend::BytecodeEmitter::emitLexicalScopeBody (this=<optimized out>, body=body@entry=0x7ffff69a5348, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:5556
#9 0x0000000000cd427a in js::frontend::BytecodeEmitter::emitLexicalScope (this=this@entry=0x7fffffffbc40, pn=pn@entry=0x7ffff69a5378) at js/src/frontend/BytecodeEmitter.cpp:5570
#10 0x0000000000cc3fcb in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbc40, pn=pn@entry=0x7ffff69a5378, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9062
#11 0x0000000000cd18fb in js::frontend::BytecodeEmitter::emitFunctionBody (this=0x7fffffffbc40, funBody=0x7ffff69a5378) at js/src/frontend/BytecodeEmitter.cpp:8623
#12 0x0000000000cc30e2 in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody (this=this@entry=0x7fffffffbc40, pn=pn@entry=0x7ffff69a52b8) at js/src/frontend/BytecodeEmitter.cpp:8485
#13 0x0000000000cc3cbb in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffbc40, pn=pn@entry=0x7ffff69a52b8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8822
#14 0x0000000000cc50e2 in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7fffffffbc40, body=0x7ffff69a52b8) at js/src/frontend/BytecodeEmitter.cpp:4156
#15 0x0000000000cc5c18 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0x7fffffffc508, pn=pn@entry=0x7ffff69a5200, needsProto=needsProto@entry=false) at js/src/frontend/BytecodeEmitter.cpp:6643
#16 0x0000000000cc38dd in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc508, pn=0x7ffff69a5200, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8817
#17 0x0000000000ccc8c4 in js::frontend::BytecodeEmitter::emitDeclarationList (this=this@entry=0x7fffffffc508, declList=declList@entry=0x7ffff69a5110) at js/src/frontend/BytecodeEmitter.cpp:4721
#18 0x0000000000cc37c3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc508, pn=pn@entry=0x7ffff69a5110, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9068
#19 0x0000000000ccd74e in js::frontend::BytecodeEmitter::emitStatementList (this=0x7fffffffc508, pn=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7234
#20 0x0000000000cc3a3b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc508, pn=pn@entry=0x7ffff69a5050, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8907
#21 0x0000000000cd70ad in js::frontend::BytecodeEmitter::emitScript (this=0x7fffffffc508, body=body@entry=0x7ffff69a5050) at js/src/frontend/BytecodeEmitter.cpp:4098
#22 0x0000000000cd8425 in BytecodeCompiler::compileModule (this=this@entry=0x7fffffffc940) at js/src/frontend/BytecodeCompiler.cpp:414
#23 0x0000000000cd897d in js::frontend::CompileModule (cx=cx@entry=0x7ffff693f000, optionsInput=..., srcBuf=..., alloc=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:602
#24 0x0000000000cd8b69 in js::frontend::CompileModule (cx=cx@entry=0x7ffff693f000, options=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:613
#25 0x0000000000453239 in ParseModule (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=0x7fffef307090) at js/src/shell/js.cpp:3610
#26 0x0000000000ae6a4b in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0x452f20 <ParseModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#39 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7523
Comment on attachment 8778736 [details] [diff] [review]
Rollup for fuzzing v2

Feedback- based on last comment. Unfortunately, these two crashes occur very frequently (> 2x per minute with only 2 machines), so I have to stop testing until they have been fixed. Please feedback? again with new patch once you have it. I'll be glad to give it another round of testing then :)
Attachment #8778736 - Flags: feedback?(choller) → feedback-
Depends on: 1293246
function f14(g = 0) { { function g() { return "g" } } }
f14();

Assertion failure: lhsLoc->bindingKind() == BindingKind::Var || lhsLoc->bindingKind() == BindingKind::FormalParameter, at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:6578
(function(p = null){ var q; (function() { q })(); })();

Assertion failure: this->is<T>(), at /home/andre/hg/mozilla-central/js/src/jsobj.h:562
{ function c() {} }
class c { }

Assertion failure: !pc->sc()->strict(), at /home/andre/hg/mozilla-central/js/src/frontend/Parser.cpp:155
Attached patch 0001-Bug-1263355-Rewrite-the-frontend-bindings.patch (obsolete) (deleted) — — Splinter Review
Round 3.
Attachment #8778736 - Attachment is obsolete: true
Attachment #8778736 - Flags: feedback?(gary)
Attachment #8779069 - Flags: feedback?(gary)
Attachment #8779069 - Flags: feedback?(choller)
Attached patch Rewrite the frontend: bindings. (obsolete) (deleted) — — Splinter Review
New version with fixes for fuzz tests incorporated.
Attachment #8779082 - Flags: review?(winter2718)
Attachment #8779082 - Flags: review?(jwalden+bmo)
Attachment #8779082 - Flags: review?(jorendorff)
Attachment #8779082 - Flags: review?(efaustbmo)
Attachment #8776230 - Attachment is obsolete: true
Attachment #8776230 - Flags: review?(winter2718)
Attachment #8776230 - Flags: review?(jwalden+bmo)
Attachment #8776230 - Flags: review?(jorendorff)
Attachment #8776230 - Flags: review?(efaustbmo)
Are we adding the found fuzzer test cases to the test suite?
Flags: needinfo?(shu)
(In reply to Shu-yu Guo [:shu] from comment #45)
> Created attachment 8779069 [details] [diff] [review]
> 0001-Bug-1263355-Rewrite-the-frontend-bindings.patch
>
> Round 3.

This applies to m-c rev e78975b53563.
Comment on attachment 8778618 [details] [diff] [review] Stop cloning LHS for for-in/of loops. Review of attachment 8778618 [details] [diff] [review]: ----------------------------------------------------------------- Hm, I guess this is totally doable now that we don't need a separate node to record the binding's existence, that can't be a definition. Woo! ::: js/src/frontend/BytecodeEmitter.cpp @@ +6338,5 @@ > int loopDepth = this->stackDepth; > #endif > > // Emit code to assign result.value to the iteration variable. > + if (!emit1(JSOP_DUP)) // ITER RESULT RESULT If the emitAssignment can't be so aligned, I would modify its alignment *only* -- or put the annotation on the return-line. Wouldn't bother realigning the entire function, it's not something we've done before for this sort of thing -- and we've aligned this stuff consistently across function bodies, believe it or not. ::: js/src/frontend/FullParseHandler.h @@ +580,5 @@ > ParseNode* newForHead(ParseNodeKind kind, ParseNode* pn1, ParseNode* pn2, ParseNode* pn3, > const TokenPos& pos) > { > MOZ_ASSERT(kind == PNK_FORIN || kind == PNK_FOROF || kind == PNK_FORHEAD); > + MOZ_ASSERT_IF(kind == PNK_FORIN || kind == PNK_FOROF, !pn2); With newForHead split in two per Parser.cpp comments, this assert doesn't need to exist because the argument can just be removed. ::: js/src/frontend/ParseNode.cpp @@ +356,2 @@ > // the for-loop (and null if not). The second child is the expression or > // pattern assigned every loop, and the third child is the expression This "second child" bit needs changing, and in the rest of the comment below. ::: js/src/frontend/ParseNode.h @@ +248,5 @@ > * pn_right: body > * PNK_COMPREHENSIONFOR pn_left: either PNK_FORIN or PNK_FOROF > * binary pn_right: body > + * PNK_FORIN ternary pn_kid1: declaration or expression to left of 'in' > + * pn_kid2: null At least file a bug to remove this mandatory-null kid in the future, please (same for PNK_FOROF). 
::: js/src/frontend/Parser.cpp @@ +5220,5 @@ > > // Parser::declaration consumed everything up to the closing ')'. That > // token follows an {Assignment,}Expression, so the next token must be > // consumed as if an operator continued the expression, i.e. as None. > modifier = TokenStream::None; Effectively at this point, outside the block we have MUST_MATCH_TOKEN(')') and then newForHead. Both the if-block and the else-block set |modifier| so the shared MMT has the right modifier. So we have two assignments and one MMT. But we could instead have two MMT directly using the |modifier| assignment RHS. This would be more compact, and because of the lack of indirection through a name, it would be more readable. And with that change made, we could have newForHead for for(;;) loops, and we could have newForInOfHead (accepting only two kids) for for(...in/of...) loops, and perform each in the proper block. This eliminates the confusion of the pn{1,2,3} names and having to share them between both blocks, which is a huge readability stumbling block. So please do all this while you're changing this.
Attachment #8778618 - Flags: review?(jwalden+bmo) → review+
(In reply to Ryan VanderMeulen [:RyanVM] from comment #47)
> Are we adding the found fuzzer test cases to the test suite?

Yes, I've been adding them to jit-tests as they pop up.
Flags: needinfo?(shu)
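The three parser and emitter test cases posted earlier in this bug, reshaped into jit-test style regression checks that pin down the binding semantics the rewrite has to preserve, rather than only checking that nothing asserts (an added example, not code from the bug or from the patch; the function names here are chosen for illustration):

```javascript
// Added example: regression checks derived from the fuzzer test cases in this
// bug. Each case returns a value so the expected semantics can be asserted.

// Case 1 (from `function f14(g = 0) { { function g() { return "g" } } }`):
// Annex B.3.3 function-in-block hoisting is skipped when a formal parameter
// has the same name, so the block-level `g` stays block-scoped and the body
// still sees the parameter's value.
function annexBParamShadow() {
  function f14(g = 0) {
    { function g() { return "g"; } }
    return g;
  }
  return f14();   // 0, not "g"
}

// Case 2 (from `(function(p = null){ var q; (function() { q })(); })();`):
// with a parameter default present, the body's `var q` lives in a separate
// var environment; an inner closure must still resolve `q` to that slot.
function closureOverBodyVar(arg) {
  return (function(p = null) {
    var q = (p === null) ? "default" : p;
    return (function() { return q; })();
  })(arg);
}

// Case 3 (from `{ function c() {} } class c { }`): a block-level function `c`
// next to a same-scope `class c`. The Annex B var-hoist would conflict with the
// lexical class binding, so it is skipped and no redeclaration error is
// raised; after the block, `c` is the class.
function blockFunctionBesideClass() {
  { function c() { return "block function"; } }
  class c { static kind() { return "class"; } }
  return c.kind();
}

// Contrast for case 1: the same shape without a parameter of the same name,
// where the Annex B hoist does fire. Built with the Function constructor so
// the body is sloppy-mode code even if this file is loaded as a strict module,
// since Annex B.3.3 only applies in sloppy mode.
function annexBHoistsWithoutParamConflict() {
  const f = new Function("h = 0", "{ function g() { return 'g'; } } return g();");
  return f();   // "g": g was hoisted into the function's var scope
}
```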
Attached patch Rollup for fuzzing v4 (obsolete) (deleted) — — Splinter Review
Applies on top of m-c 720b5d2c84d5
Attachment #8779153 - Flags: feedback?(gary)
Attachment #8779153 - Flags: feedback?(choller)
Attachment #8779069 - Attachment is obsolete: true
Attachment #8779069 - Flags: feedback?(gary)
Attachment #8779069 - Flags: feedback?(choller)
Comment on attachment 8779153 [details] [diff] [review]
Rollup for fuzzing v4

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/bug1272908.js
g = newGlobal();
g.parent = this;
g.eval("(" + function() {
  Debugger(parent).onExceptionUnwind = function(frame) frame.eval("")
} + ")()");
function ERROR(msg) {
  throw new Error("boom");
}
var dbg = new Debugger;
dbg.onNewGlobalObject = ERROR;
oomTest(function() {
  newGlobal();
})

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Assertion failure: !cx->isExceptionPending(), at js/src/vm/Debugger.cpp:2009
Attachment #8779153 - Flags: feedback?(gary) → feedback-
(function() {
  "use asm";
  var [] = 0;
})()

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Assertion failure: isKind(PNK_FUNCTION) || isKind(PNK_NAME), at js/src/frontend/ParseNode-inl.h:20
Attached patch Rollup for fuzzing v5 (obsolete) (deleted) — — Splinter Review
Still on top of m-c 720b5d2c84d5
Attachment #8779153 - Attachment is obsolete: true
Attachment #8779153 - Flags: feedback?(choller)
Attachment #8779243 - Flags: feedback?(gary)
Attachment #8779243 - Flags: feedback?(choller)
Comment on attachment 8779243 [details] [diff] [review]
Rollup for fuzzing v5

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Frame-onPop-error-scope-unwind-02.js
var g = newGlobal();
var dbg = new Debugger(g);
dbg.onEnterFrame = function(f) {
  (f.environment.getVariable("e") == 0);
};
g.eval("" + function f() {
  try {
    throw 42;
  } catch (e) {
    noSuchFn(e);
  }
});
g.eval("f();");

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Assertion failure: maybecx->isThrowingOutOfMemory(), at js/src/jscntxt.cpp:901
Attachment #8779243 - Flags: feedback?(gary) → feedback-
This is an automated crash issue comment:

Summary: Assertion failure: script->isDerivedClassConstructor(), at js/src/vm/Interpreter.cpp:3366
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

let m = parseModule(`
const root = newGlobal();
minorgc();
root.eval();
`);
m.declarationInstantiation();
m.evaluation();

Backtrace: received signal SIGSEGV, Segmentation fault.
This is an automated crash issue comment:

Summary: Assertion failure: lookupName(name).hasKnownSlot(), at js/src/frontend/BytecodeEmitter.cpp:4005
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

function TestFunction_4(get, b, [] = status, d, e) {
  var arguments = "FAIL";
}

Backtrace: received signal SIGSEGV, Segmentation fault.
This is an automated crash issue comment:

Summary: Assertion failure: kind_ != Kind::Dynamic, at js/src/frontend/NameAnalysisTypes.h:323
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

var lfLogBuffer = `
function testcase( [] = (function() { return x++; }), get, target, ... f1) {
  return function () { } ( ... 2 || (this) ? (yield) : (yield)) ;
}
`;
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
while (true) {
  var line = lfLogBuffer.shift();
  if (line == null) {
    break;
  } else {
    lfCodeBuffer += line + "\n";
  }
}
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(lfVarx) {
  eval(lfVarx);
}

Backtrace: received signal SIGSEGV, Segmentation fault.
This is an automated crash issue comment:

Summary: Assertion failure: is<T>(), at js/src/vm/Scope.h:222
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

let m = parseModule(`
gczeal(4,1);
class base {}
class derived extends base {}
`);
m.declarationInstantiation();
m.evaluation();

Backtrace: received signal SIGSEGV, Segmentation fault.
This is an automated crash issue comment:

Summary: Hit MOZ_CRASH(No binding) at js/src/jsopcode.cpp:1375
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

function test(a, b, c, d, e, {} = "zmi") {
  var r = 0
  r += Math.min(a, b, c, r.script.getLineOffsets(g.line0 + 3), e);
}
test();

Backtrace: received signal SIGSEGV, Segmentation fault.
This is an automated crash issue comment:

Summary: Assertion failure: v.isUndefined(), at js/src/jsnum.cpp:1607
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

let m = parseModule(`
try {
  var z = (gczeal(9));
} catch (z) {}
const HALF_COUNT = 7500;
for (var i = 0; i < HALF_COUNT; i++)
  var handler = { ownKeys(t) {} };
`);
m.declarationInstantiation();
m.evaluation();

Backtrace: received signal SIGSEGV, Segmentation fault.
This is an automated crash issue comment:

Summary: Assertion failure: !isExtensible() && v.isPrivateGCThing(), at js/src/vm/EnvironmentObject.h:427
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

const libdir = "/srv/repos/mozilla-central/js/src/jit-test/lib/";
load(libdir + "evalInFrame.js");
evalInFrame(1, "a = 43");
let a = 42;

Backtrace: received signal SIGSEGV, Segmentation fault.

This test requires evalInFrame.js from the tree to reproduce. I normally reduce these further manually by inlining the included library, but I guess in this case that would be unnecessary additional work.
for (var i = 0; i < 1; i++) {
  L: break;
}

Run with --fuzzing-safe --no-threads --ion-eager:

Assertion failure: found, at js/src/jit/IonBuilder.cpp:3002
This is an automated crash issue comment:

Summary: Assertion failure: !IsUninitializedLexical((activation.regs()).fp()->unaliasedLocal(i)), at js/src/vm/Interpreter.cpp:3387
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe min.js

Testcase:

let m = parseModule(`
gczeal(2);
let i8Array = new Int8Array(4);
let i8Iterator = i8Array[Symbol.iterator]();
i8Array = new Int8Array();
`);
m.declarationInstantiation();
m.evaluation();

Backtrace: received signal SIGSEGV, Segmentation fault.
This is an automated crash issue comment:

Summary: Assertion failure: data.s.payload.why == why, at jsshell-build/dist/include/js/Value.h:1212
Build version: mozilla-central revision 720b5d2c84d5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

const libdir = "/srv/repos/mozilla-central/js/src/jit-test/lib/";
let m = parseModule(`
load(libdir + "asserts.js");
const constructors = [
  Int8Array,
  Uint8Array,
  Uint8ClampedArray,
  Int16Array,
  Uint16Array,
  Int32Array,
  Uint32Array,
  Float32Array,
  Float64Array
];
for (var constructor of constructors) {
  for (var constructor2 of constructors) {
    var modifiedConstructor = new constructor(2);
    modifiedConstructor.constructor = constructor2;
    assertDeepEq(modifiedConstructor.slice(1), new constructor2(1));
  }
}
`);
m.declarationInstantiation();
m.evaluation();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000e169cc in JS::Value::isMagic (this=this@entry=0x7fffffffc240, why=why@entry=JS_OPTIMIZED_ARGUMENTS) at jsshell-build/dist/include/js/Value.h:1212
#0 0x0000000000e169cc in JS::Value::isMagic (this=this@entry=0x7fffffffc240, why=why@entry=JS_OPTIMIZED_ARGUMENTS) at jsshell-build/dist/include/js/Value.h:1212
#1 0x0000000000e5216d in JS::Value::isMagic (why=JS_OPTIMIZED_ARGUMENTS, this=<optimized out>) at js/src/vm/Interpreter-inl.h:510
#2 js::ValueOperations<JS::Handle<JS::Value> >::isMagic (why=JS_OPTIMIZED_ARGUMENTS, this=<synthetic pointer>) at jsshell-build/dist/include/js/Value.h:1771
#3 js::jit::DoGetElemFallback (cx=0x7ffff693f000, frame=0x7fffffffc298, stub_=<optimized out>, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:1540
#4 0x00007ffff7e3d76a in ?? ()
[...]
#26 0x0000000000000000 in ?? ()

Test requires a copy of jit-test's asserts.js library in the right place.
oomTest(function() {
  eval("\"use strict\";");
});

Run with --fuzzing-safe --no-threads --no-baseline --no-ion -D:

Assertion failure: this->is<T>(), at js/src/jsobj.h:562
Comment on attachment 8779243 [details] [diff] [review]
Rollup for fuzzing v5

I stopped testing for now because apparently, some of these issues might be dups of each other and I don't want to cause more noise. Please feedback? me again once a new patch is ready and I'll be glad to give it more testing :)
Attachment #8779243 - Flags: feedback?(choller) → feedback-
Attached patch Rollup for fuzzing v6 (obsolete) (deleted) — — Splinter Review
Applies on top of m-c 6cf0089510fa
Attachment #8779579 - Flags: feedback?(gary)
Attachment #8779579 - Flags: feedback?(choller)
Attachment #8779243 - Attachment is obsolete: true
@shu: Should I also report spec compliance bugs/regressions here, or do you want to tackle those later?
This is an automated crash issue comment:

Summary: Assertion failure: script->isDerivedClassConstructor(), at js/src/vm/Interpreter.cpp:3366
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

{
  for (var x = 0; i < 100; i++) a >>= i;
  let i = 1;
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000ad5ef8 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3366
#0 0x0000000000ad5ef8 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3366
#1 0x0000000000ad6f75 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#2 0x0000000000adfaaa in js::ExecuteKernel (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:681
#3 0x0000000000adfea8 in js::Execute (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:714
[...]
This is an automated crash issue comment:

Summary: Assertion failure: env_->is<GlobalObject>() || IsGlobalLexicalEnvironment(env_), at js/src/vm/EnvironmentObject.cpp:1261
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off --ion-eager

Testcase:

var g = newGlobal("same-compartment");
var dbg = new Debugger;
g.toggle = function toggle(d) {
  if (d) {
    dbg.addDebuggee(g);
    frame1.onPop = function() {
      onPopExecuted = setJitCompilerOption('offthread-compilation.enable', 0) >> toggle('#2: x = null; x ^= true; x === 1. Actual: ' + (getObjectMetadata)) + (this);
    };
  }
};
g.eval("" + function f(d) { toggle(d); });
g.eval("(" + function test() { for (var i = 0; i < 5; i++) f(false); f(true); } + ")();");

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000a2566c in js::EnvironmentIter::settle (this=this@entry=0x7fffffff9d50) at js/src/vm/EnvironmentObject.cpp:1261
#0 0x0000000000a2566c in js::EnvironmentIter::settle (this=this@entry=0x7fffffff9d50) at js/src/vm/EnvironmentObject.cpp:1261
#1 0x0000000000ab9fe1 in js::EnvironmentIter::operator++ (this=0x7fffffff9d50) at js/src/vm/EnvironmentObject.h:611
#2 js::UnwindAllEnvironmentsInFrame (cx=cx@entry=0x7ffff693f000, ei=...) at js/src/vm/Interpreter.cpp:1059
#3 0x00000000008118ab in js::jit::DebugEpilogue (cx=cx@entry=0x7ffff693f000, frame=frame@entry=0x7fffffffa4e8, pc=0x7fffef322756 "\232", ok=<optimized out>, ok@entry=false) at js/src/jit/VMFunctions.cpp:709
#4 0x00000000006d8b14 in js::jit::OnLeaveBaselineFrame (frameOk=false, rfe=0x7fffffffa478, pc=<optimized out>, frame=..., cx=0x7ffff693f000) at js/src/jit/JitFrames.cpp:463
#5 js::jit::HandleExceptionBaseline (pc=0x7fffef322756 "\232", rfe=<optimized out>, frame=..., cx=0x7ffff693f000) at js/src/jit/JitFrames.cpp:696
#6 js::jit::HandleException (rfe=<optimized out>) at js/src/jit/JitFrames.cpp:837
#7 0x00007ffff7e3b646 in ?? ()
#8 0x0000000000000000 in ?? ()
This is an automated crash issue comment:

Summary: Assertion failure: loc.environmentCoordinate().hops() == 0 || name == cx->names().dotThis, at js/src/frontend/BytecodeEmitter.cpp:3146
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

try {
  eval('"use strict"; var x = "a\\4";');
} catch (e) {
  var e = '';
  let arguments = parseFloat.int32(TypedObject.objectType);
  {}
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000ccb08e in js::frontend::BytecodeEmitter::emitSetOrInitializeNameAtLocation<js::frontend::BytecodeEmitter::emitSingleDeclaration(js::frontend::ParseNode*, js::frontend::ParseNode*, js::frontend::ParseNode*)::<lambda(js::frontend::BytecodeEmitter*, const js::frontend::NameLocation&, bool)> > (initialize=true, emitRhs=..., loc=..., name=..., this=0x7fffffffced8) at js/src/frontend/BytecodeEmitter.cpp:3145
#0 0x0000000000ccb08e in js::frontend::BytecodeEmitter::emitSetOrInitializeNameAtLocation<js::frontend::BytecodeEmitter::emitSingleDeclaration(js::frontend::ParseNode*, js::frontend::ParseNode*, js::frontend::ParseNode*)::<lambda(js::frontend::BytecodeEmitter*, const js::frontend::NameLocation&, bool)> > (initialize=true, emitRhs=..., loc=..., name=..., this=0x7fffffffced8) at js/src/frontend/BytecodeEmitter.cpp:3145
#1 js::frontend::BytecodeEmitter::emitSetOrInitializeName<js::frontend::BytecodeEmitter::emitSingleDeclaration(js::frontend::ParseNode*, js::frontend::ParseNode*, js::frontend::ParseNode*)::<lambda(js::frontend::BytecodeEmitter*, const js::frontend::NameLocation&, bool)> > (initialize=true, initialize=true, emitRhs=..., name=..., this=0x7fffffffced8) at js/src/frontend/BytecodeEmitter.h:545
#2 js::frontend::BytecodeEmitter::emitInitializeName<js::frontend::BytecodeEmitter::emitSingleDeclaration(js::frontend::ParseNode*, js::frontend::ParseNode*, js::frontend::ParseNode*)::<lambda(js::frontend::BytecodeEmitter*, const js::frontend::NameLocation&, bool)> > (emitRhs=..., name=..., this=0x7fffffffced8) at js/src/frontend/BytecodeEmitter.h:563
#3 js::frontend::BytecodeEmitter::emitInitializeName<js::frontend::BytecodeEmitter::emitSingleDeclaration(js::frontend::ParseNode*, js::frontend::ParseNode*, js::frontend::ParseNode*)::<lambda(js::frontend::BytecodeEmitter*, const js::frontend::NameLocation&, bool)> > (emitRhs=..., pn=<optimized out>, this=0x7fffffffced8) at js/src/frontend/BytecodeEmitter.h:559
#4 js::frontend::BytecodeEmitter::emitSingleDeclaration (this=0x7fffffffced8, declList=<optimized out>, decl=<optimized out>, initializer=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:4769
#5 0x0000000000cd1461 in js::frontend::BytecodeEmitter::emitDeclarationList (this=this@entry=0x7fffffffced8, declList=declList@entry=0x7ffff69a5200) at js/src/frontend/BytecodeEmitter.cpp:4741
#6 0x0000000000cc6593 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5200, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9094
#7 0x0000000000cd224e in js::frontend::BytecodeEmitter::emitStatementList (this=0x7fffffffced8, pn=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7256
#8 0x0000000000cc680b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a51d0, emitLineNote=js::frontend::BytecodeEmitter::SUPPRESS_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8933
#9 0x0000000000cccc23 in js::frontend::BytecodeEmitter::emitLexicalScopeBody (this=this@entry=0x7fffffffced8, body=body@entry=0x7ffff69a51d0, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::SUPPRESS_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:5566
#10 0x0000000000cd8d4b in js::frontend::BytecodeEmitter::emitLexicalScope (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5458) at js/src/frontend/BytecodeEmitter.cpp:5615
#11 0x0000000000cc6d9b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=0x7ffff69a5458, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9088
#12 0x0000000000cd1312 in js::frontend::BytecodeEmitter::emitCatch (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a54d0) at js/src/frontend/BytecodeEmitter.cpp:5243
#13 0x0000000000cc6ba3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a54d0, emitLineNote=js::frontend::BytecodeEmitter::SUPPRESS_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8903
#14 0x0000000000cccc23 in js::frontend::BytecodeEmitter::emitLexicalScopeBody (this=this@entry=0x7fffffffced8, body=body@entry=0x7ffff69a54d0, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::SUPPRESS_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:5566
#15 0x0000000000cd8d4b in js::frontend::BytecodeEmitter::emitLexicalScope (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a54a0) at js/src/frontend/BytecodeEmitter.cpp:5615
#16 0x0000000000cc6d9b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a54a0, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9088
#17 0x0000000000ccb303 in js::frontend::BytecodeEmitter::emitTry (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5500) at js/src/frontend/BytecodeEmitter.cpp:5344
[...]
#34 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7523
This is an automated crash issue comment:

Summary: Assertion failure: this->is<T>(), at js/src/vm/Scope.h:222
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

f = ([a = class target extends b {}, b] = [void 0]) => {};
f()

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000ab45c8 in js::Scope::as<js::LexicalScope> (this=<optimized out>) at js/src/vm/Scope.h:222
#0 0x0000000000ab45c8 in js::Scope::as<js::LexicalScope> (this=<optimized out>) at js/src/vm/Scope.h:222
#1 js::ReportRuntimeLexicalError (cx=0x7ffff693f000, errorNumber=71, script=..., pc=<optimized out>) at js/src/vm/Interpreter.cpp:4992
#2 0x0000000000ad4ecc in js::ReportUninitializedLexical (pc=<optimized out>, script=..., cx=<optimized out>) at js/src/vm/Interpreter-inl.h:111
#3 js::CheckUninitializedLexical (val=..., pc=<optimized out>, script=..., cx=<optimized out>) at js/src/vm/Interpreter-inl.h:129
#4 Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3292
#5 0x0000000000ad6f75 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#6 0x0000000000ad7228 in js::InternalCallOrConstruct (cx=0x7ffff693f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:472
#7 0x0000000000ad20c0 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:505
[...]
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7523
This is an automated crash issue comment:

Summary: Assertion failure: this->is<T>(), at js/src/vm/Scope.h:222
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

let m = parseModule(`
const count = 1024;
let s = "";
for (let i = 0; i < count; i++)
  s += "export let e" + ++count + " = " + (i * i) + ";\\n";
`);
m.declarationInstantiation();
m.evaluation();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000ab45c8 in js::Scope::as<js::LexicalScope> (this=<optimized out>) at js/src/vm/Scope.h:222
#0 0x0000000000ab45c8 in js::Scope::as<js::LexicalScope> (this=<optimized out>) at js/src/vm/Scope.h:222
#1 js::ReportRuntimeLexicalError (cx=0x7ffff693f000, errorNumber=72, script=..., pc=<optimized out>) at js/src/vm/Interpreter.cpp:4992
#2 0x0000000000accc95 in js::ReportRuntimeConstAssignment (pc=<optimized out>, script=..., cx=<optimized out>) at js/src/vm/Interpreter-inl.h:144
#3 Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3283
#4 0x0000000000ad6f75 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#5 0x0000000000adfaaa in js::ExecuteKernel (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffef324140) at js/src/vm/Interpreter.cpp:681
#6 0x0000000000adfea8 in js::Execute (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x7fffef324140) at js/src/vm/Interpreter.cpp:714
#7 0x0000000000c1c26f in js::ModuleObject::evaluate (cx=cx@entry=0x7ffff693f000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:915
#8 0x0000000000b30294 in intrinsic_EvaluateModule (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=0x7fffef324140) at js/src/vm/SelfHosting.cpp:2201
#9 0x0000000000ae6b1b in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0xb30200 <intrinsic_EvaluateModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
(In reply to André Bargull from comment #72)
> @shu: Should I also report spec compliance bugs/regressions here, or do you
> want to tackle those later?

If they are regressions from earlier versions, definitely.
Or if they're bugs in newly-added functionality. Like, I think we want to know if there's some spec compliance issue with the TDZ for parameter defaults, even tho that's new code and such a problem might not be a regression.
This is an automated crash issue comment:

Summary: Assertion failure: (detail::IsInBounds<From, To>(aFrom)), at jsshell-build/dist/include/mozilla/Casting.h:237
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

var lfLogBuffer = `
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(await ) {
  eval(lfVarx);
}
`;
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
while (true) {
  var line = lfLogBuffer.shift();
  if (line == null) {
    break;
  } else {
    lfCodeBuffer += line + "\n";
  }
}
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(lfVarx) {
  eval(lfVarx);
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000cddc78 in mozilla::AssertedCast<unsigned char, unsigned int> (aFrom=<optimized out>) at jsshell-build/dist/include/mozilla/Casting.h:237
#0 0x0000000000cddc78 in mozilla::AssertedCast<unsigned char, unsigned int> (aFrom=<optimized out>) at jsshell-build/dist/include/mozilla/Casting.h:237
#1 js::frontend::BytecodeEmitter::EmitterScope::checkEnvironmentChainLength (this=this@entry=0x7ffffff01b10, bce=<optimized out>, bce@entry=0x7ffffff01e70) at js/src/frontend/BytecodeEmitter.cpp:375
#2 0x0000000000cbe04f in js::frontend::BytecodeEmitter::EmitterScope::enterFunction (this=this@entry=0x7ffffff01b10, bce=bce@entry=0x7ffffff01e70, funbox=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:1116
#3 0x0000000000cc5697 in js::frontend::BytecodeEmitter::EmitterScope::enterFunction (this=<optimized out>, bce=0x7ffffff01e70, funbox=<optimized out>) at js/src/frontend/NameCollections.h:306
#4 0x0000000000cc5ae4 in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody (this=this@entry=0x7ffffff01e70, pn=pn@entry=0x7ffff69a50d8) at js/src/frontend/BytecodeEmitter.cpp:8501
#5 0x0000000000cc6a8b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffffff01e70, pn=pn@entry=0x7ffff69a50d8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8848
#6 0x0000000000cc7e72 in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7ffffff01e70, body=0x7ffff69a50d8) at js/src/frontend/BytecodeEmitter.cpp:4166
#7 0x0000000000cca6d1 in js::frontend::CompileLazyFunction (cx=cx@entry=0x7ffff693f000, lazy=..., lazy@entry=..., chars=<optimized out>, length=<optimized out>) at js/src/frontend/BytecodeCompiler.cpp:674
#8 0x00000000009043bc in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7ffff693f000, fun=fun@entry=...) at js/src/jsfun.cpp:1505
#9 0x0000000000464db4 in JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/jsfun.h:397
#10 0x0000000000acb2be in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:2919
[...]
#127 0x0000000000adfaaa in js::ExecuteKernel (cx=<optimized out>, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=<optimized out>) at js/src/vm/Interpreter.cpp:681

Registers:

rax 0x0 0
rbx 0x7ffffff01b10 140737487313680
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7ffffff01800 140737487312896
rsp 0x7ffffff017f0 140737487312880
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7ffffff01e70 140737487314544
r13 0x7ffff693f000 140737330278400
r14 0x7ffffff01e70 140737487314544
r15 0x7ffffff01880 140737487313024
rip 0xcddc78 <js::frontend::BytecodeEmitter::EmitterScope::checkEnvironmentChainLength(js::frontend::BytecodeEmitter*)+152>
=> 0xcddc78 <js::frontend::BytecodeEmitter::EmitterScope::checkEnvironmentChainLength(js::frontend::BytecodeEmitter*)+152>: movl $0x0,0x0
   0xcddc83 <js::frontend::BytecodeEmitter::EmitterScope::checkEnvironmentChainLength(js::frontend::BytecodeEmitter*)+163>: ud2

This seems to involve some kind of over-recursion.
This is an automated crash issue comment:

Summary: Assertion failure: offset >= list[index].start, at js/src/frontend/BytecodeEmitter.cpp:9572
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

eval(`
var of;
let expect =false , assertEq;
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000cb5208 in js::frontend::CGScopeNoteList::recordEnd (this=0x7fffffffc270, index=0, offset=13, inPrologue=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:9572
#0 0x0000000000cb5208 in js::frontend::CGScopeNoteList::recordEnd (this=0x7fffffffc270, index=0, offset=13, inPrologue=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:9572
#1 0x0000000000cb5e10 in js::frontend::BytecodeEmitter::EmitterScope::leave (this=this@entry=0x7fffffffbf30, bce=bce@entry=0x7fffffffbfe8, nonLocal=nonLocal@entry=false) at js/src/frontend/BytecodeEmitter.cpp:1398
#2 0x0000000000ccd08d in js::frontend::BytecodeEmitter::emitScript (this=0x7fffffffbfe8, body=body@entry=0x7ffff69a5190) at js/src/frontend/BytecodeEmitter.cpp:4105
#3 0x0000000000ccd4df in BytecodeCompiler::compileScript (this=this@entry=0x7fffffffc3c0, environment=environment@entry=..., sc=sc@entry=0x7fffffffc350) at js/src/frontend/BytecodeCompiler.cpp:349
#4 0x0000000000ccd8e7 in BytecodeCompiler::compileEvalScript (enclosingScope=..., environment=..., this=0x7fffffffc3c0) at js/src/frontend/BytecodeCompiler.cpp:384
#5 js::frontend::CompileEvalScript (cx=cx@entry=0x7ffff693f000, alloc=..., environment=environment@entry=..., enclosingScope=enclosingScope@entry=..., options=..., srcBuf=..., extraSct=0x0, sourceObjectOut=0x0) at js/src/frontend/BytecodeCompiler.cpp:583
#6 0x00000000009efda5 in EvalKernel (cx=cx@entry=0x7ffff693f000, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., env=env@entry=..., pc=<optimized out>, vp=...) at js/src/builtin/Eval.cpp:318
#7 0x00000000009f0521 in js::DirectEval (cx=0x7ffff693f000, v=..., vp=...) at js/src/builtin/Eval.cpp:438
#8 0x0000000000acc722 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:2822
This is an automated crash issue comment:

Summary: Assertion failure: canHaveArgumentSlots(), at js/src/vm/Scope.h:1090
Build version: mozilla-central revision 6cf0089510fa+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

function f({get } = (yield), y) {
  var stack = getBacktrace({ args: true, });
}
f(1, 2);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000931f68 in js::BindingIter::argumentSlot (this=<optimized out>) at js/src/vm/Scope.h:1090
#0 0x0000000000931f68 in js::BindingIter::argumentSlot (this=<optimized out>) at js/src/vm/Scope.h:1090
#1 0x0000000000917586 in FormatFrame (showThisProps=false, showLocals=false, showArgs=true, num=0, buf=0x7fffef310f00 "0 f(", iter=..., cx=0x7ffff693f000) at js/src/jsfriendapi.cpp:861
#2 JS::FormatStackDump (cx=cx@entry=0x7ffff693f000, buf=<optimized out>, buf@entry=0x0, showArgs=true, showLocals=false, showThisProps=false) at js/src/jsfriendapi.cpp:993
#3 0x0000000000c4f349 in GetBacktrace (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2503
#4 0x0000000000ae6b1b in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0xc4f160 <GetBacktrace(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
Attached patch Rollup for fuzzing v7 (obsolete) (deleted) — — Splinter Review
Attachment #8779926 - Flags: feedback?(gary)
Attachment #8779926 - Flags: feedback?(choller)
Attachment #8779579 - Attachment is obsolete: true
Attachment #8779579 - Flags: feedback?(gary)
Attachment #8779579 - Flags: feedback?(choller)
Attached patch Rollup for fuzzing v7 (obsolete) (deleted) — — Splinter Review
Applies on top of m-c 0502bd9e025e
Attachment #8779947 - Flags: feedback?(gary)
Attachment #8779947 - Flags: feedback?(choller)
Attachment #8779926 - Attachment is obsolete: true
Attachment #8779926 - Flags: feedback?(gary)
Attachment #8779926 - Flags: feedback?(choller)
This is an automated crash issue comment:

Summary: Assertion failure: si_.kind() == ScopeKind::NamedLambda || si_.kind() == ScopeKind::StrictNamedLambda, at js/src/vm/EnvironmentObject.cpp:1233
Build version: mozilla-central revision 0502bd9e025e+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

(function f() {
  let x = (new function() {
    x(() => { f.ArrayType(1, 2); }, "first argument of ctypes.cast must be a CData");
  })
})();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000a23870 in js::EnvironmentIter::settle (this=this@entry=0x7fffffffdc90) at js/src/vm/EnvironmentObject.cpp:1232
#0 0x0000000000a23870 in js::EnvironmentIter::settle (this=this@entry=0x7fffffffdc90) at js/src/vm/EnvironmentObject.cpp:1232
#1 0x0000000000a23ab6 in js::EnvironmentIter::EnvironmentIter(JSContext*, js::AbstractFramePtr, unsigned char*, mozilla::detail::GuardObjectNotifier&&) (this=0x7fffffffdc90, cx=0x7ffff693f000, frame=..., pc=0x7fffef409c5f "R", _notifier=<unknown type in /home/ubuntu/mozilla-central/js/src/dist/bin/js, CU 0x36f121b, DIE 0x38e484b>) at js/src/vm/EnvironmentObject.cpp:1201
#2 0x0000000000ac7dcf in HandleError (regs=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:1227
#3 Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:4110
[...]
This is an automated crash issue comment:

Summary: Assertion failure: script->isDerivedClassConstructor(), at js/src/vm/Interpreter.cpp:3374
Build version: mozilla-central revision 0502bd9e025e+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

{
  while (x && 0) if (!((x = 1) === x)) {}
  let x = () => sym()
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000ad2d02 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3374
#0 0x0000000000ad2d02 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3374
#1 0x0000000000ad3db5 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
[...]
This is an automated crash issue comment:

Summary: Assertion failure: bi.kind() == BindingKind::FormalParameter, at js/src/frontend/BytecodeEmitter.cpp:1063
Build version: mozilla-central revision 0502bd9e025e+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

function crashMe2(n) {
  var nasty = [], fn
  while (n--) nasty[n] = "a" + 1234567890
  fn = Function(nasty.join(), "void 0")
}
crashMe2(0x10000);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000cba8dc in js::frontend::BytecodeEmitter::EmitterScope::enterFunction (this=this@entry=0x7fffffffb440, bce=bce@entry=0x7fffffffb5e8, funbox=0x7ffff69a5080) at js/src/frontend/BytecodeEmitter.cpp:1063
#0 0x0000000000cba8dc in js::frontend::BytecodeEmitter::EmitterScope::enterFunction (this=this@entry=0x7fffffffb440, bce=bce@entry=0x7fffffffb5e8, funbox=0x7ffff69a5080) at js/src/frontend/BytecodeEmitter.cpp:1063
#1 0x0000000000cc1c97 in js::frontend::BytecodeEmitter::EmitterScope::enterFunction (this=<optimized out>, bce=0x7fffffffb5e8, funbox=<optimized out>) at js/src/frontend/NameCollections.h:306
#2 0x0000000000cc20e4 in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody (this=this@entry=0x7fffffffb5e8, pn=pn@entry=0x7ffff69a5050) at js/src/frontend/BytecodeEmitter.cpp:8512
#3 0x0000000000cc302b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffb5e8, pn=pn@entry=0x7ffff69a5050, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8859
#4 0x0000000000cc4462 in js::frontend::BytecodeEmitter::emitFunctionScript (this=0x7fffffffb5e8, body=body@entry=0x7ffff69a5050) at js/src/frontend/BytecodeEmitter.cpp:4167
#5 0x0000000000cc5f7a in BytecodeCompiler::compileFunctionBody (this=this@entry=0x7fffffffb950, fun=..., fun@entry=..., formals=..., formals@entry=..., generatorKind=generatorKind@entry=js::NotGenerator) at js/src/frontend/BytecodeCompiler.cpp:474
#6 0x0000000000cc60a8 in CompileFunctionBody (cx=cx@entry=0x7ffff693f000, fun=fun@entry=..., options=..., formals=formals@entry=..., srcBuf=..., enclosingScope=..., enclosingScope@entry=..., generatorKind=js::NotGenerator) at js/src/frontend/BytecodeCompiler.cpp:692
#7 0x0000000000cc62ae in js::frontend::CompileFunctionBody (cx=cx@entry=0x7ffff693f000, fun=fun@entry=..., options=..., formals=formals@entry=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:711
#8 0x000000000092a3a2 in FunctionConstructor (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>, generatorKind=js::NotGenerator) at js/src/jsfun.cpp:1863
#9 0x0000000000ae3c89 in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0x92af50 <js::Function(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#40 0x0000000000000000 in ?? ()

Registers:

rax 0x0 0
rbx 0x7ffff69f5520 140737331025184
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffb280 140737488335488
rsp 0x7fffffffb140 140737488335168
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7ffff69a5080 140737330696320
r13 0x7fffffffb1e0 140737488335328
r14 0x7fffffffb5e8 140737488336360
r15 0x7fffffffb1b0 140737488335280
rip 0xcba8dc <js::frontend::BytecodeEmitter::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)+3004>
=> 0xcba8dc <js::frontend::BytecodeEmitter::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)+3004>: movl $0x0,0x0
   0xcba8e7 <js::frontend::BytecodeEmitter::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)+3015>: ud2
(In reply to Shu-yu Guo [:shu] from comment #78)
> If they are regressions from earlier versions, definitely.

function f(a = 0) { let a = 1; }
f();

Expected: Throws SyntaxError
Actual: No error

(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #79)
> Or if they're bugs in newly-added functionality. Like, I think we want to
> know if there's some spec compliance issue with the TDZ for parameter
> defaults, even tho that's new code and such a problem might not be a
> regression.

function f(a = 0, b = (eval("var a = 1"), assertEq(a, 1)), c = assertEq(a, 0)) { }
f();

Expected: No error
Actual: Throws "Error: Assertion failed"

---

function f(a = (eval("{function a(){}}"), print(typeof a))) { }
f();

Expected: Prints "function"
Actual: Throws ReferenceError

---

function f(a, b = () => a) {
  eval("var a");
  print(b())
  a = 2;
  print(b())
}
f(1);

Expected: Prints "1 1"
Actual: Prints "1 2"

---

var init, first;
for (let i = (init = () => i = 1, 0); (first = () => i, i) < 0; ++i);
print(init(), first());

Expected: Prints "1 0"
Actual: Prints "1 1"

---

function f() {
  eval("{function a(){}}");
  const a = 1;
}
f();

Expected: No error
Actual: Throws SyntaxError
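The scoping rules that the parameter-default cases above exercise, as an added example that is not from this bug or from SpiderMonkey: it assumes any ES2015-compliant engine (e.g. node), avoids direct eval so the behaviour is the same everywhere, and the function names are made up here.

```javascript
// Added example, not from the bug or the SpiderMonkey tree. Shows the ES2015
// rules for functions with parameter default expressions: parameters are
// let-like bindings in their own environment, body-level vars get a separate
// environment initialised from the parameters, and closures created in a
// default keep referring to the parameter environment.

// Case 1: a default that reads a later parameter hits that parameter's TDZ.
// Calling g() evaluates `a = b` while b is still uninitialised; passing an
// explicit first argument skips the default, so b is never read early.
function tdzInDefaults() {
  function g(a = b, b = 1) { return a + b; }
  let threw = false;
  try { g(); } catch (e) { threw = e instanceof ReferenceError; }
  return { threw, withArg: g(0) };  // { threw: true, withArg: 1 }
}

// Case 2: the arrow function in the default captures the *parameter* `a`.
// The body's `var a` is a distinct binding (initialised to the parameter's
// value, then reassigned), so the body and the closure disagree on purpose.
function closureSeesParameterScope() {
  function f(a, b = () => a) {
    var a = 2;
    return [a, b()];
  }
  return f(1);  // [2, 1]
}

// Case 3: defaults run before the body's var environment exists, so a
// default cannot observe a body-level var; `typeof` on the unresolvable
// name yields "undefined" instead of throwing.
function defaultsCannotSeeBodyVars() {
  function h(a = typeof bodyOnly) {
    var bodyOnly = 1;
    return [a, bodyOnly];
  }
  return h();  // ["undefined", 1]
}

// Case 4: a top-level `let` in the body that redeclares a parameter is an
// early error. The Function constructor is used so the SyntaxError surfaces
// as a catchable exception rather than aborting the whole script.
function letRedeclaringParameterIsSyntaxError() {
  try {
    new Function("a = 0", "let a = 1;");
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```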
This is an automated crash issue comment:

Summary: Crash [@ js::frontend::FunctionBox::hasExtraVarScope]
Build version: mozilla-central revision 0502bd9e025e+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

function test(get, [] = Bool16x8(...w), ...of) { var f; }

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000ccf4f5 in js::frontend::FunctionBox::hasExtraVarScope (this=<optimized out>) at js/src/frontend/SharedContext.h:522
#0  0x0000000000ccf4f5 in js::frontend::FunctionBox::hasExtraVarScope (this=<optimized out>) at js/src/frontend/SharedContext.h:522
#1  js::frontend::BytecodeEmitter::isRestParameter (result=0x7fffffffc37f, pn=0x7ffff69a5280, this=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7588
#2  js::frontend::BytecodeEmitter::emitOptimizeSpread (this=0x7fffffffc9a0, arg0=0x7ffff69a5280, jmp=0x7fffffffc420, emitted=0x7fffffffc41f) at js/src/frontend/BytecodeEmitter.cpp:7617
#3  0x0000000000cd18e4 in js::frontend::BytecodeEmitter::emitCallOrNew (this=this@entry=0x7fffffffc9a0, pn=pn@entry=0x7ffff69a5250) at js/src/frontend/BytecodeEmitter.cpp:7799
#4  0x0000000000cc2d53 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc9a0, pn=pn@entry=0x7ffff69a5250, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9094
#5  0x0000000000cd1d6a in js::frontend::BytecodeEmitter::emitFunctionFormalParameters (this=this@entry=0x7fffffffc9a0, pn=pn@entry=0x7ffff69a5190) at js/src/frontend/BytecodeEmitter.cpp:8581
#6  0x0000000000cc220e in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody (this=this@entry=0x7fffffffc9a0, pn=pn@entry=0x7ffff69a5190) at js/src/frontend/BytecodeEmitter.cpp:8445
#7  0x0000000000cc302b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc9a0, pn=pn@entry=0x7ffff69a5190, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8859
#8  0x0000000000cc4462 in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7fffffffc9a0, body=0x7ffff69a5190) at js/src/frontend/BytecodeEmitter.cpp:4167
#9  0x0000000000cc4f05 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5050, needsProto=needsProto@entry=false) at js/src/frontend/BytecodeEmitter.cpp:6671
#10 0x0000000000cc2c4d in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5050, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8854
#11 0x0000000000cce81e in js::frontend::BytecodeEmitter::emitStatementList (this=0x7fffffffced8, pn=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7267
#12 0x0000000000cc2dab in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffced8, pn=pn@entry=0x7ffff69a5020, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:8944
#13 0x0000000000cc92ed in js::frontend::BytecodeEmitter::emitScript (this=0x7fffffffced8, body=body@entry=0x7ffff69a5020) at js/src/frontend/BytecodeEmitter.cpp:4109
#14 0x0000000000cc9a2f in BytecodeCompiler::compileScript (this=this@entry=0x7fffffffd280, environment=environment@entry=..., sc=sc@entry=0x7fffffffd230) at js/src/frontend/BytecodeCompiler.cpp:349
#15 0x0000000000cca054 in BytecodeCompiler::compileGlobalScript (scopeKind=<optimized out>, this=0x7fffffffd280) at js/src/frontend/BytecodeCompiler.cpp:376
[...]
#26 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7548

rax 0x7fffef700b50 140737210485584
rbp 0x7fffffffc3f0 140737488339952
r8  0x0 0
rip 0xccf4f5 <js::frontend::BytecodeEmitter::emitOptimizeSpread(js::frontend::ParseNode*, js::frontend::JumpList*, bool*)+629>
=> 0xccf4f5 <js::frontend::BytecodeEmitter::emitOptimizeSpread(js::frontend::ParseNode*, js::frontend::JumpList*, bool*)+629>: mov 0x8(%r8),%r8
   0xccf4f9 <js::frontend::BytecodeEmitter::emitOptimizeSpread(js::frontend::ParseNode*, js::frontend::JumpList*, bool*)+633>: lea -0x50(%rbp),%rax
This is an automated crash issue comment:

Summary: Assertion failure: !isExtensible() && v.isPrivateGCThing(), at js/src/vm/EnvironmentObject.h:427
Build version: mozilla-central revision 0502bd9e025e+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

for (var i = 0; i < 200; parseFloat++) {
  (function* get(undefined, ...get) {
    g.apply(this, arguments);
  })();
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000a69260 in js::LexicalEnvironmentObject::scope (this=0x7fffef775040) at js/src/vm/EnvironmentObject.h:427
#0  0x0000000000a69260 in js::LexicalEnvironmentObject::scope (this=0x7fffef775040) at js/src/vm/EnvironmentObject.h:427
#1  0x0000000000b406c0 in AssertScopeMatchesEnvironment (scope=<optimized out>, originalEnv=<optimized out>) at js/src/vm/Stack.cpp:130
#2  0x0000000000b40f03 in js::InterpreterFrame::prologue (this=0x7fffef3240d0, cx=0x7ffff693f000) at js/src/vm/Stack.cpp:232
#3  0x0000000000ac7a68 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:1770
[...]
Attached patch Rollup for fuzzing v8 (obsolete) (deleted)
Applies on top of m-c 233ab21b64b5
Attachment #8779947 - Attachment is obsolete: true
Attachment #8779947 - Flags: feedback?(gary)
Attachment #8779947 - Flags: feedback?(choller)
Attachment #8780428 - Flags: feedback?(choller)
This is an automated crash issue comment:

Summary: Assertion failure: script->isDerivedClassConstructor(), at js/src/vm/Interpreter.cpp:3374
Build version: mozilla-central revision 233ab21b64b5+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

$2 = 0, label = 1;
switch (label | 0) {
  case 1:
    $2 -= $1 + 14 | 0;
  case [], $5(() => new Map(ArrayBuffer), $1), (yield):
    let $1 = [];
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000ad3c5f in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3374
#0  0x0000000000ad3c5f in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3374
#1  0x0000000000ad4a15 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
[...]
Attached patch Rollup for fuzzing v9 (obsolete) (deleted)
Attachment #8780726 - Flags: feedback?(choller)
Attachment #8780428 - Attachment is obsolete: true
Attachment #8780428 - Flags: feedback?(choller)
(In reply to Shu-yu Guo [:shu] from comment #93)
> Created attachment 8780726 [details] [diff] [review]
> Rollup for fuzzing v9

Applies on top of m-c 2ed7e61b988d
Attached patch Rewrite the frontend: bindings. (deleted)
With fixes for fuzz and anba tests.
Attachment #8780730 - Flags: review?(jwalden+bmo)
Attachment #8780730 - Flags: review?(jorendorff)
Attachment #8780730 - Flags: review?(efaustbmo)
Attachment #8779082 - Attachment is obsolete: true
Attachment #8779082 - Flags: review?(winter2718)
Attachment #8779082 - Flags: review?(jwalden+bmo)
Attachment #8779082 - Flags: review?(jorendorff)
Attachment #8779082 - Flags: review?(efaustbmo)
// Adapted from randomly chosen test: js/src/jit-test/tests/profiler/bug1231925.js
"use strict";
enableSPSProfiling();
oomTest(function() {
  eval("(function() {})()");
});

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Assertion failure: size_before == *profiler->size_, at js/src/vm/SPSProfiler.cpp:434
function f(a = x, x = x) {}
f(/y/)

Run with --fuzzing-safe --no-threads --no-baseline --no-ion:

Assertion failure: script->isDerivedClassConstructor(), at js/src/vm/Interpreter.cpp:3374
Attached patch Rollup for fuzzing v10 (obsolete) (deleted)
Applies on top of m-c 2ed7e61b988d
Attachment #8780726 - Attachment is obsolete: true
Attachment #8780726 - Flags: feedback?(choller)
Attachment #8780784 - Flags: feedback?(gary)
Attachment #8780784 - Flags: feedback?(choller)
This is an automated crash issue comment:

Summary: Assertion failure: !fun->needsExtraBodyVarEnvironment(), at js/src/jit/IonBuilder.cpp:1245
Build version: mozilla-central revision 2ed7e61b988d+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off --baseline-eager

Testcase:

setJitCompilerOption("ion.warmup.trigger", 4);
var lfLogBuffer = `
function logProxy(object = {}, handler = {}) {
  var log = [];
  var proxy = new WeakMap(object, new Proxy(handler, {
    get(proto) {
      log.push(propertyKey);
    }
  }));
}
var {proxy, log} = logProxy();
`;
loadFile(lfLogBuffer);
loadFile(lfLogBuffer);
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
  try {
    function newFunc(x) { new Function(x)(); };
    newFunc(lfVarx);
  } catch (lfVare) {}
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000647818 in js::jit::IonBuilder::initEnvironmentChain (this=this@entry=0x7fffffff9690, callee=0x7ffff69b4ea0) at js/src/jit/IonBuilder.cpp:1245
#0  0x0000000000647818 in js::jit::IonBuilder::initEnvironmentChain (this=this@entry=0x7fffffff9690, callee=0x7ffff69b4ea0) at js/src/jit/IonBuilder.cpp:1245
#1  0x000000000068efb3 in js::jit::IonBuilder::buildInline (this=0x7fffffff9690, callerBuilder=<optimized out>, callerResumePoint=<optimized out>, callInfo=...) at js/src/jit/IonBuilder.cpp:1090
#2  0x000000000068f459 in js::jit::IonBuilder::inlineScriptedCall (this=this@entry=0x7fffffffa4a0, callInfo=..., target=<optimized out>) at js/src/jit/IonBuilder.cpp:5226
#3  0x000000000068fa00 in js::jit::IonBuilder::inlineSingleCall (this=0x7fffffffa4a0, callInfo=..., targetArg=<optimized out>) at js/src/jit/IonBuilder.cpp:5734
#4  0x0000000000691049 in js::jit::IonBuilder::inlineCallsite (this=0x7fffffffa4a0, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:5790
#5  0x00000000006914f5 in js::jit::IonBuilder::jsop_call (this=this@entry=0x7fffffffa4a0, argc=0, constructing=<optimized out>) at js/src/jit/IonBuilder.cpp:6743
#6  0x000000000069559c in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7fffffffa4a0, op=op@entry=JSOP_CALL) at js/src/jit/IonBuilder.cpp:1918
#7  0x000000000068dc9e in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7fffffffa4a0) at js/src/jit/IonBuilder.cpp:1534
#8  0x000000000068efc3 in js::jit::IonBuilder::buildInline (this=0x7fffffffa4a0, callerBuilder=<optimized out>, callerResumePoint=<optimized out>, callInfo=...) at js/src/jit/IonBuilder.cpp:1093
#9  0x000000000068f459 in js::jit::IonBuilder::inlineScriptedCall (this=this@entry=0x7ffff69b2270, callInfo=..., target=<optimized out>) at js/src/jit/IonBuilder.cpp:5226
#10 0x000000000068fa00 in js::jit::IonBuilder::inlineSingleCall (this=0x7ffff69b2270, callInfo=..., targetArg=<optimized out>) at js/src/jit/IonBuilder.cpp:5734
#11 0x00000000006903ee in js::jit::IonBuilder::inlineCalls (this=this@entry=0x7ffff69b2270, callInfo=..., targets=..., choiceSet=..., maybeCache=<optimized out>) at js/src/jit/IonBuilder.cpp:6054
#12 0x0000000000690f22 in js::jit::IonBuilder::inlineCallsite (this=0x7ffff69b2270, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:5802
#13 0x00000000006914f5 in js::jit::IonBuilder::jsop_call (this=this@entry=0x7ffff69b2270, argc=0, constructing=<optimized out>) at js/src/jit/IonBuilder.cpp:6743
#14 0x000000000069559c in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff69b2270, op=op@entry=JSOP_CALL) at js/src/jit/IonBuilder.cpp:1918
#15 0x000000000068dc9e in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff69b2270) at js/src/jit/IonBuilder.cpp:1534
#16 0x000000000068e896 in js::jit::IonBuilder::build (this=0x7ffff69b2270) at js/src/jit/IonBuilder.cpp:921
#17 0x00000000006a267f in js::jit::IonCompile (cx=cx@entry=0x7ffff6965000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffb6f8, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2232
#18 0x00000000006a2f79 in js::jit::Compile (cx=cx@entry=0x7ffff6965000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffb6f8, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2473
#19 0x00000000006a398a in BaselineCanEnterAtEntry (frame=0x7fffffffb6f8, script=..., cx=0x7ffff6965000) at js/src/jit/Ion.cpp:2597
#20 js::jit::IonCompileScriptForBaseline (cx=0x7ffff6965000, frame=0x7fffffffb6f8, pc=<optimized out>) at js/src/jit/Ion.cpp:2721
#21 0x00007ffff7feb360 in ?? ()
[...]
These two parameter environment tests from https://github.com/anba/es6draft/blob/master/src/test/scripts/suite/semantic/function/parameter_environment.js#L133-L150 are still failing:

function g8(h = () => arguments) {
  var arguments = 0;
  assertEq(arguments, 0);
  assertEq(arguments === h(), false);
}
g8();

function g9(h = () => arguments) {
  var arguments;
  assertEq(void 0 === arguments, false);
  assertEq(h(), arguments);
  arguments = 0;
  assertEq(arguments, 0);
  assertEq(arguments === h(), false);
}
g9();
This is an automated crash issue comment:

Summary: Assertion failure: env->lastProperty() == copy->lastProperty(), at js/src/vm/EnvironmentObject.cpp:972
Build version: mozilla-central revision 2ed7e61b988d+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

for (let x = 0; x < 4; ++x) {
  (function() {
    for (var set = 0, get, get; eval("\tvar\tx\t=\t1\t");) {}
  })()
};

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x086823a9 in js::LexicalEnvironmentObject::clone (cx=0xf7934000, env=...) at js/src/vm/EnvironmentObject.cpp:972
#0  0x086823a9 in js::LexicalEnvironmentObject::clone (cx=0xf7934000, env=...) at js/src/vm/EnvironmentObject.cpp:972
#1  0x0874f7e8 in js::InterpreterFrame::freshenLexicalEnvironment (this=0xf1225018, cx=0xf7934000) at js/src/vm/Stack.cpp:332
#2  0x086ef2c1 in Interpret (cx=0xf7934000, state=...) at js/src/vm/Interpreter.cpp:3806
[...]
This is an automated crash issue comment:

Summary: Assertion failure: NewFunctionEnvironmentIsWellFormed(cx, enclosingEnv), at js/src/jsfun.cpp:2093
Build version: mozilla-central revision 2ed7e61b988d+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

function eval(source) {
  offThreadCompileModule(source);
  let m = finishOffThreadModule();
  m.declarationInstantiation();
  return m.evaluation();
}
function runTestCase(testcase) {
  if (testcase() !== true) {}
}
eval(`
function testcase() {
  function set () {}
}
runTestCase(testcase);
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00000000009279c8 in js::CloneFunctionReuseScript (cx=cx@entry=0x7ffff693f000, fun=fun@entry=..., enclosingEnv=..., enclosingEnv@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FIRST, newKind=newKind@entry=js::GenericObject, proto=..., proto@entry=...) at js/src/jsfun.cpp:2093
#0  0x00000000009279c8 in js::CloneFunctionReuseScript (cx=cx@entry=0x7ffff693f000, fun=fun@entry=..., enclosingEnv=..., enclosingEnv@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FIRST, newKind=newKind@entry=js::GenericObject, proto=..., proto@entry=...) at js/src/jsfun.cpp:2093
#1  0x0000000000af1be3 in js::CloneFunctionObjectIfNotSingleton (cx=cx@entry=0x7ffff693f000, fun=..., fun@entry=..., parent=..., proto=..., proto@entry=..., newKind=newKind@entry=js::GenericObject) at js/src/jsfuninlines.h:89
#2  0x0000000000ab5b26 in js::Lambda (cx=0x7ffff693f000, fun=..., parent=...) at js/src/vm/Interpreter.cpp:4290
#3  0x0000000000ac8573 in Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:3452
#4  0x0000000000ace425 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#5  0x0000000000ad73fe in js::ExecuteKernel (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7ffff021d1c8) at js/src/vm/Interpreter.cpp:681
#6  0x0000000000ad77a0 in js::Execute (cx=cx@entry=0x7ffff693f000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x7ffff021d1c8) at js/src/vm/Interpreter.cpp:714
#7  0x0000000000c1135e in js::ModuleObject::evaluate (cx=cx@entry=0x7ffff693f000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:915
#8  0x0000000000b27b1f in intrinsic_EvaluateModule (cx=cx@entry=0x7ffff693f000, argc=<optimized out>, vp=0x7ffff021d1c8) at js/src/vm/SelfHosting.cpp:2201
#9  0x0000000000addf19 in js::CallJSNative (cx=cx@entry=0x7ffff693f000, native=0xb27a90 <intrinsic_EvaluateModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
This is an automated crash issue comment:

Summary: Crash [@ js::Shape::slot]
Build version: mozilla-central revision 2ed7e61b988d+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize
Runtime options: --fuzzing-safe

Testcase:

const libdir = "/srv/repos/mozilla-central/js/src/jit-test/lib/";
load(libdir + "iteration.js");
function* f4(get = [1], f2, ...each) {}
it = f4();
assertIteratorResult(it.return(-2), 2, false);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00000000006109b1 in js::Shape::slot (this=0x0) at js/src/vm/Shape.h:830
#0  0x00000000006109b1 in js::Shape::slot (this=0x0) at js/src/vm/Shape.h:830
#1  0x0000000000a9b13d in js::SetReturnValueForClosingGenerator (cx=cx@entry=0x7ffff693f000, frame=...) at js/src/vm/GeneratorObject.cpp:111
#2  0x0000000000aa1909 in js::HandleClosingGeneratorReturn (cx=0x7ffff693f000, frame=..., ok=true) at js/src/vm/Interpreter.cpp:1210
#3  0x0000000000ac1d94 in HandleError (regs=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:1270
#4  Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:4121
#5  0x0000000000ace425 in js::RunScript (cx=cx@entry=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:400
#6  0x0000000000ace6d5 in js::InternalCallOrConstruct (cx=0x7ffff693f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:472
#7  0x0000000000ac9418 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:505
#8  Interpret (cx=0x7ffff693f000, state=...) at js/src/vm/Interpreter.cpp:2915
[...]
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7551

rax 0x0 0
rbx 0x7ffff693f000 140737330278400
rcx 0x0 0
rdx 0x4 4
rsi 0x7ffff693f000 140737330278400
rdi 0x0 0
rbp 0x7fffffffd170 140737488343408
rsp 0x7fffffffd120 140737488343328
r8  0xffffffff 4294967295
r9  0x2e 46
r10 0x7ffff021d1e8 140737222136296
r11 0xfffffffffffffff5 -11
r12 0x7ffff0700a00 140737227262464
r13 0x7fffffffd130 140737488343344
r14 0x1d68020 30834720
r15 0x7fffffffd840 140737488345152
rip 0x6109b1 <js::Shape::slot() const+1>
=> 0x6109b1 <js::Shape::slot() const+1>: testb $0x40,0x14(%rdi)
   0x6109b5 <js::Shape::slot() const+5>: mov %rsp,%rbp

Test requires iteration.js, provided by jit-tests in mozilla-central.
Attached patch Rollup for fuzzing v11 (obsolete) (deleted)
Applies on top of m-c 054d4856cea6
Attachment #8780784 - Attachment is obsolete: true
Attachment #8780784 - Flags: feedback?(gary)
Attachment #8780784 - Flags: feedback?(choller)
Attachment #8781299 - Attachment is obsolete: true
Attached patch Rollup for fuzzing v11 (deleted)
This is an automated crash issue comment:

Summary: Assertion failure: frame.stackDepth() == 0, at js/src/jit/BaselineCompiler.cpp:3982
Build version: mozilla-central revision 054d4856cea6+
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu
Runtime options: --fuzzing-safe --ion-eager

Testcase:

(function* of([d] = eval("var MYVAR=new String('0Xf');++MYVAR"), ...get) {})();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x089ac436 in js::jit::BaselineCompiler::emit_JSOP_GENERATOR (this=0xffffbaf0) at js/src/jit/BaselineCompiler.cpp:3982
#0  0x089ac436 in js::jit::BaselineCompiler::emit_JSOP_GENERATOR (this=0xffffbaf0) at js/src/jit/BaselineCompiler.cpp:3982
#1  0x089d1c71 in js::jit::BaselineCompiler::emitBody (this=0xffffbaf0) at js/src/jit/BaselineCompiler.cpp:990
#2  0x089d2cc9 in js::jit::BaselineCompiler::compile (this=0xffffbaf0) at js/src/jit/BaselineCompiler.cpp:115
#3  0x08202fa1 in js::jit::BaselineCompile (cx=0xf7934000, script=0xf155e100, forceDebugInstrumentation=false) at js/src/jit/BaselineJIT.cpp:298
#4  0x08203854 in CanEnterBaselineJIT (cx=cx@entry=0xf7934000, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0) at js/src/jit/BaselineJIT.cpp:337
#5  0x08203a0b in js::jit::CanEnterBaselineMethod (cx=0xf7934000, state=...) at js/src/jit/BaselineJIT.cpp:399
#6  0x082d156c in js::jit::CanEnter (cx=0xf7934000, state=...) at js/src/jit/Ion.cpp:2558
#7  0x086f6f5c in js::RunScript (cx=0xf7934000, state=...) at js/src/vm/Interpreter.cpp:376
#8  0x086f7243 in js::InternalCallOrConstruct (cx=0xf7934000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:472
#9  0x086f747d in InternalCall (cx=cx@entry=0xf7934000, args=...) at js/src/vm/Interpreter.cpp:499
#10 0x086f75cf in js::CallFromStack (cx=0xf7934000, args=...) at js/src/vm/Interpreter.cpp:505
#11 0x089d6618 in js::jit::DoCallFallback (cx=0xf7934000, frame=0xffffce58, stub_=0xf1373010, argc=0, vp=0xffffce28, res=...) at js/src/jit/BaselineIC.cpp:5985
#12 0xf7be367c in ?? ()
Comment on attachment 8781341 [details] [diff] [review]
Rollup for fuzzing v11

I didn't find more issues apart from the ones I mentioned already. I suggest we land this as long as it remains that stable, and find any remaining bugs once it has landed :)
Attachment #8781341 - Flags: feedback+
Comment on attachment 8781341 [details] [diff] [review]
Rollup for fuzzing v11

I have been busy lately so have not been focused too much on this, but most of the fuzzblockers seem to be gone on Linux, so I agree with :decoder: let's land it and we can file follow-up bugs later.
Attachment #8781341 - Flags: feedback+
Attached patch Use UniquePtrs for Scope data. (deleted)
Attachment #8782672 - Flags: review?(jwalden+bmo)
Comment on attachment 8782672 [details] [diff] [review]
Use UniquePtrs for Scope data.

Review of attachment 8782672 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/public/RootingAPI.h
@@ +1127,5 @@
> +
> +template <typename Outer, typename T, typename D>
> +class UniquePtrOperations
> +{
> +    const js::UniquePtr<T, D>& uniquePtr() const { return static_cast<const Outer*>(this)->get(); }

Don't think you need the js:: on UniquePtr in the various places here.

@@ +1144,5 @@
> +};
> +
> +template <typename T, typename D>
> +class RootedBase<js::UniquePtr<T, D>>
> +  : public MutableUniquePtrOperations<JS::Rooted<js::UniquePtr<T, D>>, T, D> { };

Most excellent. I think we put {} on its own line usually, tho.

::: js/src/vm/Runtime.h
@@ +1677,5 @@
> +    struct DeletePolicy<Data> : public js::GCManagedDeletePolicy<Data> \
> +    { }
> +
> +DEFINE_SCOPE_DATA_DELETEPOLICY(js::FunctionScope::Data);
> +DEFINE_SCOPE_DATA_DELETEPOLICY(js::ModuleScope::Data);

I'd prefer just typing this out, no macros.

::: js/src/vm/Scope.cpp
@@ +243,5 @@
> 
>      if (mode == XDR_ENCODE) {
>          data.set(&scope->data());
>      } else {
> +        data.set(NewEmptyScopeData<ConcreteScope>(cx, length).release());

The explicit, and necessary, js_free of this in the loop below still ensaddens me. I dunno that we can get rid of it, unfortunately. Still, looks like we got rid of the vast majority of js_free, so this looks overall pretty winning.

@@ +334,1 @@
>      return nullptr;

I guess |scopeClone| doesn't leak here because it's GC-managed? And there's no GC hazard because CopyScopeData returns manually-managed memory and can never GC? Fugly, but I guess okay?
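Review bot: In the Scope.cpp hunk at @@ +243,5 @@, `data.set(NewEmptyScopeData<ConcreteScope>(cx, length).release())` stores a null pointer when the allocation fails, because `release()` on an empty UniquePtr returns nullptr, and the quoted lines don't show the OOM check; make sure the decode branch tests the result (ideally the UniquePtr itself, before calling `release()`) and bails out before the loop that fills `data` in. Calling `release()` here is also what hands ownership back to a raw pointer and forces the manual js_free mentioned above; holding the UniquePtr until the decode has fully succeeded would let the error paths drop it automatically.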
Attachment #8782672 - Flags: review?(jwalden+bmo) → review+
Here's a test that fails for me; if you add an eval("") in the loop it passes. (Run with -e 'const libdir="jit-test/lib/";' .)

// TDZ checks work in destructuring default expressions,
// even after the variables are initialized the first time.

load(libdir + "asserts.js");

assertThrowsInstanceOf(() => {
    // should throw the second time through: b is uninitialized
    for (const {a=b, b} of [{a:1, b:2}, {b:3}]) {}
}, ReferenceError);
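The binding rules behind anba's expected/actual list above (parameter defaults, the body's separate var environment, per-iteration loop bindings) and behind this destructuring TDZ test, collected into one stand-alone script. This is an added example, not part of the patch and not one of the posters' tests: it encodes the spec-expected outcome for the cases that do not involve direct eval, so it can be run as-is under Node (or any ES2015+ engine) to see what a conforming engine must do. The helper names (outcome, the check* functions, runAll) are this example's own.

```javascript
'use strict';
// Added example, not from the patch under review: each check returns the
// observed outcome so the spec expectation can be asserted, rather than
// printing it. Helper names here are the example's own.

// Compile and run `src` with an indirect eval (global, sloppy) and report
// 'ok' or the constructor name of whatever was thrown. Early errors such
// as a parameter/let name clash show up as 'SyntaxError' before any code
// in `src` executes.
function outcome(src) {
  try {
    (0, eval)(src);
    return 'ok';
  } catch (e) {
    return e.constructor.name;
  }
}

// Early error: a lexical declaration in the body may not redeclare a
// parameter name, while `var` may (it shares or shadows the binding).
function checkEarlyErrors() {
  return {
    letClashesWithParam: outcome('function f(a = 0) { let a = 1; }'),
    varMayRedeclareParam: outcome('function f(a) { var a = 1; }'),
  };
}

// TDZ among parameters: defaults run left to right, and a later parameter
// is still uninitialized while an earlier default is evaluated. Passing an
// argument skips the default, so no TDZ read happens.
function checkParameterTdz() {
  function f(a = b, b) { return a; }
  let noArgs;
  try { noArgs = f(); } catch (e) { noArgs = e.constructor.name; }
  return { noArgs, withArg: f(7) };
}

// With any parameter expression present, the body gets its own var
// environment: a body `var a` is a second binding initialized from the
// parameter, and a closure created in a default keeps seeing the parameter.
// With simple parameters there is one environment, so the same closure
// sees the body's assignment.
function checkClosureInDefault() {
  function withDefault(a, b = () => a) {
    var a = 2;            // separate body binding; b() still returns the parameter
    return [b(), a];
  }
  function withoutDefault(a) {
    var b = () => a;      // same environment as the parameter
    var a = 2;
    return [b(), a];
  }
  return { withDefault: withDefault(1), withoutDefault: withoutDefault(1) };
}

// `let` in a for-head is copied into a fresh binding per iteration, so each
// closure captures its own value rather than the final one.
function checkPerIterationBindings() {
  const fns = [];
  for (let i = 0; i < 3; i++) fns.push(() => i);
  return fns.map(f => f());
}

// TDZ in a destructuring default inside a for-of head: `a = b` reads `b`
// before that iteration's `b` is initialized. The first element supplies
// `a`, so the default is skipped; the second does not, and the read throws
// even though `b` was initialized on the previous iteration.
function checkDestructuringDefaultTdz() {
  const seen = [];
  try {
    for (const { a = b, b } of [{ a: 1, b: 2 }, { b: 3 }]) seen.push([a, b]);
    return { seen, error: null };
  } catch (e) {
    return { seen, error: e.constructor.name };
  }
}

// Run everything; handy for `node this-file.js`.
function runAll() {
  return {
    earlyErrors: checkEarlyErrors(),
    parameterTdz: checkParameterTdz(),
    closureInDefault: checkClosureInDefault(),
    perIteration: checkPerIterationBindings(),
    destructuringTdz: checkDestructuringDefaultTdz(),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runAll(), null, 2));
}
```

The eval cases from the list above are deliberately left out: a direct eval inside a default gets its own var environment per parameter, and whether a given engine honours that is exactly what the reports in this bug are about, so they are not a good baseline to assert against.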
Good catch
Attachment #8783055 - Flags: review?(jorendorff)
Comment on attachment 8779082 [details] [diff] [review] Rewrite the frontend: bindings. Review of attachment 8779082 [details] [diff] [review]: ----------------------------------------------------------------- Splinter almost gave me a heart attack today when I thought this review was lost. Nothing was lost - it just didn't show up for me because the patch is obsolete, and I accidentally started reviewing a later one in a separate tab. I did not read every line but this has to land. I mostly stuck to the parts of the code you said to read, plus all the headers, the tests, and a few other random files. This is awesome. I sort of wish the mega-renamings had been separate patches, in case you plan on doing this again... but no complaints. ::: js/src/ds/InlineTable.h @@ +4,5 @@ > + * License, v. 2.0. If a copy of the MPL was not distributed with this > + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ > + > +#ifndef ds_InlineMap_h > +#define ds_InlineMap_h might as well update these ::: js/src/frontend/FoldConstants.cpp @@ -904,5 @@ > - // Don't decay the overall expression if the replacement node is a > - // a definition. > - // > - // The rationale for this pre-existing restriction is unclear; if you > - // discover it, please document it! Speculation is that it has lol ::: js/src/frontend/NameCollections.h @@ +19,5 @@ > +// BytecodeEmitter create many maps for name analysis that are short-lived > +// (i.e., for the duration of parsing or emitting a lexical scope). Making > +// them recyclable cuts down significantly on allocator churn. > +template <typename RepresentativeCollection, typename ConcreteCollectionPool> > +class CollectionPool This code, the whole file, is pretty... "all-in", relative to the importance of what it's doing. What I mean is: CRTP + 50-line #define + `##` usage + reinterpret_cast across unrelated types + void** + unions... I don't have a specific productive comment, just ...are you sure [y/N]? 
::: js/src/frontend/ParseNode.h @@ -1002,5 @@ > void dump(int indent); > #endif > }; > > -struct BinaryObjNode : public ParseNode OMG good riddance @@ -1495,5 @@ > void DumpParseTree(ParseNode* pn, int indent = 0); > #endif > > -/* > - * js::Definition is a degenerate subtype of the PN_FUNC and PN_NAME variants Same comment here and on all the other lines of this file ::: js/src/jit-test/tests/arguments/defaults-scoping.js @@ +3,2 @@ > var x = 'global'; > function f(a=x) { // local variable x update the comment, fwiw? @@ +9,3 @@ > > +var i = 42; > +function g(f=function () { return ++i; }) { // closes on global variable x global variable i, not x @@ +32,3 @@ > } > assertEq(j("expr"), "expr"); > +assertThrowsInstanceOf(() => j("v"), ReferenceError); What happens when there's a direct eval in an argument default expression could definitely stand to be tested more. In particular, the way each default expression gets its own VarEnvironmentObject, which can be mutated by separate sloppy evals in the same default expression ... we should have a test that does that, if only because the spec is nuts. :-| ::: js/src/tests/ecma_6/LexicalEnvironment/const-declaration-in-for-loop.js @@ +46,5 @@ > > // We don't support for (const ... in ...) or for (const ... of ...) yet. When > // we do, these all should start passing without throwing a syntax error, and > // we can remove the try/catch here, and the ultimate throw-canary forcing this > // test to be updated. Please delete the comment too. ::: js/src/vm/EnvironmentObject.h @@ +39,5 @@ > +extern JSScript* > +EnvironmentCoordinateFunctionScript(JSScript* script, jsbytecode* pc); > + > + > +/*** Environment objects *****************************************************/ Please put this in here: /*** Environment objects *****************************************************/ /* * About environments * ------------------ * * (See also: ecma262 rev c7952de (19 Aug 2016) 8.1 "Lexical Environments".) 
* * Scoping in ES is specified in terms of "Environment Records". There's a * global Environment Record per realm, and a new Environment Record is created * whenever control enters a function, block, or other scope. * * A "Lexical Environment" is a list of nested Environment Records, innermost * first: everything that's in scope. Throughout SpiderMonkey, "environment" * means a Lexical Environment. * * N.B.: "Scope" means something different: a static scope, the compile-time * analogue of an environment. See Scope.h. * * How SpiderMonkey represents environments * ---------------------------------------- * * Some environments are stored as JSObjects. Several kinds of objects * represent environments: * * JSObject * | * +--NativeObject * | | * | +--EnvironmentObject Engine-internal environment * | | | * | | +--CallObject Environment of entire function * | | | * | | +--ModuleEnvironmentObject Module top-level environment * | | | * | | +--LexicalEnvironmentObject Lexical (block) environment * | | | | * | | | +--NamedLambdaObject Environment for `(function f(){...})` * | | | containing only a binding for `f` * | | +--VarEnvironmentObject See VarScope in Scope.h. * | | | * | | +--WithEnvironmentObject Presents object properties as bindings * | | | * | | +--NonSyntacticVariablesObject See "Non-syntactic environments" below * | | * | +--GlobalObject The global environment * | * +--ProxyObject * | * +--DebugEnvironmentProxy Environment for debugger eval-in-frame * * EnvironmentObjects are technically real JSObjects but only belong on the * environment chain (that is, fp->environmentChain() or fun->environment()). * They are never exposed to scripts. * * Note that reserved slots in any base classes shown above are fixed for all * derived classes. So e.g. EnvironmentObject::enclosingEnvironment() can * simply access a fixed slot without further dynamic type information. 
* * When the current environment is represented by an object, the stack frame * has a pointer to that object (see AbstractFramePtr::environmentChain()). * However, that isn't always the case. Where possible, we store binding values * in JS stack slots. For block and function scopes where all bindings can be * stored in stack slots, nothing is allocated in the heap; there is no * environment object. * * Full information about the environment chain is always recoverable: * EnvironmentIter can do it, and we construct a fake environment for debugger * eval-in-frame (see "Debug environment objects" below). * * Syntactic Environments * ---------------------- * * Environments may be syntactic, i.e., corresponding to source text, or * non-syntactic, i.e., specially created by embedding. * The comment should do a better job of explaining why this distinction matters so much. It has never really been clear to me. * CallObject, ModuleEnvironmentObject, and LexicalEnvironmentObject always * represent syntactic environments. (CallObject is considered syntactic even * when it's used as the scope of strict eval code.) WithEnvironmentObject is * syntactic when it's used to represent the scope of a `with` block. * * * Non-syntactic Environments * -------------------------- ...and from there on it's fine as-is. @@ +76,5 @@ > + * > + * Non-syntactic Environments > + * -------------------------- > + * > + * A non-syntactic environment is one that was not created due to source due to JS source code @@ +750,5 @@ > + * this, the engine assumes there is no debugger and optimizes scope access > + * and creation accordingly. When the debugger wants to perform an unexpected > + * eval-in-frame (or other, similar environment-requiring operations), > + * fp->environmentChain is now incomplete: it may not contain all, or any, of > + * the EnvironmentObjects to represent the current scope. 
"may not" is misleading, so replace the part after the colon with "any or all of the EnvironmentObjects representing the current environment may have been optimized away." (or just delete the colon and everything after it, your call) @@ +956,5 @@ > +IsGlobalLexicalEnvironment(JSObject* env) > +{ > + return env->is<LexicalEnvironmentObject>() && > + env->as<LexicalEnvironmentObject>().isGlobal(); > +} Not in this version of the patch, but in Github: > // An frame's initial environment is the innermost environment typo ("An frame") And: > // If a function frame's CallObject, if present, is always the initial typo ("If a" should be "A") ::: js/src/vm/Interpreter-inl.h @@ +375,5 @@ > > + if (varobj->is<GlobalObject>()) { > + if (!varobj->compartment()->addToVarNames(cx, dn)) > + return false; > + } Shaking my head. I can't believe this got into the standard. The test for this is just ridiculous. ::: js/src/vm/Scope.h @@ +276,5 @@ > +}; > + > +// > +// A lexical scope that holds let and const bindings. There are 3 kinds of > +// LexicalScopes. Comment goes on to describe only two kinds. NamedLambda and StrictNamedLambda are missing. ;) @@ +628,5 @@ > +// > +// Scope of an eval. Holds var bindings. There are 2 kinds of EvalScopes. > +// > +// ScopeKind::StrictEval > +// A strict eval. Corresponds to a CallObject, where its var bindings lives. VarEnvironmentObject, not CallObject @@ +633,5 @@ > +// > +// ScopeKind::Eval > +// A sloppy eval. If this is a direct `eval()` call inside a parameter > +// default value expression, then this is like a StrictEval scope (per > +// spec). Anywhere else, this is an empty scope, used only in the frontend, Is this comment correct? The implementation doesn't seem to treat this scope "like a StrictEval scope": it doesn't emit JSOP_PUSHVARENV, anyway, and it wasn't clear what else this was supposed to mean. 
::: js/src/vm/Stack-inl.h @@ +182,5 @@ > { > + MOZ_ASSERT(*environmentChain() == env.enclosingEnvironment()); > + envChain_ = &env; > + if (mozilla::IsSame<SpecificEnvironment, CallObject>::value || > + mozilla::IsSame<SpecificEnvironment, VarEnvironmentObject>::value) I had a comment about this, but it looks like you already factored this out into a function (because it got weirder). Yay? ::: js/src/vm/Stack.h @@ +280,5 @@ > > RESUMED_GENERATOR = 0x2, /* frame is for a resumed generator invocation */ > > /* Function prologue state */ > + HAS_INITIAL_ENV = 0x4, /* call obj created function or var env for eval */ This comment didn't help me. @@ +481,5 @@ > * arguments, missing formal arguments are padded with |undefined|. > * > + * When a local/formal variable is aliased (accessed by nested closures, > + * environment operations, or 'arguments'), the canonical location for > + * that value is the slot of an activation object. Aliased locals don't Can we s/activation/environment/ globally? @@ +525,2 @@ > * > + * Given that an InterpreterFrame corresponds roughly to a ES5 Execution While you're here: "a ES5" -> "an ES". (Really this whole comment is not great.)
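Review bot: The `addToVarNames` branch in the js/src/vm/Interpreter-inl.h hunk has no comment saying why a var declared on a `GlobalObject` must also be recorded on its compartment; since even the reviewer found the behaviour surprising, a one-line comment naming the spec requirement it implements (and noting that it is only done for `GlobalObject` var objects) would spare the next reader the same confusion.

Review bot: The `HAS_INITIAL_ENV` comment in the js/src/vm/Stack.h hunk, `/* call obj created function or var env for eval */`, reads as two fragments and does not say what the flag actually records; consider spelling it out, for example `/* the initial env (CallObject for a function, VarEnvironmentObject for an eval) has been pushed */`, so that it matches the "initial environment" wording used elsewhere in the patch.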
Comment on attachment 8780730 [details] [diff] [review] Rewrite the frontend: bindings. Review of attachment 8780730 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsscript.cpp @@ +279,5 @@ > { > + ScopeArray* scopes = script->scopes(); > + GCPtrScope* vector = scopes->vector; > + unsigned length = scopes->length; > + for (uint32_t i = 0; i < length; ++i) { Types of `length` and `i` might as well match here. ::: js/src/octane/run-deltablue.js @@ +51,5 @@ > } > > > BenchmarkSuite.config.doWarmup = undefined; > +BenchmarkSuite.config.doDeterministic = true; Looks like you probably don't mean to land this.
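Review bot: In the js/src/jsscript.cpp hunk, `unsigned length = scopes->length;` is compared against a `uint32_t i` loop index; declare `length` as `uint32_t` too (or as whatever type `ScopeArray::length` has) so the comparison involves no implicit conversion and the intent is clear at a glance.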
Attachment #8783055 - Flags: review?(jorendorff) → review+
Attachment #8780730 - Flags: review?(jorendorff) → review+
Attached file Review comments (deleted) —
Apologies for the format; Bugzilla claims to me that I can't post review comments longer than 64K or something insane. IT'S NOT MY FAULT! I think the only thing that really needs my over-IRC discussion is the naming of notePositionalFormalParameter and all the other note* functions. Will try to catch you so we can iron that out firstmost, then you won't be blocked because I happen not to be around to discuss something.
Attachment #8780730 - Flags: review?(jwalden+bmo) → review+
THANK YOU FRIENDS FOR REVIEWING
Blocks: 1297706
Pushed by shu@rfrn.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/dbf7b0e7dc66 Fix Scope->zone() comparison to use zoneFromAnyThread to fix CLOSED TREE.
FYI, this rewrite improved a few benchmarks on AWFY: Octane-MandreelLatency and SS-date-format-tofte
Attachment #8780730 - Flags: review?(efaustbmo)
Blocks: 1298640
Depends on: 1299584
Depends on: 1303118
Depends on: 1301301
Depends on: 1287047
Depends on: 1305333
Depends on: 1302692
Depends on: 1311316
Depends on: 1315856
Depends on: 1324773
Depends on: 1342101
Regressions: 1703760
Regressions: 1839053
No longer regressions: 1839053