Closed Bug 1547467 Opened 6 years ago Closed 6 years ago

Assertion failure: JSID_IS_ATOM(id) && frontend::IsIdentifierNameOrPrivateName(JSID_TO_ATOM(id)), at js/src/vm/StringType.cpp:2216

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla69
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- wontfix
firefox69 --- fixed

People

(Reporter: decoder, Assigned: khyperia)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Bug 1547467 - Introduce another scope for .initializers, and remove .localInitializers.
(deleted), text/x-phabricator-request
Details

The following testcase crashes on mozilla-central revision 0ec836eceb96 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2):

class foo extends null {
    constructor(a = class bar extends bar {}) {}
}
new foo();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::IdToPrintableUTF8 (cx=<optimized out>, cx@entry=0x7ffff5f19000, id=id@entry=..., behavior=behavior@entry=js::IdToPrintableBehavior::IdIsIdentifier) at js/src/vm/StringType.cpp:2214
#1  0x00005555558d0726 in js::ReportRuntimeLexicalError (id=..., errorNumber=79, cx=0x7ffff5f19000) at js/src/vm/Interpreter.cpp:5304
#2  js::ReportRuntimeLexicalError (cx=<optimized out>, cx@entry=0x7ffff5f19000, errorNumber=errorNumber@entry=79, name=..., name@entry=...) at js/src/vm/Interpreter.cpp:5313
#3  0x00005555558d3dbb in js::ReportRuntimeLexicalError (cx=0x7ffff5f19000, errorNumber=79, script=..., pc=0x7ffff5ffb6a3 "\212\002") at js/src/vm/Interpreter.cpp:5336
#4  0x00005555558e5655 in js::ReportUninitializedLexical (pc=<optimized out>, script=..., cx=<optimized out>) at js/src/vm/Interpreter-inl.h:109
#5  js::CheckUninitializedLexical (val=..., pc=<optimized out>, script=..., cx=<optimized out>) at js/src/vm/Interpreter-inl.h:125
#6  Interpret (cx=0x7ffff5f19000, state=...) at js/src/vm/Interpreter.cpp:3445
#7  0x00005555558e8716 in js::RunScript (cx=0x7ffff5f19000, state=...) at js/src/vm/Interpreter.cpp:423
[...]
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11373
rax	0x555557c90360	93825033372512
rbx	0x7fffffffc7a0	140737488340896
rcx	0x555556bc6880	93825015769216
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffc760	140737488340832
rsp	0x7fffffffc700	140737488340736
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x0	0
r13	0x7fffffffc788	140737488340872
r14	0x7ffff5f19000	140737319636992
r15	0x7fffffffca80	140737488341632
rip	0x555555cbb5e1 <js::IdToPrintableUTF8(JSContext*, JS::Handle<JS::PropertyKey>, js::IdToPrintableBehavior)+465>
=> 0x555555cbb5e1 <js::IdToPrintableUTF8(JSContext*, JS::Handle<JS::PropertyKey>, js::IdToPrintableBehavior)+465>:	movl   $0x0,0x0
   0x555555cbb5ec <js::IdToPrintableUTF8(JSContext*, JS::Handle<JS::PropertyKey>, js::IdToPrintableBehavior)+476>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/d11fc84ce16f user: Ashley Hauck date: Thu Apr 11 23:07:06 2019 +0000 summary: Bug 1542448 - Copy .initializers to .localInitializers for derived classes. r=jorendorff This iteration took 498.677 seconds to run.

Ashley, is bug 1542448 a likely regressor?

Flags: needinfo?(khyperia)
Regressed by: 1542448
Flags: needinfo?(khyperia)
Priority: -- → P1
Assignee: nobody → khyperia
Status: NEW → ASSIGNED
Pushed by dvarga@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/6004e7f60bb6 Introduce another scope for .initializers, and remove .localInitializers. r=jorendorff
Pushed by ahauck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b0583bec1768 Introduce another scope for .initializers, and remove .localInitializers. r=jorendorff
Flags: needinfo?(khyperia)

https://hg.mozilla.org/mozilla-central/rev/b0583bec1768

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox69: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Regressions: 1553744

Is this worth uplifting to 68?

Flags: needinfo?(khyperia)

I don't know - punting to sdetar for that question.

However, if you do take this, you should also take the bugs that were caused by this (bug 1553744 then bug 1555979).

Flags: needinfo?(khyperia) → needinfo?(sdetar)

Talking with Ashley about this, I would currently considering not recommending uplifting this Fx68 unless there is significant reason to do so as there seems to be some risks in doing so. These risks come from this is a complex problem to fix as well as a number of other dependent patches will also have to be uplifted. It does not seem like a simple uplift.

Jason, do you have any thoughts on that?

Flags: needinfo?(sdetar) → needinfo?(jorendorff)

I agree: don't uplift. The feature is behind a pref.

Flags: needinfo?(jorendorff)
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: