Closed Bug 1130604 Opened 9 years ago Closed 9 years ago

Crash [@ js::frontend::ParseNode::getKind] or [@ js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree]

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64 macOS
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED DUPLICATE of bug 1127012
Tracking Status
firefox38 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(2 files)

for (var [{
    b: a = ({}, function() {})
}] in -2

crashes js debug and opt shell on m-c changeset aa5f8d47a0ba with --fuzzing-safe --no-threads --no-ion at js::frontend::ParseNode::getKind with js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree on the stack.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Opt configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150121013236" and the hash "26d8f946a53b".
The "bad" changeset has the timestamp "20150121021935" and the hash "8832848bf234".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=26d8f946a53b&tochange=8832848bf234

Jason, is bug 932080 a likely regressor?
Flags: needinfo?(jorendorff)
Attached file opt shell stack
(lldb) bt 5
* thread #1: tid = 0x2a611, 0x00000001000fd1d4 js-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree(js::frontend::ParseNode*) [inlined] js::frontend::ParseNode::getKind(this=0x0000000000000000, this=0x0000000000000000, this=0x0000000000000000) const at ParseNode.h:495, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001000fd1d4 js-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree(js::frontend::ParseNode*) [inlined] js::frontend::ParseNode::getKind(this=0x0000000000000000, this=0x0000000000000000, this=0x0000000000000000) const at ParseNode.h:495
    frame #1: 0x00000001000fd1d4 js-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree(this=0x00007fff5fbfe288, opn=0x0000000000000000) + 100 at ParseNode.cpp:322
    frame #2: 0x00000001000fd3d7 js-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree(this=0x00007fff5fbfe288, opn=0x000000010281c9a8) + 615 at ParseNode.cpp:337
    frame #3: 0x00000001000fd452 js-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree(this=0x00007fff5fbfe288, opn=0x000000010281c970) + 738 at ParseNode.cpp:347
    frame #4: 0x00000001000fd804 js-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::Parser<js::frontend::FullParseHandler>::cloneLeftHandSide(js::frontend::ParseNode*) [inlined] js::frontend::Parser<js::frontend::FullParseHandler>::cloneDestructuringDefault(this=<unavailable>) + 42 at ParseNode.cpp:439
(lldb)
Attached file debug stack
(lldb) bt 5
* thread #1: tid = 0x2a796, 0x0000000100198c8b js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree(js::frontend::ParseNode*) [inlined] js::frontend::ParseNode::getKind(this=0x0000000000000000, this=<unavailable>, this=<unavailable>, p1=<unavailable>) const at ParseNode.h:494, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100198c8b js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree(js::frontend::ParseNode*) [inlined] js::frontend::ParseNode::getKind(this=0x0000000000000000, this=<unavailable>, this=<unavailable>, p1=<unavailable>) const at ParseNode.h:494
    frame #1: 0x0000000100198c8b js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree(this=0x00007fff5fbfe058, opn=0x0000000000000000) + 219 at ParseNode.cpp:322
    frame #2: 0x0000000100198ee1 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree(this=0x00007fff5fbfe058, opn=0x000000010204c3a8) + 817 at ParseNode.cpp:337
    frame #3: 0x0000000100198f65 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree(this=0x00007fff5fbfe058, opn=0x000000010204c370) + 949 at ParseNode.cpp:347
    frame #4: 0x0000000100199300 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::frontend::Parser<js::frontend::FullParseHandler>::cloneDestructuringDefault(this=0x00007fff5fbfe058, opn=0x000000010204c450) + 80 at ParseNode.cpp:439
(lldb)
Blocks: 932080
Crash Signature: [@ js::frontend::ParseNode::getKind] [@ js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree] → [@ js::frontend::ParseNode::getKind] [@ js::frontend::Parser<js::frontend::FullParseHandler>::cloneParseTree]
Variations of this are being continuously detected, setting [fuzzblocker].
Whiteboard: [jsbugmon:update] → [fuzzblocker] [jsbugmon:update]
Variants of this fuzzblocker are now causing crashes with stacks that have no signatures other than memory addresses. Flagging needinfo? from more JS interpreter folks.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   js                            	0x0000000100192d63 0x100000000 + 1650019
1   js                            	0x0000000100192f70 0x100000000 + 1650544
2   js                            	0x0000000100192e55 0x100000000 + 1650261
3   js                            	0x0000000100192ffb 0x100000000 + 1650683
4   js                            	0x0000000100192e29 0x100000000 + 1650217
Flags: needinfo?(jwalden+bmo)
Flags: needinfo?(efaustbmo)
Group: core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jwalden+bmo)
Resolution: --- → DUPLICATE
Flags: needinfo?(jorendorff)
Flags: needinfo?(efaustbmo)
Group: core-security → core-security-release
Group: core-security-release