Closed Bug 1300517 Opened 8 years ago Closed 8 years ago

Crash [@ JSFunction::isDerivedClassConstructor] or Assertion failure: frame.script()->isDirectEvalInFunction(), at vm/Interpreter.cpp:5049

Categories

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla51

Tracking Status
firefox48 --- unaffected
firefox49 --- unaffected
firefox50 --- unaffected
firefox51 --- fixed

People

Reporter: decoder
Assignee: Unassigned

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision d0830980ffdb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-optimize, run with --fuzzing-safe min.js):

g = newGlobal();                 // debuggee global
g.log *= "";                     // g.log becomes NaN; the value is irrelevant
// Debugger.Frame.eval runs code in the paused frame, which reads `this`
Debugger(g).onDebuggerStatement = frame => frame.eval("log += this.Math.toString();");
let forceException = g.eval(`
  (class extends class {} {
    constructor() {
      debugger;                  // paused before super(): `this` is still uninitialized
    }
  })
`);
new forceException;

Backtrace:

received signal SIGSEGV, Segmentation fault.
JSFunction::isDerivedClassConstructor (this=0x0) at js/src/jsfun.cpp:1343
#0  JSFunction::isDerivedClassConstructor (this=0x0) at js/src/jsfun.cpp:1343
#1  0x00000000008b0c17 in js::ThrowUninitializedThis (cx=0x7ffff694d000, frame=...) at js/src/vm/Interpreter.cpp:5059
#2  0x00000000008d476a in Interpret (cx=0x7ffff694d000, state=...) at js/src/vm/Interpreter.cpp:2605
#3  0x00000000008d4b90 in js::RunScript (cx=cx@entry=0x7ffff694d000, state=...) at js/src/vm/Interpreter.cpp:400
#4  0x00000000008da68e in js::ExecuteKernel (cx=cx@entry=0x7ffff694d000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=result@entry=0x7fffffffb830) at js/src/vm/Interpreter.cpp:681
#5  0x0000000000880305 in EvaluateInEnv (pc=0x0, rval=..., lineno=1, filename=0xd844ed "debugger eval code", chars=..., frame=..., env=..., cx=<optimized out>) at js/src/vm/Debugger.cpp:7434
#6  DebuggerGenericEval (cx=cx@entry=0x7ffff694d000, chars=..., bindings=..., bindings@entry=..., options=..., status=@0x7fffffffc03c: 32767, value=..., dbg=0x7ffff697a000, envArg=..., iter=0x7fffffffbb88) at js/src/vm/Debugger.cpp:7520
#7  0x0000000000880e50 in js::DebuggerFrame::eval (cx=cx@entry=0x7ffff694d000, frame=..., frame@entry=..., chars=..., bindings=bindings@entry=..., options=..., status=@0x7fffffffc03c: 32767, value=...) at js/src/vm/Debugger.cpp:7542
#8  0x000000000088103f in js::DebuggerFrame::evalMethod (cx=0x7ffff694d000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8119
#9  0x00000000008d4e00 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff694d000) at js/src/jscntxtinlines.h:235
#10 js::InternalCallOrConstruct (cx=0x7ffff694d000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:454
#11 0x00000000008d0601 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:505
#12 Interpret (cx=0x7ffff694d000, state=...) at js/src/vm/Interpreter.cpp:2916
#13 0x00000000008d4b90 in js::RunScript (cx=cx@entry=0x7ffff694d000, state=...) at js/src/vm/Interpreter.cpp:400
#14 0x00000000008d4d42 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff694d000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:472
#15 0x00000000008d4f75 in InternalCall (cx=cx@entry=0x7ffff694d000, args=...) at js/src/vm/Interpreter.cpp:499
#16 0x00000000008d4fd8 in js::Call (cx=cx@entry=0x7ffff694d000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:518
#17 0x0000000000812040 in js::Call (cx=0x7ffff694d000, fval=fval@entry=..., thisObj=<optimized out>, arg0=arg0@entry=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.h:114
#18 0x00000000008869d5 in js::Debugger::fireDebuggerStatement (this=this@entry=0x7ffff697a000, cx=cx@entry=0x7ffff694d000, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1688
#19 0x0000000000887031 in js::Debugger::<lambda(js::Debugger*)>::operator() (dbg=0x7ffff697a000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:970
#20 js::Debugger::dispatchHook<js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)>, js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)> > (fireHook=..., cx=<optimized out>, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1827
#21 js::Debugger::slowPathOnDebuggerStatement (cx=<optimized out>, frame=...) at js/src/vm/Debugger.cpp:971
#22 0x00000000008d21df in js::Debugger::onDebuggerStatement (frame=..., cx=<optimized out>) at js/src/vm/Debugger-inl.h:58
#23 Interpret (cx=0x7ffff694d000, state=...) at js/src/vm/Interpreter.cpp:3746
#24 0x00000000008d4b90 in js::RunScript (cx=cx@entry=0x7ffff694d000, state=...) at js/src/vm/Interpreter.cpp:400
#25 0x00000000008d4d42 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff694d000, args=..., construct=construct@entry=js::CONSTRUCT) at js/src/vm/Interpreter.cpp:472
#26 0x00000000008d9eed in InternalConstruct (cx=cx@entry=0x7ffff694d000, args=...) at js/src/vm/Interpreter.cpp:547
#27 0x00000000008da00b in js::Construct (cx=cx@entry=0x7ffff694d000, fval=..., fval@entry=..., args=..., newTarget=..., objp=..., objp@entry=...) at js/src/vm/Interpreter.cpp:596
#28 0x000000000083d705 in js::Wrapper::construct (this=this@entry=0x1a5e8a0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff694d000, proxy=..., proxy@entry=..., args=...) at js/src/proxy/Wrapper.cpp:184
#29 0x000000000080d148 in js::CrossCompartmentWrapper::construct (this=0x1a5e8a0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff694d000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:353
#30 0x000000000080bf2d in js::Proxy::construct (args=..., proxy=..., cx=0x7ffff694d000) at js/src/proxy/Proxy.cpp:420
#31 js::proxy_Construct (cx=0x7ffff694d000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:699
#32 0x00000000008d9de0 in js::CallJSNative (args=..., native=0x80be40 <js::proxy_Construct(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff694d000) at js/src/jscntxtinlines.h:235
[...]
#45 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7657

rax 0x0 0
rbx 0x7ffff694d000 140737330335744
rcx 0x7ffff069b230 140737226846768
rdx 0x7ffff694d000 140737330335744
rsi 0x7ffff03b21a0 140737223795104
rdi 0x0 0
rbp 0x7fffffffb480 140737488336000
rsp 0x7fffffffb048 140737488334920
r8  0x3b 59
r9  0x7 7
r10 0x7ffff04b9800 140737224873984
r11 0x1b 27
r12 0x1a3b2a0 27505312
r13 0x7fffffffb440 140737488335936
r14 0x7ffff694d000 140737330335744
r15 0x7ffff69281d0 140737330184656
rip 0x779780 <JSFunction::isDerivedClassConstructor()>
=> 0x779780 <JSFunction::isDerivedClassConstructor()>:   movzwl 0x22(%rdi),%eax
   0x779784 <JSFunction::isDerivedClassConstructor()+4>: test   $0x2,%ah
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150917233551" and the hash "7641104770a80015e63597b58cb312fefcbd9ab4".
The "bad" changeset has the timestamp "20160905032019" and the hash "6e9706730af84fb7121e1dc0cbf00bb0906e5efa".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7641104770a80015e63597b58cb312fefcbd9ab4&tochange=6e9706730af84fb7121e1dc0cbf00bb0906e5efa
Here's a better bisection window:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160825005824" and the hash "181336fdda6625d8ffa5e5764b817cc3da1f9659".
The "bad" changeset has the timestamp "20160825011927" and the hash "bd702fa23037799ab4dd266d8a2b59d021f6cfa8".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=181336fdda6625d8ffa5e5764b817cc3da1f9659&tochange=bd702fa23037799ab4dd266d8a2b59d021f6cfa8

Shu-yu, is bug 1263355 a likely regressor?
Blocks: 1263355
Flags: needinfo?(shu)
We don't have to worry about baseline frames because even baseline doesn't compile Debugger evals.
Attachment #8788831 - Flags: review?(jdemooij)
Comment on attachment 8788831 [details] [diff] [review]
Handle Debugger.Frame.evals when throwing uninitialized 'this'.

Review of attachment 8788831 [details] [diff] [review]:
-----------------------------------------------------------------

Do we use a different scope chain now for Debugger eval-in-frame than before the rewrite? Not sure why this is a problem now.
Attachment #8788831 - Flags: review?(jdemooij) → review+
(In reply to Jan de Mooij [:jandem] from comment #4)
> Comment on attachment 8788831 [details] [diff] [review]
> Handle Debugger.Frame.evals when throwing uninitialized 'this'.
>
> Review of attachment 8788831 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> Do we use a different scope chain now for Debugger eval-in-frame than before
> the rewrite? Not sure why this is a problem now.

We used to keep a flag on scripts for its being a direct eval in a function or a Debugger eval-in-frame. I replaced this flag with looking at the scope chain only, but that missed the Debugger case. Debugger evals have as their outermost scope something of ScopeKind::NonSyntactic and not ScopeKind::Function.
Flags: needinfo?(shu)
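Added example, not code from the bug report or from SpiderMonkey. The backtrace above shows what went wrong mechanically: js::ThrowUninitializedThis asked JSFunction::isDerivedClassConstructor on a null function (this=0x0, rdi=0 at the faulting movzwl 0x22(%rdi),%eax), because for a Debugger.Frame.prototype.eval script the scope-chain walk that replaced the old isDirectEvalInFunction flag found a ScopeKind::NonSyntactic outermost scope instead of the enclosing constructor's ScopeKind::Function. The engine needs that enclosing function for one reason: only a derived-class constructor may legitimately observe an uninitialized `this` before super(), and the error it throws depends on that. The block below maps out which ways of reaching `this` from inside a derived constructor hit that uninitialized binding and which do not, including the direct-versus-indirect eval split that is the heart of "direct eval in a function". Debugger.Frame.eval exists only in the SpiderMonkey shell, so the crashing path itself is not reproducible here; this runs under Node.js or any ES2015+ engine.

```javascript
// Added example (not from the bug report or SpiderMonkey): which evaluation
// contexts inside a derived-class constructor, before super() has run, hit the
// uninitialized `this` binding. Runs under Node.js; no engine internals used.

class Base {}

// Classify the outcome of running `fn`: "ok", the TDZ ReferenceError that
// ES2015 mandates for an uninitialized `this`, or some other error name.
function outcome(fn) {
  try {
    fn();
    return "ok";
  } catch (e) {
    return e instanceof ReferenceError ? "ReferenceError" : "other:" + e.name;
  }
}

// Case 1: `this` touched directly in the constructor's own frame before super().
// The frame's callee is the derived constructor, the easy case.
function plainThisBeforeSuper() {
  class D extends Base {
    constructor() { this.x = 1; super(); }
  }
  return outcome(() => new D());
}

// Case 2: direct eval. The eval frame has no callee of its own, so an engine has
// to recover the enclosing constructor from the scope chain to know that an
// uninitialized `this` here is the derived-constructor case. Still throws.
function directEvalThisBeforeSuper() {
  class D extends Base {
    constructor() { eval("this.x = 1"); super(); }
  }
  return outcome(() => new D());
}

// Case 3: indirect eval runs as global code; its `this` is the global object,
// not the constructor's binding, so nothing is uninitialized and it succeeds.
// This is why "direct eval in a function" is the property worth tracking.
function indirectEvalThisBeforeSuper() {
  class D extends Base {
    constructor() { (0, eval)("this.__probe = 1"); super(); }
  }
  return outcome(() => new D());
}

// Case 4: an arrow function captures the constructor's `this` lexically, so
// calling it before super() reads the same uninitialized binding.
function arrowThisBeforeSuper() {
  class D extends Base {
    constructor() { const peek = () => this; peek(); super(); }
  }
  return outcome(() => new D());
}

// Case 5: once super() has returned the binding is initialized, and a direct
// eval in the same constructor sees it normally.
function directEvalThisAfterSuper() {
  class D extends Base {
    constructor() { super(); eval("this.x = 1"); }
  }
  return outcome(() => new D());
}

// Case 6: a derived constructor that never calls super() and never mentions
// `this` still throws on return, because the implicit `return this` reads
// the uninitialized binding.
function noSuperAtAll() {
  class D extends Base {
    constructor() {}
  }
  return outcome(() => new D());
}

// Summary table for running this file directly.
function summary() {
  return {
    plainThisBeforeSuper: plainThisBeforeSuper(),
    directEvalThisBeforeSuper: directEvalThisBeforeSuper(),
    indirectEvalThisBeforeSuper: indirectEvalThisBeforeSuper(),
    arrowThisBeforeSuper: arrowThisBeforeSuper(),
    directEvalThisAfterSuper: directEvalThisAfterSuper(),
    noSuperAtAll: noSuperAtAll(),
  };
}

console.log(summary());
```

Cases 2 and 3 are the pair that matters for this bug: both are `eval`, but only the direct one shares the constructor's `this` binding, and an engine that decides "is this an eval inside a derived constructor?" purely from the surrounding scopes must handle every kind of outermost scope an eval script can have, including the non-syntactic one that Debugger.Frame.eval creates.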
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/75582480f782
Handle Debugger.Frame.evals when throwing uninitialized 'this'. (r=jandem)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51