Assertion failure: next.type != TOK_DIV && next.type != TOK_REGEXP (next token requires contextual specifier to be parsed unambiguously), at js/src/frontend/TokenStream.h:486

RESOLVED FIXED in Firefox 44

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reporter: decoder
Assignee: Waldo
Blocks: 1 bug
Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla44
Hardware: x86
OS: Linux
Firefox Tracking Flags: firefox43 affected, firefox44 fixed
Whiteboard: [jsbugmon:update]
Attachments: 1 attachment
Description (Reporter)
The following testcase crashes on mozilla-central revision ccd6b5f5e544 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe):

Reflect.parse('export { x, y as z } from "a" \n/bar/g;', {target: "module"});
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0812b908 in js::frontend::TokenStream::addModifierException (this=0xffffbe18, modifierException=js::frontend::Token::OperandIsNone) at js/src/frontend/TokenStream.h:485
#0  0x0812b908 in js::frontend::TokenStream::addModifierException (this=0xffffbe18, modifierException=js::frontend::Token::OperandIsNone) at js/src/frontend/TokenStream.h:485
#1  0x0811c69c in js::frontend::MatchOrInsertSemicolon (ts=..., modifier=js::frontend::Token::None) at js/src/frontend/Parser.cpp:1474
#2  0x08128d0c in js::frontend::Parser<js::frontend::FullParseHandler>::exportDeclaration (this=this@entry=0xffffbe00) at js/src/frontend/Parser.cpp:4864
#3  0x0814e2a8 in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=this@entry=0xffffbe00, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, canHaveDirectives=true) at js/src/frontend/Parser.cpp:6820
#4  0x0814e94e in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0xffffbe00, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword) at js/src/frontend/Parser.cpp:3117
#5  0x08158f1e in js::frontend::Parser<js::frontend::FullParseHandler>::standaloneModule (this=this@entry=0xffffbe00, module=module@entry=...) at js/src/frontend/Parser.cpp:866
#6  0x081d5305 in reflect_parse (cx=0xf7a87020, argc=2, vp=0xf44c4068) at js/src/builtin/ReflectParse.cpp:3858
#7  0x083621ea in js::CallJSNative (cx=0xf7a87020, native=0x81d3ff0 <reflect_parse(JSContext*, uint32_t, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#8  0x0835737f in js::Invoke (cx=0xf7a87020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:765
#9  0x08348500 in Interpret (cx=cx@entry=0xf7a87020, state=...) at js/src/vm/Interpreter.cpp:3068
#10 0x08356991 in js::RunScript (cx=cx@entry=0xf7a87020, state=...) at js/src/vm/Interpreter.cpp:706
#11 0x0835cb95 in js::ExecuteKernel (cx=cx@entry=0xf7a87020, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:980
#12 0x0835cef2 in js::Execute (cx=cx@entry=0xf7a87020, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1014
#13 0x087e2cda in ExecuteScript (cx=cx@entry=0xf7a87020, scope=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4370
#14 0x087e2e16 in JS_ExecuteScript (cx=cx@entry=0xf7a87020, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4401
#15 0x0806b4b2 in RunFile (compileOnly=false, file=0xf7af49e0, filename=0xffffd058 "min.js", cx=0xf7a87020) at js/src/shell/js.cpp:462
#16 Process (cx=cx@entry=0xf7a87020, filename=0xffffd058 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:580
#17 0x080ce475 in ProcessArgs (op=0xffffcd20, cx=0xf7a87020) at js/src/shell/js.cpp:5834
#18 Shell (envp=<optimized out>, op=0xffffcd20, cx=0xf7a87020) at js/src/shell/js.cpp:6132
#19 main (argc=3, argv=0xffffce74, envp=0xffffce84) at js/src/shell/js.cpp:6488
eax	0x0	0
ebx	0x9785474	158880884
ecx	0xf7e3b88c	-136071028
edx	0x0	0
esi	0x0	0
edi	0xffffc09c	-16228
ebp	0xffffb498	4294947992
esp	0xffffb470	4294947952
eip	0x812b908 <js::frontend::TokenStream::addModifierException(js::frontend::Token::ModifierException)+328>
=> 0x812b908 <js::frontend::TokenStream::addModifierException(js::frontend::Token::ModifierException)+328>:	movl   $0x1e6,0x0
   0x812b912 <js::frontend::TokenStream::addModifierException(js::frontend::Token::ModifierException)+338>:	call   0x80ee4d0 <abort()>

Updated
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/05f838caf076
user:        Tooru Fujisawa
date:        Fri Aug 07 04:11:59 2015 +0900
summary:     Bug 1089045 - Part 1: Supply consistent modifiers to TokenStream. r=Waldo

This iteration took 278.472 seconds to run.
Comment 2 (Assignee)
Created attachment 8663892 [details] [diff] [review]
Patch
Attachment #8663892 - Flags: review?(arai.unmht)
Updated (Assignee)
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
Comment on attachment 8663892 [details] [diff] [review]
Patch

Review of attachment 8663892 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
As noted in IRC, would you please apply the same fix to the |export *| part too?

https://dxr.mozilla.org/mozilla-central/rev/9ed17db42e3e46f1c712e4dffd62d54e915e0fac/js/src/frontend/Parser.cpp#4829
>            if (!MatchOrInsertSemicolon(tokenStream))
So, this.

>                return null();
>
>            return handler.newExportFromDeclaration(begin, kid, moduleSpec);
>        } else {
>            report(ParseError, false, null(), JSMSG_FROM_AFTER_EXPORT_STAR);
>            return null();
>        }
>
>        if (!MatchOrInsertSemicolon(tokenStream))
>            return null();
and this is dead, sorry I should've noticed :P
Attachment #8663892 - Flags: review?(arai.unmht) → review+
https://hg.mozilla.org/mozilla-central/rev/384a3e1b2a99
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
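Added illustration, not part of this bug, the patch, or SpiderMonkey's own code: a toy JavaScript token stream in which "/" is read as division or as the start of a RegExp literal only according to a modifier the parser passes in, the contextual specifier the assertion message in comment 0 refers to. A lookahead token scanned under one modifier is refused when it is requested under the other and is a "/" token, which is the check the assertion enforces. The hypothetical parseModule() handles both the `export { ... } from` form from the testcase and the `export * from` form the reviewer asks to be fixed the same way, and takes the modifier handed to its matchOrInsertSemicolon() as a parameter: with the operator reading it fails on the testcase at the same point the report does (the semicolon check reads "/" as division, the statement that follows needs it as a regexp), with the operand reading it parses. That the real fix consists of passing the operand modifier at the quoted MatchOrInsertSemicolon(tokenStream) call site is an assumption drawn from the review comment; all names, token types and modifier values below are this example's own.

```javascript
// Added example, not SpiderMonkey code: a toy token stream whose reading of "/"
// depends on a modifier supplied by the parser. Names here are this example's own.
const Operand = "Operand"; // an operand is expected: "/" starts a RegExp literal
const None = "None";       // an operator is expected: "/" is division

class TokenStream {
  constructor(src) { this.src = src; this.pos = 0; this.lookahead = null; }

  // Scan one token, recording whether a line break preceded it (needed for ASI)
  // and which modifier it was scanned under.
  scan(modifier) {
    const s = this.src;
    let newlineBefore = false;
    for (; this.pos < s.length && /\s/.test(s[this.pos]); this.pos++) if (s[this.pos] === "\n") newlineBefore = true;
    const start = this.pos;
    const tok = (type, value) => ({ type, value, newlineBefore, modifier });
    if (start >= s.length) return tok("EOF", "");
    const c = s[start];
    if (/[A-Za-z_$]/.test(c)) {
      while (this.pos < s.length && /[\w$]/.test(s[this.pos])) this.pos++;
      return tok("NAME", s.slice(start, this.pos));
    }
    if (c === '"' || c === "'") {
      const end = s.indexOf(c, start + 1);
      if (end < 0) throw new SyntaxError("unterminated string");
      this.pos = end + 1;
      return tok("STRING", s.slice(start + 1, end));
    }
    if (c === "/" && modifier === Operand) {
      // RegExp literal: body up to the next unescaped "/", then flag letters.
      let i = start + 1;
      for (; i < s.length && s[i] !== "/"; i++) if (s[i] === "\\") i++;
      if (i >= s.length) throw new SyntaxError("unterminated regexp");
      for (i++; i < s.length && /[a-z]/.test(s[i]); i++);
      this.pos = i;
      return tok("REGEXP", s.slice(start, i));
    }
    this.pos++;
    return tok(c === "/" ? "DIV" : "PUNCT", c);
  }

  // A lookahead scanned under one modifier is reusable under the other only when
  // both readings agree; for "/" they never do. That is what the assertion checks.
  peek(modifier) {
    const t = this.lookahead || (this.lookahead = this.scan(modifier));
    if (t.modifier !== modifier && (t.type === "DIV" || t.type === "REGEXP")) {
      throw new Error(`modifier mismatch: '${t.value}' was ${t.type} under ${t.modifier}, asked under ${modifier}`);
    }
    return t;
  }

  get(modifier) { const t = this.peek(modifier); this.lookahead = null; return t; }
}

// Automatic semicolon insertion after a declaration: take an explicit ";", else
// accept end of input, "}", or a line break before the next token.
function matchOrInsertSemicolon(ts, modifier) {
  const t = ts.peek(modifier);
  if (t.type === "PUNCT" && t.value === ";") { ts.get(modifier); return; }
  if (t.type === "EOF" || t.value === "}" || t.newlineBefore) return;
  throw new SyntaxError(`unexpected token '${t.value}' after declaration`);
}

// Parse `export { ... } from "spec"` or `export * from "spec"`, end the statement
// using `semicolonModifier`, then read the first token of what follows. None
// reproduces the reported failure; Operand is the assumed shape of the fix.
function parseModule(src, semicolonModifier) {
  const ts = new TokenStream(src);
  const expect = (type, value) => {
    const t = ts.get(None);
    if (t.type !== type || (value !== undefined && t.value !== value)) throw new SyntaxError(`expected ${value || type}`);
    return t;
  };
  if (ts.get(Operand).value !== "export") throw new SyntaxError("expected export");
  let decl = "export ";
  if (ts.peek(None).value === "*") decl += ts.get(None).value;
  else {
    expect("PUNCT", "{");
    const specs = [];
    for (let t = ts.get(None); t.value !== "}"; t = ts.get(None)) {
      if (t.value === ",") continue;
      if (t.type !== "NAME") throw new SyntaxError(`bad export name '${t.value}'`);
      let spec = t.value;
      if (ts.peek(None).value === "as") { ts.get(None); spec += " as " + expect("NAME").value; }
      specs.push(spec);
    }
    decl += `{ ${specs.join(", ")} }`;
  }
  expect("NAME", "from");
  decl += ` from "${expect("STRING").value}"`;
  matchOrInsertSemicolon(ts, semicolonModifier);
  const next = ts.get(Operand); // a new statement begins here: operand position
  return [decl, `${next.type}:${next.value}`];
}

// Contrast: after an expression a "/" on the next line continues it, so no
// semicolon is inserted and the operator reading is the right one.
function parseDivisionChain(src) {
  const ts = new TokenStream(src), parts = [ts.get(Operand).value];
  for (let t = ts.get(None); t.type === "DIV"; t = ts.get(None)) parts.push("/", ts.get(Operand).value);
  return parts.join(" ");
}
```

On the testcase from comment 0, parseModule(src, Operand) returns the export declaration followed by REGEXP:/bar/g, while parseModule(src, None) throws the modifier-mismatch error at the point where the next statement is read; the same input without the line break is a syntax error under either modifier, since ASI only applies across a line terminator. parseDivisionChain("a\n/bar/g") shows the same characters read as a / bar / g when they follow an expression instead of a complete declaration.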