The following testcase crashes on mozilla-central revision a551f534773c (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --ion-offthread-compile=off min.js): h = Function("b", "b", "c", "...rest", "return rest.toString();"); Backtrace: received signal SIGSEGV, Segmentation fault. 0x088c3016 in js::frontend::BytecodeEmitter::EmitterScope::enterFunction (this=0xffffba5c, bce=0xffffbbb4, funbox=0xf79cd050) at js/src/frontend/BytecodeEmitter.cpp:1051 #0 0x088c3016 in js::frontend::BytecodeEmitter::EmitterScope::enterFunction (this=0xffffba5c, bce=0xffffbbb4, funbox=0xf79cd050) at js/src/frontend/BytecodeEmitter.cpp:1051 #1 0x088c32a8 in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody (this=0xffffbbb4, pn=0xf79cd030) at js/src/frontend/BytecodeEmitter.cpp:8627 #2 0x088c43c2 in js::frontend::BytecodeEmitter::emitTree (this=0xffffbbb4, pn=0xf79cd030, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9026 #3 0x088c5873 in js::frontend::BytecodeEmitter::emitFunctionScript (this=0xffffbbb4, body=0xf79cd030) at js/src/frontend/BytecodeEmitter.cpp:4228 #4 0x088c5c4a in BytecodeCompiler::compileFunctionBody (this=0xffffbdb8, fun=..., formals=..., generatorKind=js::NotGenerator) at js/src/frontend/BytecodeCompiler.cpp:474 #5 0x088c5d83 in CompileFunctionBody (cx=cx@entry=0xf792d000, fun=fun@entry=..., options=..., formals=..., srcBuf=..., enclosingScope=..., generatorKind=js::NotGenerator) at js/src/frontend/BytecodeCompiler.cpp:692 #6 0x088c5f72 in js::frontend::CompileFunctionBody (cx=0xf792d000, fun=..., options=..., formals=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:711 #7 0x085608dc in FunctionConstructor (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>, generatorKind=js::NotGenerator) at js/src/jsfun.cpp:1863 #8 0x08704f7b in js::CallJSNative (cx=0xf792d000, native=0x85614e0 <js::Function(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235 #9 0x086fc366 in js::InternalCallOrConstruct (cx=0xf792d000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:454 [...] #22 main (argc=4, argv=0xffffd8f4, envp=0xffffd908) at js/src/shell/js.cpp:7614 eax 0x0 0 ebx 0xf7946580 -141269632 ecx 0xf7da4864 -136689564 edx 0x0 0 esi 0xf7946594 -141269612 edi 0xffffb8e8 -18200 ebp 0xffffb968 4294949224 esp 0xffffb890 4294949008 eip 0x88c3016 <js::frontend::BytecodeEmitter::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)+3894> => 0x88c3016 <js::frontend::BytecodeEmitter::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)+3894>: movl $0x0,0x0 0x88c3020 <js::frontend::BytecodeEmitter::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)+3904>: ud2

Do you know when this regressed?

I restarted the bot and it will attempt to make a bisection. If that doesn't succeed, someone will have to manually bisect.

JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20160825005824" and the hash "181336fdda6625d8ffa5e5764b817cc3da1f9659". The "bad" changeset has the timestamp "20160825011927" and the hash "bd702fa23037799ab4dd266d8a2b59d021f6cfa8". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=181336fdda6625d8ffa5e5764b817cc3da1f9659&tochange=bd702fa23037799ab4dd266d8a2b59d021f6cfa8

Shu-yu, is bug 1263355 a likely regressor?

This assert is hitting because of a bug in the current Function constructor parameter parsing code. It should be fixed by bug 755821. If this is super urgent I can try to paper around it in the meantime, I guess.

This doesn't like we would want to uplift bug 755821 - do we have an alternative fix, or are we planning on shipping this regression in 51?

(In reply to Milan Sreckovic [:milan] from comment #6) > This doesn't like we would want to uplift bug 755821 - do we have an > alternative fix, or are we planning on shipping this regression in 51? This assertion is DEBUG-only, and on release builds, will erroneously allow certain corner-case inputs to the Function constructor that are not spec-compliant. It is not a regression in the sense we have never supported those inputs in a spec-compliant fashion. I'm fine with shipping this until bug 755821 is ready. Web content impact is minimal IMO.

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0ddfec7126ec).

JSBugMon: Bisection requested, failed due to error (try manually).

autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/0dc201de2d39 user: Tom Schuster date: Sat Oct 15 11:47:00 2016 +0900 summary: Bug 755821 - Parse arguments of Function constructor properly. r=shu Tom, is bug 755821 a likely fix?

Yes, see shu's comments.

Marking FIXED by bug 755821.