Closed Bug 1617168 Opened 4 years ago Closed 4 years ago

Assertion failure: isMemberExpression || isCallExpression (Unknown ParseNodeKind for OptionalChain), at frontend/BytecodeEmitter.cpp:7801

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

RESOLVED FIXED
mozilla76
Tracking Status
firefox-esr68 --- unaffected
firefox74 --- unaffected
firefox75 --- unaffected
firefox76 --- fixed

People

(Reporter: decoder, Assigned: yulia)

References

(Regression)

Details

(5 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 5f2e62175414+ (build with --disable-jemalloc --enable-address-sanitizer --enable-gczeal --enable-optimize="-O2 -g" --enable-fuzzing --enable-debug --without-intl-api, run with --fuzzing-safe):

delete[1]?.r[delete[1]?.r1]

Backtrace:

==20276==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d616faeffd bp 0x7ffe775bcc70 sp 0x7ffe775bcac0 T0)
==20276==The signal is caused by a WRITE memory access.
==20276==Hint: address points to the zero page.
    #0 0x55d616faeffc in js::frontend::BytecodeEmitter::emitOptionalTree(js::frontend::ParseNode*, js::frontend::OptionalEmitter&, js::frontend::ValueUsage) js/src/frontend/BytecodeEmitter.cpp:7800:7
    #1 0x55d616fad74e in js::frontend::BytecodeEmitter::emitDeleteElementInOptChain(js::frontend::PropertyByValueBase*, js::frontend::OptionalEmitter&) js/src/frontend/BytecodeEmitter.cpp:6885:8
    #2 0x55d616facf7c in js::frontend::BytecodeEmitter::emitDeleteOptionalChain(js::frontend::UnaryNode*) js/src/frontend/BytecodeEmitter.cpp:6783:12
    #3 0x55d616f65457 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) js/src/frontend/BytecodeEmitter.cpp:10089:12
    #4 0x55d616faa339 in js::frontend::BytecodeEmitter::emitExpressionStatement(js::frontend::UnaryNode*) js/src/frontend/BytecodeEmitter.cpp:6608:10
    #5 0x55d616f66468 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) js/src/frontend/BytecodeEmitter.cpp:9933:12
    #6 0x55d616f6579e in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) js/src/frontend/BytecodeEmitter.cpp:6552:10
    #7 0x55d616f6579e in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) js/src/frontend/BytecodeEmitter.cpp:9924:12
    #8 0x55d616f73f4c in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) js/src/frontend/BytecodeEmitter.cpp:2461:10
    #9 0x55d616ffdfdc in js::frontend::ScriptCompiler<mozilla::Utf8Unit>::compileScript(js::frontend::CompilationInfo&, JS::Handle<JSObject*>, js::frontend::SharedContext*) js/src/frontend/BytecodeCompiler.cpp:512:21
    #10 0x55d616f31dbf in JSScript* CreateGlobalScript<mozilla::Utf8Unit>(js::frontend::CompilationInfo&, js::frontend::GlobalSharedContext&, JS::SourceText<mozilla::Utf8Unit>&) js/src/frontend/BytecodeCompiler.cpp:204:17
    #11 0x55d616f31dbf in js::frontend::CompileGlobalScript(js::frontend::CompilationInfo&, js::frontend::GlobalSharedContext&, JS::SourceText<mozilla::Utf8Unit>&) js/src/frontend/BytecodeCompiler.cpp:223:10
    #12 0x55d6159febc7 in JSScript* CompileSourceBuffer<mozilla::Utf8Unit>(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&) js/src/vm/CompilationAndEvaluation.cpp:78:10
    #13 0x55d6159ff975 in JS::CompileUtf8FileDontInflate(JSContext*, JS::ReadOnlyCompileOptions const&, _IO_FILE*) js/src/vm/CompilationAndEvaluation.cpp:150:10
    #14 0x55d615316e4e in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) js/src/shell/js.cpp:887:16
    #15 0x55d615314b13 in Process(JSContext*, char const*, bool, FileKind) js/src/shell/js.cpp:1529:14
    #16 0x55d615285084 in ProcessArgs(JSContext*, js::cli::OptionParser*) js/src/shell/js.cpp:10085:10
    #17 0x55d615285084 in Shell(JSContext*, js::cli::OptionParser*, char**) js/src/shell/js.cpp:10697:10
    #18 0x55d61527145e in main js/src/shell/js.cpp:11381:12
    #19 0x7f51c52a2b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #20 0x55d6151b1029 in _start (js/src/debug64asan/dist/bin/js+0x2185029)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/frontend/BytecodeEmitter.cpp:7800:7 in js::frontend::BytecodeEmitter::emitOptionalTree(js::frontend::ParseNode*, js::frontend::OptionalEmitter&, js::frontend::ValueUsage)
==20276==ABORTING

This was found by libFuzzer \o/

Attached file: Testcase (deleted)
Regressed by: 1566143
Has Regression Range: --- → yes

Jason, does this make sense for Yulia to look at? It seems it could be Optional Chaining related.

Flags: needinfo?(jorendorff)
Flags: needinfo?(ystartsev)
Assignee: nobody → ystartsev
Flags: needinfo?(ystartsev)
Flags: needinfo?(jorendorff)
Priority: -- → P1

Can someone else take care of the patch/review since Yulia is on PTO?

Flags: needinfo?(sdetar)

(In reply to Jens Stutte [:jstutte] from comment #4)

> Can someone else take care of the patch/review since Yulia is on PTO?

Hey Jens, I see you're the FF 75 REO. This is a corner case that affects only debug builds, so it doesn't affect actual browser builds in any way. I'll set the status to unaffected to hide it from release tracking dashboards.

Flags: needinfo?(sdetar)
Pushed by ystartsev@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1b366cf1e157
handle DeleteOptionalChainExpr and OptionalExpr in emitOptionalTree; r=jorendorff

Backed out changeset 1b366cf1e157 (Bug 1617168) for bustages complaining about optional-chain.js

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=success%2Ctestfailed%2Cbusted%2Cexception&classifiedState=unclassified&fromchange=fb90c9d681983e815377955166855f659b510005&searchStr=spidermonkey%2Cbuilds&tochange=956f705663758405f2c027b1f3dba82f60f90589&selectedJob=293294756

Backout link: https://hg.mozilla.org/integration/autoland/rev/cce6671e42ecb21ea0029ee0d2adaeaa83083e07

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=293294756&repo=autoland&lineNumber=254751

...
[task 2020-03-16T10:15:45.669Z] TEST-PASS | non262/expressions/optional-chain-super-elem.js | (args: "--dll /builds/worker/workspace/breakpad-tools/libbreakpadinjector.so --baseline-eager") [0.1 s]
[task 2020-03-16T10:15:45.669Z] TEST-PASS | non262/expressions/optional-chain-super-elem.js | (args: "--dll /builds/worker/workspace/breakpad-tools/libbreakpadinjector.so --no-blinterp --no-baseline --no-ion --more-compartments") [0.1 s]
[task 2020-03-16T10:15:45.669Z] TEST-PASS | non262/expressions/optional-chain.js | (args: "--dll /builds/worker/workspace/breakpad-tools/libbreakpadinjector.so") [0.1 s]
[task 2020-03-16T10:15:45.669Z] ## non262/expressions/optional-chain.js: rc = 3, run time = 0.072253
[task 2020-03-16T10:15:45.669Z] 1566143: Implement the Optional Chain operator (?.) proposal
[task 2020-03-16T10:15:45.669Z] /builds/worker/workspace/build/src/js/src/tests/non262/expressions/optional-chain.js:49:15 Error: TypeError has wrong message!, expected can't access property "undefined", [...].r is undefined but got can't access property "undefined" of undefined
[task 2020-03-16T10:15:45.669Z] Stack:
[task 2020-03-16T10:15:45.669Z]   shouldThrowTypeError@/builds/worker/workspace/build/src/js/src/tests/non262/expressions/optional-chain.js:49:15
[task 2020-03-16T10:15:45.669Z]   @/builds/worker/workspace/build/src/js/src/tests/non262/expressions/optional-chain.js:223:21
[task 2020-03-16T10:15:45.669Z] TEST-UNEXPECTED-FAIL | non262/expressions/optional-chain.js | (args: "--dll /builds/worker/workspace/breakpad-tools/libbreakpadinjector.so --ion-eager --ion-offthread-compile=off --more-compartments") [0.1 s]
[task 2020-03-16T10:15:45.669Z] ## non262/expressions/optional-chain.js: rc = 3, run time = 0.062321
[task 2020-03-16T10:15:45.669Z] 1566143: Implement the Optional Chain operator (?.) proposal
[task 2020-03-16T10:15:45.669Z] /builds/worker/workspace/build/src/js/src/tests/non262/expressions/optional-chain.js:49:15 Error: TypeError has wrong message!, expected can't access property "undefined", [...].r is undefined but got can't access property "undefined" of undefined
[task 2020-03-16T10:15:45.669Z] Stack:
[task 2020-03-16T10:15:45.670Z]   shouldThrowTypeError@/builds/worker/workspace/build/src/js/src/tests/non262/expressions/optional-chain.js:49:15
[task 2020-03-16T10:15:45.670Z]   @/builds/worker/workspace/build/src/js/src/tests/non262/expressions/optional-chain.js:223:21
[task 2020-03-16T10:15:45.670Z] TEST-UNEXPECTED-FAIL | non262/expressions/optional-chain.js | (args: "--dll /builds/worker/workspace/breakpad-tools/libbreakpadinjector.so --baseline-eager") [0.1 s]
[task 2020-03-16T10:15:45.670Z] TEST-PASS | non262/expressions/optional-chain.js | (args: "--dll /builds/worker/workspace/breakpad-tools/libbreakpadinjector.so --no-blinterp --no-baseline --no-ion --more-compartments") [0.1 s]
[task 2020-03-16T10:15:45.670Z] TEST-PASS | non262/expressions/primitive-this-boxing-behavior.js | (args: "--dll /builds/worker/workspace/breakpad-tools/libbreakpadinjector.so") [0.0 s]
[task 2020-03-16T10:15:45.749Z] TEST-PASS | non262/expressions/primitive-this-boxing-behavior.js | (args: "--dll /builds/worker/workspace/breakpad-tools/libbreakpadinjector.so --ion-eager --ion-offthread-compile=off --more-compartments") [0.1 s]
[task 2020-03-16T10:15:45.750Z] TEST-PASS | non262/expressions/primitive-this-boxing-behavior.js | (args: "--dll /builds/worker/workspace/breakpad-tools/libbreakpadinjector.so --baseline-eager") [0.1 s]
[task 2020-03-16T10:15:45.750Z] TEST-PASS | non262/expressions/primitive-this-boxing-behavior.js | (args: "--dll /builds/worker/workspace/breakpad-tools/libbreakpadinjector.so --no-blinterp --no-baseline --no-ion --more-compartments") [0.1 s]
...
Flags: needinfo?(ystartsev)
Depends on: 1622815
Flags: needinfo?(ystartsev)
Pushed by ystartsev@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/03ace54e7250
handle DeleteOptionalChainExpr and OptionalExpr in emitOptionalTree; r=jorendorff
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
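
An added example, not part of this bug report or of the SpiderMonkey test suite: a small JavaScript harness that runs the testcase from this bug plus constructed variants of `delete` nested inside an optional chain, and records whether each one fails at compile time or at run time. The names `CASES`, `evaluate` and `runCases` and every variant after the first are assumptions made for illustration; only error types are compared, because message text is engine-specific (as the failure log above shows).

```javascript
// Added example. Only the first source string is the testcase quoted in this
// bug; the other cases are constructed variants of the same shape.
const CASES = [
  // [1]?.r is undefined, so indexing it must throw at run time, not crash.
  { src: "delete[1]?.r[delete[1]?.r1]", want: "TypeError" },
  // Nullish base: the chain short-circuits and delete yields true.
  { src: "delete o?.r[delete [1]?.r1]", env: { o: null }, want: true },
  // Short-circuit must also skip the nested key expression (no side effect).
  { src: "delete o?.r[log.push(delete [1]?.r1)]",
    env: { o: undefined, log: [] }, want: true },
  // Live base: the inner delete runs first (key "true"), then the outer one.
  { src: "delete o?.r[delete o?.k]",
    env: { o: { r: { true: 1 }, k: 2 } }, want: true },
];

// Compile and run in separate steps so that a front-end failure is reported
// as "compile" and an ordinary exception as "run".
function evaluate(src, env = {}) {
  let fn;
  try {
    fn = new Function(...Object.keys(env), `return (${src});`);
  } catch (e) {
    return { stage: "compile", outcome: e.name };
  }
  try {
    return { stage: "run", outcome: fn(...Object.values(env)) };
  } catch (e) {
    return { stage: "run", outcome: e.name };
  }
}

// Evaluate every case and compare against the expected value or error name.
function runCases(cases = CASES) {
  return cases.map(({ src, env, want }) => {
    const { stage, outcome } = evaluate(src, env);
    return { src, stage, outcome, ok: stage === "run" && outcome === want };
  });
}

for (const r of runCases()) {
  console.log(`${r.ok ? "PASS" : "FAIL"} [${r.stage}] ${r.src} -> ${r.outcome}`);
}
```

A debug build that still hits the assertion aborts the whole process instead of printing a FAIL line, so run the harness in a child process when using it as a regression check.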