Closed Bug 1204857 Opened 10 years ago Closed 10 years ago

Assertion failure: tt == TOK_EOF, at js/src/frontend/Parser.cpp:866 with parseModule

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
firefox43 --- affected
firefox44 --- fixed

People

(Reporter: decoder, Assigned: jonco)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

bug1204857-trailing-garbage
1.27 KB, patch
efaust
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision a6786bf8d71d (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager): parseModule(("}")); Backtrace: Program terminated with signal 11, Segmentation fault. #0 0x0000000000501bc2 in js::frontend::Parser<js::frontend::FullParseHandler>::standaloneModule (this=this@entry=0x7ffd33979c20, module=..., module@entry=...) at js/src/frontend/Parser.cpp:866 #1 0x000000000063c73d in BytecodeCompiler::compileModule (this=this@entry=0x7ffd339795a0) at js/src/frontend/BytecodeCompiler.cpp:648 #2 0x000000000063ce01 in js::frontend::CompileModule (cx=cx@entry=0x7f8801d06800, obj=..., obj@entry=..., optionsInput=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:843 #3 0x000000000048af32 in ParseModule (cx=0x7f8801d06800, argc=<optimized out>, vp=0x7ffd3397a9b8) at js/src/shell/js.cpp:3099 #4 0x00000000006cd872 in js::CallJSNative (cx=0x7f8801d06800, native=0x48ac70 <ParseModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235 #5 0x00000000006be0f0 in js::Invoke (cx=cx@entry=0x7f8801d06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:763 #6 0x00000000006c007d in js::Invoke (cx=cx@entry=0x7f8801d06800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7ffd3397ae70, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:818 #7 0x000000000090bc8a in js::jit::DoCallFallback (cx=0x7f8801d06800, frame=0x7ffd3397aeb8, stub_=<optimized out>, argc=<optimized out>, vp=0x7ffd3397ae60, res=...) at js/src/jit/BaselineIC.cpp:9363 #8 0x00007f88033f5edf in ?? () [...] #32 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7ffd33979c20 140725469027360 rcx 0x7f880208b88d 140222126405773 rdx 0x0 0 rsi 0x7f88023609d0 140222129375696 rdi 0x7f880235f1c0 140222129369536 rbp 0x7ffd339790c0 140725469024448 rsp 0x7ffd33978c90 140725469023376 r8 0x7f8803400780 140222146807680 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7f880235cbe0 140222129359840 r11 0x0 0 r12 0x7ffd33978d50 140725469023568 r13 0x7f8801d8b058 140222123257944 r14 0x7ffd33979c50 140725469027408 r15 0x7f8801d8b020 140222123257888 rip 0x501bc2 <js::frontend::Parser<js::frontend::FullParseHandler>::standaloneModule(JS::Handle<js::ModuleObject*>)+994> => 0x501bc2 <js::frontend::Parser<js::frontend::FullParseHandler>::standaloneModule(JS::Handle<js::ModuleObject*>)+994>: movl $0x362,0x0 0x501bcd <js::frontend::Parser<js::frontend::FullParseHandler>::standaloneModule(JS::Handle<js::ModuleObject*>)+1005>: callq 0x49c3d0 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150824065141" and the hash "793916ec6dd4c589a8d589967158ccff532527ac". The "bad" changeset has the timestamp "20150824080140" and the hash "0773712473c9cea41fa3a063f97cbd2dc55d86a4". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=793916ec6dd4c589a8d589967158ccff532527ac&tochange=0773712473c9cea41fa3a063f97cbd2dc55d86a4
Needinfo from jonco based on comment 1.
Flags: needinfo?(jcoppeard)
Assignee: nobody → jcoppeard
Patch to report an error rather than asserting.
Flags: needinfo?(jcoppeard)
Attachment #8663628 - Flags: review?(efaustbmo)
Comment on attachment 8663628 [details] [diff] [review] bug1204857-trailing-garbage Review of attachment 8663628 [details] [diff] [review]: ----------------------------------------------------------------- Seems reasonable.
Attachment #8663628 - Flags: review?(efaustbmo) → review+
https://hg.mozilla.org/mozilla-central/rev/30d5d66ab33c
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: