Closed Bug 1204857 Opened 9 years ago Closed 9 years ago

Assertion failure: tt == TOK_EOF, at js/src/frontend/Parser.cpp:866 with parseModule

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
firefox43 --- affected
firefox44 --- fixed

People

(Reporter: decoder, Assigned: jonco)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

bug1204857-trailing-garbage
1.27 KB, patch
efaust
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision a6786bf8d71d (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager):

parseModule(("}"));



Backtrace:

Program terminated with signal 11, Segmentation fault.
#0  0x0000000000501bc2 in js::frontend::Parser<js::frontend::FullParseHandler>::standaloneModule (this=this@entry=0x7ffd33979c20, module=..., module@entry=...) at js/src/frontend/Parser.cpp:866
#1  0x000000000063c73d in BytecodeCompiler::compileModule (this=this@entry=0x7ffd339795a0) at js/src/frontend/BytecodeCompiler.cpp:648
#2  0x000000000063ce01 in js::frontend::CompileModule (cx=cx@entry=0x7f8801d06800, obj=..., obj@entry=..., optionsInput=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:843
#3  0x000000000048af32 in ParseModule (cx=0x7f8801d06800, argc=<optimized out>, vp=0x7ffd3397a9b8) at js/src/shell/js.cpp:3099
#4  0x00000000006cd872 in js::CallJSNative (cx=0x7f8801d06800, native=0x48ac70 <ParseModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#5  0x00000000006be0f0 in js::Invoke (cx=cx@entry=0x7f8801d06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:763
#6  0x00000000006c007d in js::Invoke (cx=cx@entry=0x7f8801d06800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7ffd3397ae70, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:818
#7  0x000000000090bc8a in js::jit::DoCallFallback (cx=0x7f8801d06800, frame=0x7ffd3397aeb8, stub_=<optimized out>, argc=<optimized out>, vp=0x7ffd3397ae60, res=...) at js/src/jit/BaselineIC.cpp:9363
#8  0x00007f88033f5edf in ?? ()
[...]
#32 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffd33979c20	140725469027360
rcx	0x7f880208b88d	140222126405773
rdx	0x0	0
rsi	0x7f88023609d0	140222129375696
rdi	0x7f880235f1c0	140222129369536
rbp	0x7ffd339790c0	140725469024448
rsp	0x7ffd33978c90	140725469023376
r8	0x7f8803400780	140222146807680
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7f880235cbe0	140222129359840
r11	0x0	0
r12	0x7ffd33978d50	140725469023568
r13	0x7f8801d8b058	140222123257944
r14	0x7ffd33979c50	140725469027408
r15	0x7f8801d8b020	140222123257888
rip	0x501bc2 <js::frontend::Parser<js::frontend::FullParseHandler>::standaloneModule(JS::Handle<js::ModuleObject*>)+994>
=> 0x501bc2 <js::frontend::Parser<js::frontend::FullParseHandler>::standaloneModule(JS::Handle<js::ModuleObject*>)+994>:	movl   $0x362,0x0
   0x501bcd <js::frontend::Parser<js::frontend::FullParseHandler>::standaloneModule(JS::Handle<js::ModuleObject*>)+1005>:	callq  0x49c3d0 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150824065141" and the hash "793916ec6dd4c589a8d589967158ccff532527ac".
The "bad" changeset has the timestamp "20150824080140" and the hash "0773712473c9cea41fa3a063f97cbd2dc55d86a4".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=793916ec6dd4c589a8d589967158ccff532527ac&tochange=0773712473c9cea41fa3a063f97cbd2dc55d86a4
Needinfo from jonco based on comment 1.
Flags: needinfo?(jcoppeard)
Assignee: nobody → jcoppeard
Patch to report an error rather than asserting.
Flags: needinfo?(jcoppeard)
Attachment #8663628 - Flags: review?(efaustbmo)
Comment on attachment 8663628 [details] [diff] [review]
bug1204857-trailing-garbage

Review of attachment 8663628 [details] [diff] [review]:
-----------------------------------------------------------------

Seems reasonable.
Attachment #8663628 - Flags: review?(efaustbmo) → review+
https://hg.mozilla.org/mozilla-central/rev/30d5d66ab33c
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: