Closed Bug 1241581 Opened 4 years ago Closed 4 years ago

Crash [@ strlen] or [@ js::wasm::ModuleData::serializedSize]

Categories

(Core :: JavaScript Engine, defect, critical)

Platform: x86_64 macOS
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
mozilla46
Tracking Status
firefox46 --- fixed

People

(Reporter: gkw, Assigned: luke)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 66e07ef46853 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-ion --no-baseline):

// SpiderMonkey shell testcase. The source string is an asm.js module (the
// "use asm" directive makes the parser hand it to CompileAsmJS); the second
// argument to evaluate() sets the script's fileName to null. Per the
// backtrace, CompileAsmJS then computes the module's serialized size and
// ModuleData::serializedSize() calls strlen() on that null filename.
evaluate("\
    (function() { \
        \"use asm\";\
        function f(i0) {\
            i0 = i0 | 0;\
        }\
        return f;\
    });\
    ", ({
    fileName: null
}));

Backtrace:

1   js-dbg-64-dm-clang-darwin-66e07ef46853	0x00000001000de9d1 js::wasm::ModuleData::serializedSize() const + 273 (WasmModule.cpp:407)
2   js-dbg-64-dm-clang-darwin-66e07ef46853	0x00000001000de7bd js::AsmJSModule::serializedSize() const + 29 (AsmJS.cpp:7901)
3   js-dbg-64-dm-clang-darwin-66e07ef46853	0x00000001000e3148 js::CompileAsmJS(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, bool*) + 4344 (AsmJS.cpp:8179)
4   js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010003f59f js::frontend::Parser<js::frontend::FullParseHandler>::asmJS(js::frontend::ParseNode*) + 143 (Parser.cpp:3351)
5   js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010005275b js::frontend::Parser<js::frontend::FullParseHandler>::maybeParseDirective(js::frontend::ParseNode*, js::frontend::ParseNode*, bool*) + 347 (Parser.cpp:3426)
6   js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010004aeb6 js::frontend::Parser<js::frontend::FullParseHandler>::statements(js::frontend::YieldHandling) + 758 (Parser.cpp:3491)
7   js-dbg-64-dm-clang-darwin-66e07ef46853	0x00000001000528d3 js::frontend::Parser<js::frontend::FullParseHandler>::functionBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::Parser<js::frontend::FullParseHandler>::FunctionBodyType) + 307 (Parser.cpp:1331)
8   js-dbg-64-dm-clang-darwin-66e07ef46853	0x0000000100053f4c js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::FunctionSyntaxKind) + 604 (Parser.cpp:3121)
9   js-dbg-64-dm-clang-darwin-66e07ef46853	0x0000000100042262 js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody(js::frontend::InHandling, js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::frontend::Directives, js::frontend::Directives*) + 802 (Parser.cpp:2926)
10  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010005591f js::frontend::Parser<js::frontend::FullParseHandler>::functionDef(js::frontend::InHandling, js::frontend::YieldHandling, JS::Handle<js::PropertyName*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction, js::frontend::ParseNode**) + 735 (Parser.cpp:2755)
11  js-dbg-64-dm-clang-darwin-66e07ef46853	0x00000001000560cf js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr(js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 447 (Parser.cpp:3278)
12  js-dbg-64-dm-clang-darwin-66e07ef46853	0x0000000100059d6b js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 1227 (Parser.cpp:9063)
13  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010005c197 js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 807 (Parser.cpp:8377)
14  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010005bad9 js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 809 (Parser.cpp:7897)
15  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010005b43c js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 92 (Parser.cpp:7421)
16  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010005b21f js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 31 (Parser.cpp:7473)
17  js-dbg-64-dm-clang-darwin-66e07ef46853	0x00000001000531ac js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 732 (Parser.cpp:7588)
18  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010004c572 js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 34 (Parser.cpp:7289)
19  js-dbg-64-dm-clang-darwin-66e07ef46853	0x0000000100059ef7 js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 1623 (Parser.cpp:9214)
20  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010005c197 js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 807 (Parser.cpp:8377)
21  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010005bad9 js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 809 (Parser.cpp:7897)
22  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010005b43c js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 92 (Parser.cpp:7421)
23  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010005b21f js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 31 (Parser.cpp:7473)
24  js-dbg-64-dm-clang-darwin-66e07ef46853	0x00000001000531ac js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 732 (Parser.cpp:7588)
25  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010004c572 js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 34 (Parser.cpp:7289)
26  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010004dcb3 js::frontend::Parser<js::frontend::FullParseHandler>::expressionStatement(js::frontend::YieldHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 83 (Parser.cpp:5521)
27  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010004d337 js::frontend::Parser<js::frontend::FullParseHandler>::statement(js::frontend::YieldHandling, bool) + 1575 (Parser.cpp:7129)
28  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010004adfc js::frontend::Parser<js::frontend::FullParseHandler>::statements(js::frontend::YieldHandling) + 572 (Parser.cpp:3469)
29  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010004491d js::frontend::Parser<js::frontend::FullParseHandler>::globalBody() + 77 (Parser.cpp:1073)
30  js-dbg-64-dm-clang-darwin-66e07ef46853	0x00000001008defd4 BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>) + 820 (BytecodeCompiler.cpp:527)
31  js-dbg-64-dm-clang-darwin-66e07ef46853	0x00000001008e0e9d js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, js::SourceCompressionTask*, js::ScriptSourceObject**) + 189 (BytecodeCompiler.cpp:738)
32  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010054a8f4 Compile(JSContext*, JS::ReadOnlyCompileOptions const&, SyntacticScopeOption, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) + 404 (RootingAPI.h:481)
33  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010054ad3c JS::Compile(JSContext*, JS::ReadOnlyCompileOptions const&, char16_t const*, unsigned long, JS::MutableHandle<JSScript*>) + 60 (jsapi.cpp:3976)
34  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010000be55 Evaluate(JSContext*, unsigned int, JS::Value*) + 3013 (js.cpp:1374)
35  js-dbg-64-dm-clang-darwin-66e07ef46853	0x00000001006f3fa2 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 738 (jscntxtinlines.h:236)
36  js-dbg-64-dm-clang-darwin-66e07ef46853	0x0000000100711f27 Interpret(JSContext*, js::RunState&) + 49159 (Interpreter.cpp:2802)
37  js-dbg-64-dm-clang-darwin-66e07ef46853	0x0000000100705e9c js::RunScript(JSContext*, js::RunState&) + 412 (Interpreter.cpp:425)
38  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010071df7c js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) + 604 (Interpreter.cpp:684)
39  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010071e34f js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 479 (RootingAPI.h:719)
40  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010054bff1 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4360)
41  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010054c262 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:719)
42  js-dbg-64-dm-clang-darwin-66e07ef46853	0x000000010001e6c9 Process(JSContext*, char const*, bool, FileKind) + 3273 (js.cpp:521)
43  js-dbg-64-dm-clang-darwin-66e07ef46853	0x0000000100004749 main + 11769 (js.cpp:6299)
44  js-dbg-64-dm-clang-darwin-66e07ef46853	0x0000000100000d34 start + 52

Setting [fuzzblocker] as this seems to be happening fairly often. Also crashes opt builds.

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160120092526" and the hash "1079f6d91f65f24c401133e6c313c7f405749c82".
The "bad" changeset has the timestamp "20160120095426" and the hash "3842b1992f25049b7230930c30d8e646ceb778ae".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1079f6d91f65f24c401133e6c313c7f405749c82&tochange=3842b1992f25049b7230930c30d8e646ceb778ae

Luke, is bug 1234985 a likely regressor?
Flags: needinfo?(luke)
Crash Signature: [@ strlen] → [@ strlen] [@ js::wasm::ModuleData::serializedSize]
Summary: Crash [@ strlen] → Crash [@ strlen] or [@ js::wasm::ModuleData::serializedSize]
Attached patch fix-bug
D'oh, when de-templatizing CacheableUniquePtr<CharsT> to be just CacheableChars, I accidentally took out the null filename check.  I of course should've added test cases for this the first time; add now.
Assignee: nobody → luke
Status: NEW → ASSIGNED
Flags: needinfo?(luke)
Attachment #8710608 - Flags: review?(bbouvier)
Attachment #8710608 - Flags: review?(bbouvier) → review+
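The null-filename check that Luke's comment says was dropped, and the strlen(nullptr) that the testcase and backtrace above show without it, as an added example that is not SpiderMonkey's code and not the attached patch. The CacheableCharsLite type, its [u32 length][bytes] wire format, and the sample filename "test.js" are assumptions made for this example; the real CacheableChars and its serialization format are not reproduced here.

```cpp
// Added illustration only; not SpiderMonkey code. A stand-in for the
// null-able cached string that the fix re-checks before calling strlen().
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <vector>

// Hypothetical analogue of CacheableChars: owns an optional NUL-terminated
// string. Null is a legal state (a script compiled with fileName: null).
struct CacheableCharsLite {
    std::unique_ptr<char[]> chars;  // may be null

    explicit CacheableCharsLite(const char* s = nullptr) {
        if (s) {
            size_t n = std::strlen(s) + 1;
            chars.reset(new char[n]);
            std::memcpy(chars.get(), s, n);
        }
    }

    // Wire format (an assumption for this example): [u32 LE n][n bytes].
    // n == 0 encodes the null string; otherwise the n bytes include the
    // terminating NUL, so "" and null stay distinct after a round trip.
    size_t serializedSize() const {
        // The ternary is the check the bug says was dropped: without it
        // strlen(nullptr) dereferences a null pointer, as in the backtrace.
        return sizeof(uint32_t) + (chars ? std::strlen(chars.get()) + 1 : 0);
    }

    // The regressed shape: right for non-null strings, a crash for null.
    // Kept only for contrast; never call it on a null value.
    size_t unsafeSerializedSize() const {
        return sizeof(uint32_t) + std::strlen(chars.get()) + 1;
    }

    // Appends the encoding to out and returns the number of bytes written,
    // which must equal serializedSize() (a cache preallocates from it).
    size_t serialize(std::vector<uint8_t>& out) const {
        uint32_t n = chars ? static_cast<uint32_t>(std::strlen(chars.get()) + 1) : 0;
        for (int i = 0; i < 4; i++) out.push_back(static_cast<uint8_t>(n >> (8 * i)));
        if (n) out.insert(out.end(), chars.get(), chars.get() + n);
        return sizeof n + n;
    }

    // Reads one encoded value from buf at pos. Cached bytes are untrusted,
    // so a short buffer or a string without its NUL is rejected.
    bool deserialize(const std::vector<uint8_t>& buf, size_t& pos) {
        if (pos > buf.size() || buf.size() - pos < sizeof(uint32_t)) return false;
        uint32_t n = 0;
        for (int i = 0; i < 4; i++) n |= static_cast<uint32_t>(buf[pos + i]) << (8 * i);
        pos += sizeof n;
        if (n == 0) { chars.reset(); return true; }
        if (buf.size() - pos < n || buf[pos + n - 1] != 0) return false;
        chars.reset(new char[n]);
        std::memcpy(chars.get(), buf.data() + pos, n);
        pos += n;
        return true;
    }
};

size_t sizeOf(const char* s) { return CacheableCharsLite(s).serializedSize(); }

// Serializes s, checks the size accounting, decodes it back and reports
// whether the decoded value equals the original (null included).
bool roundTrips(const char* s) {
    CacheableCharsLite src(s);
    std::vector<uint8_t> buf;
    if (src.serialize(buf) != src.serializedSize() || buf.size() != src.serializedSize()) return false;
    size_t pos = 0;
    CacheableCharsLite dst;
    if (!dst.deserialize(buf, pos) || pos != buf.size()) return false;
    if (!src.chars || !dst.chars) return !src.chars && !dst.chars;
    return std::strcmp(src.chars.get(), dst.chars.get()) == 0;
}

// Whether a raw (constructed) byte sequence is accepted as one encoded value.
bool acceptsEncoded(const std::vector<uint8_t>& bytes) {
    CacheableCharsLite v;
    size_t pos = 0;
    return v.deserialize(bytes, pos) && pos == bytes.size();
}

int main() {
    std::printf("null filename round-trips: %s\n", roundTrips(nullptr) ? "yes" : "no");
    std::printf("\"test.js\" round-trips:    %s\n", roundTrips("test.js") ? "yes" : "no");
    std::printf("truncated input rejected:  %s\n", acceptsEncoded({3, 0, 0, 0, 'a'}) ? "no" : "yes");
    return 0;
}
```

The two size functions differ only in the null guard, which is the whole regression: serializedSize() is what the cache writer sizes its buffer from, so the null case has to be counted as zero bytes rather than passed to strlen(). The decoder side is the matching caveat a reviewer would want: a length prefix read back from a cache is attacker-influenced data, so it is bounds-checked and the NUL terminator is verified before the bytes are trusted as a C string.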
https://hg.mozilla.org/mozilla-central/rev/fa5e60f6adaa
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46