Assertion failure: isMemberExpression || isCallExpression || isOptionalExpression (Unknown ParseNodeKind for OptionalChain), at frontend/BytecodeEmitter.cpp:7982
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
Version | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected |
firefox75 | --- | wontfix |
firefox76 | --- | wontfix |
firefox77 | --- | wontfix |
firefox78 | --- | verified |
People
(Reporter: decoder, Assigned: yulia)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20200426-df251f2e0320 (debug build, run with --fuzzing-safe --no-threads):
(0 || 1 % $)?.$
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555561daac0 in js::frontend::BytecodeEmitter::emitOptionalTree(js::frontend::ParseNode*, js::frontend::OptionalEmitter&, js::frontend::ValueUsage) ()
#1 0x00005555561da8a7 in js::frontend::BytecodeEmitter::emitOptionalTree(js::frontend::ParseNode*, js::frontend::OptionalEmitter&, js::frontend::ValueUsage) ()
#2 0x00005555561deb6b in js::frontend::BytecodeEmitter::emitOptionalChain(js::frontend::UnaryNode*, js::frontend::ValueUsage) ()
#3 0x00005555561c437a in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#4 0x00005555561d95d2 in js::frontend::BytecodeEmitter::emitExpressionStatement(js::frontend::UnaryNode*) ()
#5 0x00005555561c45d0 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#6 0x00005555561d9442 in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) ()
#7 0x00005555561c45b0 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) ()
#8 0x00005555561c7b1f in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) ()
#9 0x00005555561ee881 in js::frontend::ScriptCompiler<mozilla::Utf8Unit>::compileScript(js::frontend::CompilationInfo&, JS::Handle<JSObject*>, js::frontend::SharedContext*) ()
#10 0x00005555561b5574 in js::frontend::CompileGlobalScript(js::frontend::CompilationInfo&, js::frontend::GlobalSharedContext&, JS::SourceText<mozilla::Utf8Unit>&) ()
#11 0x0000555555b2ae64 in JSScript* CompileSourceBuffer<mozilla::Utf8Unit>(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&) ()
#12 0x0000555555b2b0bb in JS::CompileUtf8File(JSContext*, JS::ReadOnlyCompileOptions const&, _IO_FILE*) ()
#13 0x00005555557ee884 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#14 0x00005555557edce4 in Process(JSContext*, char const*, bool, FileKind) ()
#15 0x00005555557931e1 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#16 0x000055555578a7cd in main ()
rax 0x555556fa5e6e 93825019829870
rbx 0x0 0
rcx 0x555557f9c908 93825036568840
rdx 0x0 0
rsi 0x7ffff6efd770 140737336301424
rdi 0x7ffff6efc540 140737336296768
rbp 0x7fffffffa560 140737488332128
rsp 0x7fffffffa510 140737488332048
r8 0x7ffff6efd770 140737336301424
r9 0x7ffff7f9bd00 140737353727232
r10 0x58 88
r11 0x7ffff6ba47a0 140737332791200
r12 0x7ffff5c68100 140737316815104
r13 0x0 0
r14 0x7fffffffa5d0 140737488332240
r15 0x7fffffffaa60 140737488333408
rip 0x5555561daac0 <js::frontend::BytecodeEmitter::emitOptionalTree(js::frontend::ParseNode*, js::frontend::OptionalEmitter&, js::frontend::ValueUsage)+864>
=> 0x5555561daac0 <_ZN2js8frontend15BytecodeEmitter16emitOptionalTreeEPNS0_9ParseNodeERNS0_15OptionalEmitterENS0_10ValueUsageE+864>: movl $0x1f2e,0x0
0x5555561daacb <_ZN2js8frontend15BytecodeEmitter16emitOptionalTreeEPNS0_9ParseNodeERNS0_15OptionalEmitterENS0_10ValueUsageE+875>: callq 0x555555818636 <abort>
Comment 1 (Reporter)•4 years ago
Comment 2•4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200428100141-a99c73301874.
The bug appears to have been introduced in the following build range:
> Start: 59873ee30955167ac1c6cc1eaafcbeda834ef74d (20200120154412)
> End: 83b4297580701442c304b9c45b08222cfc18cd02 (20200121001743)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=59873ee30955167ac1c6cc1eaafcbeda834ef74d&tochange=83b4297580701442c304b9c45b08222cfc18cd02
Comment 3•4 years ago
Yulia, could this be an issue related to Optional Chaining?
Comment 4 (Assignee)•4 years ago
@decoder found the following behavior: When a logical expression is paired with a binary expression that tries to access an undefined value, we get a segfault.
I poked around to see if this was due to something the OptionalChain implementation was causing, and it looks like it is related to folding binary expressions with unknown values.
Comment 5 (Assignee)•4 years ago
yep, it is related to the "allowed node" list that we have.
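The fuzzer testcase `(0 || 1 % $)?.$` is one instance of a broader class: an optional chain whose base is a logical or binary expression that the constant folder may rewrite before the OptionalChain emitter sees it (here `0 || X` folds to `X`, leaving a binary expression as the base). The following is an added regression-style check, not code from the bug report or from the SpiderMonkey tree. It assumes a current engine with optional chaining (Node 14 or later), defines `$` as a constructed object standing in for the testcase's identifier, and uses a deliberately undeclared identifier `notDefined` to show what the original testcase does at runtime once the compiler no longer asserts. It goes beyond the single testcase and covers several folded base shapes.

```javascript
"use strict";

// Added example (not from the bug report or the SpiderMonkey tree): a small
// regression-style suite for optional chains whose base is a logical or
// binary expression, the shape of the fuzzer testcase `(0 || 1 % $)?.$`.
// The bug was a compile-time assertion when the constant folder rewrote the
// base into a node kind the OptionalChain emitter did not expect; a fixed
// engine must compile every form below and give the spec-mandated results.

// Constructed stand-in for the `$` identifier used in the testcase.
const $ = { $: "member" };

// Each case wraps the expression in a thunk so that throws can be observed.
function optionalChainCases() {
  return [
    // `0 || X` folds to X, so the chain's base becomes a binary expression.
    { src: "(0 || 1 % 3)?.toString()", run: () => (0 || 1 % 3)?.toString(), expect: "1" },
    // The testcase's exact shape with `$` defined: 1 % {} is NaN, and NaN?.$ is undefined.
    { src: "(0 || 1 % $)?.$", run: () => (0 || 1 % $)?.$, expect: undefined },
    // Base folds to null: the chain short-circuits to undefined instead of throwing.
    { src: "(0 || null)?.$", run: () => (0 || null)?.$, expect: undefined },
    // Truthy left operand: folding keeps the object and the member read succeeds.
    { src: "($ || 1)?.$", run: () => ($ || 1)?.$, expect: "member" },
    // Optional call on a folded base.
    { src: "(1 && 'ab')?.toUpperCase()", run: () => (1 && "ab")?.toUpperCase(), expect: "AB" },
    // Short-circuit must skip the whole remaining chain, including the call.
    { src: "(undefined ?? null)?.missing()", run: () => (undefined ?? null)?.missing(), expect: undefined },
    // The original testcase at runtime: an unresolved identifier in the folded base
    // is a ReferenceError, which is the correct behaviour once the compiler no longer asserts.
    // `notDefined` is intentionally never declared.
    { src: "(0 || 1 % notDefined)?.$", run: () => (0 || 1 % notDefined)?.$, throws: ReferenceError },
  ];
}

// Evaluates each case and records whether the observed result (value or
// exception class) matches the expectation.
function runOptionalChainCases() {
  const results = [];
  for (const c of optionalChainCases()) {
    let actual;
    let error = null;
    try {
      actual = c.run();
    } catch (e) {
      error = e;
    }
    const ok = c.throws
      ? error instanceof c.throws
      : error === null && Object.is(actual, c.expect);
    results.push({ src: c.src, ok, actual, error });
  }
  return results;
}

// True when every case behaves as the specification requires.
function allOptionalChainCasesPass() {
  return runOptionalChainCases().every((r) => r.ok);
}

// Stand-alone run: one line per case.
for (const r of runOptionalChainCases()) {
  console.log(`${r.ok ? "PASS" : "FAIL"}  ${r.src}`);
}
```

Each case is a thunk so that a compile-time failure in the engine shows up as a parse error for the whole file, while a runtime exception is caught per case; that separation is the point of the bug, which was an emitter assertion rather than a semantic error.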
Pushed by ystartsev@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/88980549a854 Add BinaryExpressions to allowed list for Optional Chain; r=jorendorff
Comment 7•4 years ago
Backed out changeset 88980549a854 (bug 1633683) for causing build bustages on FoldConstants.cpp
Backout revision https://hg.mozilla.org/integration/autoland/rev/b3cc834a7ba174ac828bab9262ff6e52833ebb7e
Failure logs https://treeherder.mozilla.org/logviewer.html#?job_id=300259099&repo=autoland
https://treeherder.mozilla.org/logviewer.html#?job_id=300259117&repo=autoland
Yulia can you please take a look?
Pushed by ystartsev@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/43ed501d4487 Add BinaryExpressions to allowed list for Optional Chain; r=jorendorff
Comment 10 (bugherder)•4 years ago
Comment 11•4 years ago
The patch landed in nightly and beta is affected.
:yulia, is this bug important enough to require an uplift? If not, please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Comment 12 (Assignee)•4 years ago
I don't think this is important enough to need an uplift.
Comment 13•4 years ago
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200518152416-a627b6676824. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.