WebKit Bugzilla
Bug 157091: Assertion failure for super() call in direct eval in method function
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=157091

Reported by André Bargull, 2016-04-27 10:44:36 PDT
SVN: rev200124
Build with: perl Tools/Scripts/build-jsc --gtk --debug

The following test case triggers this assertion error:
---
ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
---

Test case:
---
(new class {m(){ eval("super()") }}).m()
---

Stack trace:
---
#0  0x00007ffff6e289ac in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:322
#1  0x00007ffff6478daa in JSC::FunctionCallValueNode::emitBytecode (this=0x7fffafdec038, generator=..., dst=0x7ffff0dd8948) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:762
#2  0x00007ffff6449637 in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0d98000, dst=0x7ffff0dd8948, n=0x7fffafdec038) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:415
#3  0x00007ffff6449521 in JSC::BytecodeGenerator::emitNode (this=0x7ffff0d98000, dst=0x7ffff0dd8948, n=0x7fffafdec038) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:406
#4  0x00007ffff6485e14 in JSC::ExprStatementNode::emitBytecode (this=0x7fffafdec088, generator=..., dst=0x7ffff0dd8948) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2150
#5  0x00007ffff6449499 in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7ffff0d98000, dst=0x7ffff0dd8948, n=0x7fffafdec088) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:390
#6  0x00007ffff64939f1 in JSC::SourceElements::emitBytecode (this=0x7fffafdec000, generator=..., dst=0x7ffff0dd8948) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2106
#7  0x00007ffff6493ad0 in JSC::ScopeNode::emitStatementsBytecode (this=0x7ffff0d8d000, generator=..., dst=0x7ffff0dd8948) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3048
#8  0x00007ffff648c7a6 in JSC::EvalNode::emitBytecode (this=0x7ffff0d8d000, generator=...) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3086
#9  0x00007ffff64274f0 in JSC::BytecodeGenerator::generate (this=0x7ffff0d98000) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:101
#10 0x00007ffff6b432b7 in JSC::BytecodeGenerator::generate<JSC::EvalNode*, JSC::UnlinkedEvalCodeBlock*&, JSC::DebuggerMode&, JSC::ProfilerMode&, JSC::VariableEnvironment const*&> (vm=...) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:297
#11 0x00007ffff6b41213 in JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedEvalCodeBlock, JSC::EvalExecutable> (this=0x7ffff0def000, vm=..., executable=0x7fffaedfbee0, source=..., builtinMode=JSC::JSParserBuiltinMode::NotBuiltin, strictMode=JSC::JSParserStrictMode::Strict, thisTDZMode=JSC::ThisTDZMode::CheckIfNeeded, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=..., evalContextType=JSC::EvalContextType::FunctionEvalContext, variablesUnderTDZ=0x7fffffffbfd0) at ../../Source/JavaScriptCore/runtime/CodeCache.cpp:123
#12 0x00007ffff6b3dd8d in JSC::CodeCache::getEvalCodeBlock (this=0x7ffff0def000, vm=..., executable=0x7fffaedfbee0, source=..., builtinMode=JSC::JSParserBuiltinMode::NotBuiltin, strictMode=JSC::JSParserStrictMode::Strict, thisTDZMode=JSC::ThisTDZMode::CheckIfNeeded, isArrowFunctionContext=false, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=..., evalContextType=JSC::EvalContextType::FunctionEvalContext, variablesUnderTDZ=0x7fffffffbfd0) at ../../Source/JavaScriptCore/runtime/CodeCache.cpp:143
#13 0x00007ffff6c04991 in JSC::JSGlobalObject::createEvalCodeBlock (this=0x7fffaede7900, callFrame=0x7fffffffca70, executable=0x7fffaedfbee0, thisTDZMode=<incomplete type>, isArrowFunctionContext=false, variablesUnderTDZ=0x7fffffffbfd0) at ../../Source/JavaScriptCore/runtime/JSGlobalObject.cpp:1108
#14 0x00007ffff6ba66ce in JSC::EvalExecutable::create (exec=0x7fffffffca70, source=..., isInStrictContext=true, thisTDZMode=JSC::ThisTDZMode::CheckIfNeeded, derivedContextType=JSC::DerivedContextType::DerivedMethodContext, isArrowFunctionContext=false, evalContextType=JSC::EvalContextType::FunctionEvalContext, variablesUnderTDZ=0x7fffffffbfd0) at ../../Source/JavaScriptCore/runtime/Executable.cpp:440
#15 0x00007ffff699b34b in JSC::EvalCodeCache::getSlow (this=0x7ffff0dba1b8, exec=0x7fffffffca70, owner=0x7fffaed9b840, inStrictContext=true, thisTDZMode=<incomplete type>, derivedContextType=JSC::DerivedContextType::DerivedMethodContext, isArrowFunctionContext=false, evalContextType=JSC::EvalContextType::FunctionEvalContext, evalSource=..., scope=0x7fffaeddbe80) at ../../Source/JavaScriptCore/bytecode/EvalCodeCache.h:105
#16 0x00007ffff6995385 in JSC::eval (callFrame=0x7fffffffca70) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:200
#17 0x00007ffff6a29fd7 in JSC::(anonymous namespace)::llint_slow_path_call_eval (exec=0x7fffffffcb00, pc=0x7ffff0df0c18) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1354
#18 0x00007ffff6a33ea2 in llint_entry () at ../../Source/JavaScriptCore/heap/HandleTypes.h:38
#19 0x00007ffff6a33818 in llint_entry () at ../../Source/JavaScriptCore/heap/HandleTypes.h:38
#20 0x00007ffff6a2d895 in vmEntryToJavaScript () at ../../Source/JavaScriptCore/heap/HandleTypes.h:38
#21 0x00007ffff69d46d2 in JSC::JITCode::execute (this=0x7ffff0d9c640, vm=0x7fffb09f1000, protoCallFrame=0x7fffffffcd30) at ../../Source/JavaScriptCore/jit/JITCode.cpp:80
#22 0x00007ffff6997f4f in JSC::Interpreter::execute (this=0x7ffff0def058, program=0x7fffaedfbf70, callFrame=0x7fffaede7940, thisObj=0x7fffaedba360) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:960
#23 0x00007ffff6b849ad in JSC::evaluate (exec=0x7fffaede7940, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:106
#24 0x000000000043a120 in runInteractive (globalObject=0x7fffaede7900) at ../../Source/JavaScriptCore/jsc.cpp:2083
#25 0x000000000043abcb in runJSC (vm=0x7fffb09f1000, options=...) at ../../Source/JavaScriptCore/jsc.cpp:2244
#26 0x000000000043b0a1 in jscmain (argc=1, argv=0x7fffffffdbb8) at ../../Source/JavaScriptCore/jsc.cpp:2293
#27 0x000000000043967f in main (argc=1, argv=0x7fffffffdbb8) at ../../Source/JavaScriptCore/jsc.cpp:1947
---
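The behaviour the parser-side fix has to enforce, as an added example that is not part of the bug report or of the WebKit patch: the reporter's test case must end in a catchable SyntaxError from the eval'd code, while the legal uses of super inside a direct eval keep working. Class names, the `outcome` helper and the sample values are constructed for this example; it runs on any spec-compliant engine (e.g. node).

```javascript
// Added example (not the bug report's or the WebKit patch's code): shows which
// direct-eval uses of super must be rejected with a SyntaxError and which must
// be accepted, instead of reaching the bytecode generator's assertion.

// Run fn and return its value, or the name of the error it threw.
function outcome(fn) {
  try {
    return fn();
  } catch (e) {
    return e.constructor.name;
  }
}

class Base {
  constructor() { this.tag = 'base'; }
  greet() { return 'hello'; }
}

// The reporter's test case: super() in a direct eval inside a plain method.
// There is no derived constructor context, so the eval'd source must fail to
// parse with a SyntaxError, a catchable runtime error rather than a crash.
function superCallInMethod() {
  return outcome(() => (new class { m() { eval('super()'); } }).m());
}

// super() in a direct eval inside a derived constructor is legal: the eval
// inherits the DerivedConstructorContext and initialises `this` as usual.
function superCallInDerivedConstructor() {
  return outcome(() => {
    class Derived extends Base {
      constructor() { eval('super()'); }
    }
    return new Derived().tag;
  });
}

// super.prop in a direct eval inside a method is legal; only super *calls*
// are restricted to derived constructors.
function superPropertyInMethod() {
  return outcome(() => {
    class Derived extends Base {
      m() { return eval('super.greet()'); }
    }
    return new Derived().m();
  });
}

// super() in a direct eval with no enclosing method or constructor at all.
function superCallOutsideClass() {
  return outcome(() => eval('super()'));
}
```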
Attachments
Patch (8.65 KB, patch), 2016-04-30 12:39 PDT, Yusuke Suzuki, no flags
Patch (13.19 KB, patch), 2016-05-03 18:14 PDT, Yusuke Suzuki, no flags
Radar WebKit Bug Importer, Comment 1, 2016-04-29 09:14:22 PDT
<rdar://problem/26004823>
Yusuke Suzuki, Comment 2, 2016-04-30 12:39:16 PDT
Created attachment 277824 [details]: Patch
Saam Barati, Comment 3, 2016-05-01 16:00:11 PDT
Comment on attachment 277824 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=277824&action=review

> Source/JavaScriptCore/parser/Parser.cpp:292
> + // eval("super()") is allowed in the parsing phase. We should validate that it is under the correct context.
> + bool validSuperBinding = true;
> + if (scope->isEvalContext())
> + validSuperBinding = semanticCheckForSuperAndContext(scope, scope->constructorKind(), scope->expectedSuperBinding());

Why can't this be done when we are parsing the actual "super()" call?
Yusuke Suzuki, Comment 4, 2016-05-02 05:04:04 PDT
(In reply to comment #3)
> Comment on attachment 277824 [details]: Patch
> View in context: https://bugs.webkit.org/attachment.cgi?id=277824&action=review
>
> > Source/JavaScriptCore/parser/Parser.cpp:292
> > + // eval("super()") is allowed in the parsing phase. We should validate that it is under the correct context.
> > + bool validSuperBinding = true;
> > + if (scope->isEvalContext())
> > + validSuperBinding = semanticCheckForSuperAndContext(scope, scope->constructorKind(), scope->expectedSuperBinding());
>
> Why can't this be done when we are parsing the actual "super()" call?
Maybe, that seems better. I'll rework it :)
Yusuke Suzuki, Comment 5, 2016-05-03 18:14:03 PDT
Created attachment 278050 [details]: Patch
Yusuke Suzuki, Comment 6, 2016-05-03 23:53:23 PDT
Comment on attachment 278050 [details]: Patch
Thanks :)
WebKit Commit Bot, Comment 7, 2016-05-04 00:42:40 PDT
Comment on attachment 278050 [details]: Patch
Clearing flags on attachment: 278050
Committed r200409: <http://trac.webkit.org/changeset/200409>
WebKit Commit Bot, Comment 8, 2016-05-04 00:42:43 PDT
All reviewed patches have been landed. Closing bug.