Crash in TParseContext::addIndexExpression

Status: RESOLVED INCOMPLETE
Product: Core
Component: Canvas: WebGL
Severity: critical
Version: 18 Branch
Keywords: crash, regression, reproducible
Reporter: vlee
Assignee: Unassigned
Description

3 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/39.0.2171.65 Chrome/39.0.2171.65 Safari/537.36

Steps to reproduce:

$ firefox https://www.khronos.org/registry/webgl/sdk/tests/conformance/glsl/bugs/undefined-index-should-not-crash.html?webglVersion=1


Actual results:

(gdb) bt
#0  0x00007f654474bce7 in TParseContext::addIndexExpression (this=0x7fff675cc8c0, baseExpression=0x7f651c91d080, location=..., indexExpression=0x7f651c91d1b0)
    at /build/buildd/firefox-34.0+build2/gfx/angle/src/compiler/translator/ParseContext.cpp:2080
#1  0x00007f654471d8ba in yyparse (context=0x7fff675cc8c0) at /build/buildd/firefox-34.0+build2/gfx/angle/src/compiler/translator/glslang_tab.cpp:2661
#2  0x00007f6544722611 in glslang_parse (context=context@entry=0x7fff675cc8c0)
    at /build/buildd/firefox-34.0+build2/gfx/angle/src/compiler/translator/glslang_tab.cpp:5262
#3  0x00007f654474aaaa in PaParseStrings (count=count@entry=1, string=string@entry=0x7fff675cca28, length=length@entry=0x0, 
    context=context@entry=0x7fff675cc8c0) at /build/buildd/firefox-34.0+build2/gfx/angle/src/compiler/translator/ParseContext.cpp:2623
#4  0x00007f654472cca2 in TCompiler::compile (this=0x7f650f893000, shaderStrings=shaderStrings@entry=0x7fff675cca28, numStrings=numStrings@entry=1, 
    compileOptions=145421, compileOptions@entry=145420) at /build/buildd/firefox-34.0+build2/gfx/angle/src/compiler/translator/Compiler.cpp:173
#5  0x00007f654474f48f in ShCompile (handle=<optimized out>, shaderStrings=0x7fff675cca28, numStrings=1, compileOptions=145420)
    at /build/buildd/firefox-34.0+build2/gfx/angle/src/compiler/translator/ShaderLang.cpp:185
#6  0x00007f6543c52574 in mozilla::WebGLContext::CompileShader (this=this@entry=0x7f65009d8000, shader=shader@entry=0x7f6500fe5940)
    at /build/buildd/firefox-34.0+build2/dom/canvas/WebGLContextGL.cpp:3151
#7  0x00007f6543be14a1 in mozilla::dom::WebGLRenderingContextBinding::compileShader (cx=0x7f65085c1200, obj=..., self=0x7f65009d8000, args=...)
    at /build/buildd/firefox-34.0+build2/obj-x86_64-linux-gnu/dom/bindings/WebGLRenderingContextBinding.cpp:8669
#8  0x00007f6543c2ded2 in mozilla::dom::GenericBindingMethod (cx=0x7f65085c1200, argc=<optimized out>, vp=<optimized out>)
    at /build/buildd/firefox-34.0+build2/dom/bindings/BindingUtils.cpp:2485
#9  0x00007f6544bdcfc5 in CallJSNative (args=..., native=<optimized out>, cx=<optimized out>) at /build/buildd/firefox-34.0+build2/js/src/jscntxtinlines.h:231
#10 js::Invoke (cx=0x7f65085c1200, args=..., construct=(js::CONSTRUCT | unknown: 479318416)) at /build/buildd/firefox-34.0+build2/js/src/vm/Interpreter.cpp:481
#11 0x00007f6544bd7615 in Interpret (cx=0x7f65085c1200, state=...) at /build/buildd/firefox-34.0+build2/js/src/vm/Interpreter.cpp:2563
#12 0x00007f6544bdcc3a in js::RunScript (cx=cx@entry=0x7f65085c1200, state=...) at /build/buildd/firefox-34.0+build2/js/src/vm/Interpreter.cpp:428
#13 0x00007f6544bde255 in ExecuteKernel (result=0x0, evalInFrame=..., type=js::EXECUTE_GLOBAL, thisv=<synthetic pointer>, scopeChainArg=..., script=..., 
    cx=0x7f65085c1200) at /build/buildd/firefox-34.0+build2/js/src/vm/Interpreter.cpp:636
#14 js::Execute (cx=cx@entry=0x7f65085c1200, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0)
    at /build/buildd/firefox-34.0+build2/js/src/vm/Interpreter.cpp:673
#15 0x00007f6544a7129a in Evaluate (cx=cx@entry=0x7f65085c1200, obj=..., optionsArg=..., srcBuf=..., rval=rval@entry=0x0)
    at /build/buildd/firefox-34.0+build2/js/src/jsapi.cpp:4782
#16 0x00007f6544a72398 in JS::Evaluate (cx=cx@entry=0x7f65085c1200, obj=..., optionsArg=..., srcBuf=...)
    at /build/buildd/firefox-34.0+build2/js/src/jsapi.cpp:4873
#17 0x00007f654389d018 in nsJSUtils::EvaluateString (aCx=aCx@entry=0x7f65085c1200, aSrcBuf=..., aScopeObject=aScopeObject@entry=..., aCompileOptions=..., 
    aEvaluateOptions=..., aRetValue=aRetValue@entry=..., aOffThreadToken=0x0) at /build/buildd/firefox-34.0+build2/dom/base/nsJSUtils.cpp:242
#18 0x00007f654389d39c in nsJSUtils::EvaluateString (aCx=0x7f65085c1200, aSrcBuf=..., aScopeObject=..., aScopeObject@entry=..., aCompileOptions=..., 
    aOffThreadToken=aOffThreadToken@entry=0x0) at /build/buildd/firefox-34.0+build2/dom/base/nsJSUtils.cpp:308
#19 0x00007f6543eec401 in nsScriptLoader::EvaluateScript (this=0x7f6500ff57b0, aRequest=0x7f6500df5cc0, aSrcBuf=..., aOffThreadToken=0x0)
    at /build/buildd/firefox-34.0+build2/content/base/src/nsScriptLoader.cpp:1132
#20 0x00007f6543eecabf in nsScriptLoader::ProcessRequest (this=0x7f6500ff57b0, aRequest=0x7f6500df5cc0, aOffThreadToken=0x0)
    at /build/buildd/firefox-34.0+build2/content/base/src/nsScriptLoader.cpp:966
#21 0x00007f6543eeea52 in nsScriptLoader::ProcessScriptElement (this=0x7f6500ff57b0, aElement=0x7f6500df5b10)
    at /build/buildd/firefox-34.0+build2/content/base/src/nsScriptLoader.cpp:779
#22 0x00007f6543eeb1ec in nsScriptElement::MaybeProcessScript (this=0x7f6500df5b10)
    at /build/buildd/firefox-34.0+build2/content/base/src/nsScriptElement.cpp:140
#23 0x00007f654371f801 in nsIScriptElement::AttemptToExecute (this=0x7f6500df5b10) at ../../dist/include/nsIScriptElement.h:220
#24 0x00007f65437208d3 in nsHtml5TreeOpExecutor::RunScript (this=0x7f651c91d1b0, this@entry=0x7f6500bee000, aScriptElement=0x7f651c91d080)
    at /build/buildd/firefox-34.0+build2/parser/html/nsHtml5TreeOpExecutor.cpp:660
#25 0x00007f6543720d9f in nsHtml5TreeOpExecutor::RunFlushLoop (this=0x7f6500bee000)
    at /build/buildd/firefox-34.0+build2/parser/html/nsHtml5TreeOpExecutor.cpp:485
#26 0x00007f6543720ecc in nsHtml5ExecutorReflusher::Run (this=<optimized out>) at /build/buildd/firefox-34.0+build2/parser/html/nsHtml5TreeOpExecutor.cpp:54
#27 0x00007f65432d2a6f in nsThread::ProcessNextEvent (this=0x7f65486ed950, aMayWait=<optimized out>, aResult=0x7fff675ce75f)
    at /build/buildd/firefox-34.0+build2/xpcom/threads/nsThread.cpp:823
#28 0x00007f65432e3eb9 in NS_ProcessNextEvent (aThread=<optimized out>, aMayWait=aMayWait@entry=false)
    at /build/buildd/firefox-34.0+build2/xpcom/glue/nsThreadUtils.cpp:265
#29 0x00007f654348ce9e in mozilla::ipc::MessagePump::Run (this=0x7f6538abd780, aDelegate=0x7f6538a99500)
    at /build/buildd/firefox-34.0+build2/ipc/glue/MessagePump.cpp:99
#30 0x00007f654347e663 in RunHandler (this=0x7f6538a99500) at /build/buildd/firefox-34.0+build2/ipc/chromium/src/base/message_loop.cc:227
#31 MessageLoop::Run (this=0x7f6538a99500) at /build/buildd/firefox-34.0+build2/ipc/chromium/src/base/message_loop.cc:201
#32 0x00007f6543e155b6 in nsBaseAppShell::Run (this=0x7f651c91d1b0) at /build/buildd/firefox-34.0+build2/widget/xpwidgets/nsBaseAppShell.cpp:164
#33 0x00007f654450fe4d in nsAppStartup::Run (this=0x7f652e17a060) at /build/buildd/firefox-34.0+build2/toolkit/components/startup/nsAppStartup.cpp:280
#34 0x00007f654453dfa9 in XREMain::XRE_mainRun (this=this@entry=0x7fff675ce9e8) at /build/buildd/firefox-34.0+build2/toolkit/xre/nsAppRunner.cpp:4128
#35 0x00007f654453e20a in XREMain::XRE_main (this=this@entry=0x7fff675ce9e8, argc=argc@entry=1, argv=argv@entry=0x7fff675cfee8, 
    aAppData=aAppData@entry=0x7fff675cebf0) at /build/buildd/firefox-34.0+build2/toolkit/xre/nsAppRunner.cpp:4201
#36 0x00007f654453e436 in XRE_main (argc=1, argv=0x7fff675cfee8, aAppData=0x7fff675cebf0, aFlags=<optimized out>)
    at /build/buildd/firefox-34.0+build2/toolkit/xre/nsAppRunner.cpp:4415
#37 0x00007f654998d3bc in do_main (argc=1, argv=0x7fff675cfee8, xreDirectory=0x7f6548653780)
    at /build/buildd/firefox-34.0+build2/browser/app/nsBrowserApp.cpp:287
#38 0x00007f654998cb33 in main (argc=1, argv=0x7fff675cfee8) at /build/buildd/firefox-34.0+build2/browser/app/nsBrowserApp.cpp:652

Updated

3 years ago
Severity: normal → critical
Crash Signature: [@ TParseContext::addIndexExpression(TIntermTyped*, TSourceLoc const&, TIntermTyped*) ]
Keywords: crash, reproducible
Summary: SIGSEGV TParseContext::addIndexExpression → Crash in TParseContext::addIndexExpression

Comment 1

3 years ago
I got a slightly different signature with FF37:
Firefox 37.0a1 Crash Report [@ TIntermConstantUnion::getUConst(unsigned int) ]
https://crash-stats.mozilla.com/report/index/e4af75ed-0119-46c0-a6d7-acd3d2150101

Regression range:
good=2012-09-21
bad=2012-09-22
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=48c4938eaf57&tochange=9cfb80a82883
Status: UNCONFIRMED → NEW
Component: Untriaged → Canvas: WebGL
Ever confirmed: true
Keywords: regression
OS: Linux → All
Product: Firefox → Core
Hardware: x86_64 → All
Version: 34 Branch → 18 Branch

Updated

3 years ago
Crash Signature: [@ TParseContext::addIndexExpression(TIntermTyped*, TSourceLoc const&, TIntermTyped*) ] → [@ TParseContext::addIndexExpression(TIntermTyped*, TSourceLoc const&, TIntermTyped*) ] [@ TIntermConstantUnion::getUConst(unsigned int) ]

Updated

3 years ago
Crash Signature: [@ TParseContext::addIndexExpression(TIntermTyped*, TSourceLoc const&, TIntermTyped*) ] [@ TIntermConstantUnion::getUConst(unsigned int) ] → [@ TParseContext::addIndexExpression(TIntermTyped*, TSourceLoc const&, TIntermTyped*) ] [@ TIntermConstantUnion::getUConst(unsigned int) ] [@ TParseContext::addIndexExpression ] [@ TIntermConstantUnion::getUConst ]
Marking this bug report as incomplete since I cannot find any recent reports of this crash. Please reopen if you can reproduce this in the latest Firefox version.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE