Bug 1260620: Crash [@ js::frontend::Parser<js::frontend::FullParseHandler>::expr]
Status: RESOLVED FIXED (Closed), mozilla48
Opened 8 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: gkw, Assigned: mrrrgn
Keywords: crash, testcase
Whiteboard: [jsbugmon:update]
Attachments: 1 file, 1 obsolete file (patch, 2.06 KB; ritu: approval-mozilla-aurora+)
The following testcase crashes on mozilla-central revision d5d53a3b4e50 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

x > (0, {a = b} );

Backtrace:

0 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x000000010005d432 js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 482 (Parser.cpp:3978)
1 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x000000010005c95e js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 1614 (Parser.cpp:9614)
2 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x000000010005faa9 js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 809 (Parser.cpp:8711)
3 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x000000010005f3a1 js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 737 (Parser.cpp:8239)
4 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x000000010005eeba js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 682 (Parser.cpp:7716)
5 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x000000010005ea3f js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 31 (Parser.cpp:7776)
6 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x000000010005d841 js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 753 (Parser.cpp:7904)
7 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x000000010005d275 js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 37 (Parser.cpp:7556)
8 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x0000000100050ae3 js::frontend::Parser<js::frontend::FullParseHandler>::expressionStatement(js::frontend::YieldHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 99 (Parser.cpp:7609)
9 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x0000000100050086 js::frontend::Parser<js::frontend::FullParseHandler>::statement(js::frontend::YieldHandling, bool) + 1622 (Parser.cpp:7440)
10 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x000000010004e0bb js::frontend::Parser<js::frontend::FullParseHandler>::statements(js::frontend::YieldHandling) + 571 (Parser.cpp:3531)
11 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x00000001000477fd js::frontend::Parser<js::frontend::FullParseHandler>::globalBody() + 77 (Parser.cpp:1106)
12 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x00000001009b669d BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>) + 717 (BytecodeCompiler.cpp:527)
13 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x00000001009b84b5 js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, js::SourceCompressionTask*, js::ScriptSourceObject**) + 197 (BytecodeCompiler.cpp:738)
14 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x0000000100594134 Compile(JSContext*, JS::ReadOnlyCompileOptions const&, SyntacticScopeOption, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) + 404 (RootingAPI.h:482)
15 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x00000001005944bb Compile(JSContext*, JS::ReadOnlyCompileOptions const&, SyntacticScopeOption, char const*, unsigned long, JS::MutableHandle<JSScript*>) + 267 (jsapi.cpp:3988)
16 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x0000000100594610 JS::Compile(JSContext*, JS::ReadOnlyCompileOptions const&, __sFILE*, JS::MutableHandle<JSScript*>) + 112 (jsapi.cpp:4014)
17 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x000000010002056a Process(JSContext*, char const*, bool, FileKind) + 3434 (js.cpp:522)
18 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x0000000100005c7b main + 11739 (js.cpp:6732)
19 js-dbg-64-dm-clang-darwin-d5d53a3b4e50 0x0000000100000ee4 start + 52
Comment 1 • 8 years ago (Reporter)
While waiting for the bisection result, setting needinfo? from Morgan as a start, as she was poking around Error stuff previously.
Flags: needinfo?(winter2718)
Comment 2 • 8 years ago (Assignee)

I know what's causing this. A quick tweak on my end fixed this up (though it was an experiment and not a fix).

Morgans-MacBook-Pro:_DBG.OBJ mrrrgn$ dist/bin/js
js> x > (0, {a = b} );
typein:1:13 SyntaxError: missing : after property id:
typein:1:13 x > (0, {a = b} );
typein:1:13 .............^
js>

Somewhere we're using possibleError without checking to see if it's null.
Flags: needinfo?(winter2718)
Updated • 8 years ago (Assignee)
Assignee: nobody → winter2718

Comment 3 • 8 years ago (Assignee)
Good news, I knew exactly where to look for the problem. Bad news, it was yet another careless derp.
Attachment #8736259 - Flags: review?(jorendorff)

Updated • 8 years ago
Attachment #8736259 - Flags: review?(jorendorff) → review+

Comment 4 • 8 years ago

(In reply to Morgan Phillips [:mrrrgn] from comment #3)
> Good news, I knew exactly where to look for the problem.
> Bad news, it was yet another careless derp.

I'm so happy to be in this situation, compared to last time!

Comment 6 • 8 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/ebee3c43dfac
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48

Comment 7 • 8 years ago (Reporter)

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160319143127" and the hash "ed4fe05c868dd5156fd07ce2cd9fc387f7683fe8".
The "bad" changeset has the timestamp "20160319181929" and the hash "5b73e989354691bca6fece76f378724aa6cb16e5".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=ed4fe05c868dd5156fd07ce2cd9fc387f7683fe8&tochange=5b73e989354691bca6fece76f378724aa6cb16e5

Guessing bug 1257053 was probably related.
Blocks: 1257053
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Updated • 8 years ago (Assignee)
Attachment #8736259 - Flags: approval-mozilla-aurora?

Comment 8 • 8 years ago (Assignee)
Note, this should not go to aurora until the patch in https://bugzilla.mozilla.org/show_bug.cgi?id=1257053 does.
status-firefox47: --- → affected

Comment on attachment 8736259 [details] [diff] [review]
nullpossibleerror.diff

Morgan, could you please answer the questions on the uplift template? Without that it is hard for release management to evaluate the justification of uplifting the fix and risk associated. Thanks!
Flags: needinfo?(winter2718)
Attachment #8736259 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora-

Comment 10 • 8 years ago (Assignee)

(In reply to Ritu Kothari (:ritu) from comment #9)
> Comment on attachment 8736259 [details] [diff] [review]
> nullpossibleerror.diff
>
> Morgan, could you please answer the questions on the uplift template?
> Without that it is hard for release management to evaluate the justification
> of uplifting the fix and risk associated. Thanks!

Sure thing, apologies.
Flags: needinfo?(winter2718)

Comment 11 • 8 years ago (Assignee)

Approval Request Comment
[Feature/regressing bug #]: 1260620
[User impact if declined]: Crashes when impacted JS statements are executed.
[Describe test coverage new/current, TreeHerder]: SpiderMonkey [jit] test cases are included in the patch.
[Risks and why]: This patch must be applied after the patch (uplift requested) from bug 1257053: "possibleerrorfix.diff".
[String/UUID change made/needed]:

Attachment #8736259 - Attachment is obsolete: true
Attachment #8744081 - Flags: approval-mozilla-aurora?

Updated • 8 years ago (Assignee)
Attachment #8744081 - Flags: approval-mozilla-aurora?

Comment 12 • 8 years ago (Assignee)

Comment on attachment 8744081 [details] [diff] [review]
nullpossibleerror.diff

Approval Request Comment
[Feature/regressing bug #]: 1260620
[User impact if declined]: Crashes when impacted JS statements are executed.
[Describe test coverage new/current, TreeHerder]: SpiderMonkey [jit] test cases are included in the patch.
[Risks and why]: This patch must be applied after the patch (uplift requested) from bug 1257053: "possibleerrorfix.diff". Otherwise it will cause crashes/undefined behavior.
[String/UUID change made/needed]:

Attachment #8744081 - Flags: approval-mozilla-aurora?

Comment on attachment 8744081 [details] [diff] [review]
nullpossibleerror.diff

Crash fix, has automated test coverage, Aurora47+

Attachment #8744081 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Comment 14 • 8 years ago (bugherder uplift)
https://hg.mozilla.org/releases/mozilla-aurora/rev/967a66bc2a5c