Crash [@ BindNameToSlot]

RESOLVED FIXED in mozilla37

Status: RESOLVED FIXED
Priority: --
Severity: critical

People

(Reporter: gkw, Assigned: efaust)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Version: Trunk
Target Milestone: mozilla37
Platform: x86_64 Mac OS X
Keywords: crash, regression, testcase

Firefox Tracking Flags

(firefox36 affected)

Details

(Whiteboard: [fuzzblocker][jsbugmon:update], crash signature)

Attachments

(3 attachments)

eval("\
     \"use strict\";\
     let (a) {\
        (function() {\
            a = c\
        })\
    }\
")

crashes js debug shell on m-c changeset 1162e4a4d7a2 with --no-ion --no-threads at BindNameToSlot.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6ec9033a4535
user:        Eric Faust
date:        Wed Nov 26 14:42:52 2014 -0800
summary:     Bug 1101905 - Part 3: Add strict variant of JSOP_SETNAME. (r=Waldo)

Eric, is bug 1101905 a likely regressor?
Flags: needinfo?(efaustbmo)
Created attachment 8530402 [details]
stack

(lldb) bt 5
* thread #1: tid = 0x5bd059, 0x0000000100142031 js-dbg-opt-64-dm-nsprBuild-darwin-1162e4a4d7a2`BindNameToSlot(js::ExclusiveContext*, js::frontend::BytecodeEmitter*, js::frontend::ParseNode*) [inlined] js::frontend::ParseNode::getKind(this=<unavailable>) const + 28 at ParseNode.h:493, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100142031 js-dbg-opt-64-dm-nsprBuild-darwin-1162e4a4d7a2`BindNameToSlot(js::ExclusiveContext*, js::frontend::BytecodeEmitter*, js::frontend::ParseNode*) [inlined] js::frontend::ParseNode::getKind(this=<unavailable>) const + 28 at ParseNode.h:493
    frame #1: 0x0000000100142015 js-dbg-opt-64-dm-nsprBuild-darwin-1162e4a4d7a2`BindNameToSlot(js::ExclusiveContext*, js::frontend::BytecodeEmitter*, js::frontend::ParseNode*) [inlined] js::frontend::ParseNode::isKind(this=<unavailable>, kind=<unavailable>) const at ParseNode.h:500
    frame #2: 0x0000000100142015 js-dbg-opt-64-dm-nsprBuild-darwin-1162e4a4d7a2`BindNameToSlot(js::ExclusiveContext*, js::frontend::BytecodeEmitter*, js::frontend::ParseNode*) [inlined] BindNameToSlotHelper(pn=<unavailable>) + 1507 at BytecodeEmitter.cpp:1695
    frame #3: 0x0000000100141a32 js-dbg-opt-64-dm-nsprBuild-darwin-1162e4a4d7a2`BindNameToSlot(cx=<unavailable>, bce=<unavailable>, pn=<unavailable>) + 1026 at BytecodeEmitter.cpp:1918
    frame #4: 0x0000000100147fb4 js-dbg-opt-64-dm-nsprBuild-darwin-1162e4a4d7a2`EmitAssignment(cx=0x0000000101b14360, bce=0x00007fff5fbfb7f0, lhs=0x0000000102047e68, op=JSOP_NOP, rhs=0x0000000102047ed8) + 308 at BytecodeEmitter.cpp:3984
(lldb)
status-firefox36: --- → affected
Upping to [fuzzblocker] because possibly-related variants are causing crashes with stacks that have no signatures.
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Created attachment 8531652 [details]
stack with no signature
Comment 4 (Assignee)
Created attachment 8532594 [details] [diff] [review]
Fix
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8532594 - Flags: review?(jwalden+bmo)

Attachment #8532594 - Flags: review?(jwalden+bmo) → review+
https://hg.mozilla.org/mozilla-central/rev/8b67be801da7
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37