Closed Bug 1260620 Opened 4 years ago Closed 4 years ago

Crash [@ js::frontend::Parser<js::frontend::FullParseHandler>::expr]

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64, macOS
Status: RESOLVED FIXED
Target Milestone: mozilla48
Tracking Status: firefox47 --- fixed; firefox48 --- fixed
People: Reporter: gkw, Assigned: mrrrgn
References: Blocks 2 open bugs
Details: Keywords: crash, testcase; Whiteboard: [jsbugmon:update]
Attachments: 1 file, 1 obsolete file

The following testcase crashes on mozilla-central revision d5d53a3b4e50 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

x > (0, {a = b} );

Backtrace:

0   js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x000000010005d432 js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 482 (Parser.cpp:3978)
1   js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x000000010005c95e js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 1614 (Parser.cpp:9614)
2   js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x000000010005faa9 js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 809 (Parser.cpp:8711)
3   js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x000000010005f3a1 js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 737 (Parser.cpp:8239)
4   js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x000000010005eeba js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 682 (Parser.cpp:7716)
5   js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x000000010005ea3f js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 31 (Parser.cpp:7776)
6   js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x000000010005d841 js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 753 (Parser.cpp:7904)
7   js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x000000010005d275 js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 37 (Parser.cpp:7556)
8   js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x0000000100050ae3 js::frontend::Parser<js::frontend::FullParseHandler>::expressionStatement(js::frontend::YieldHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 99 (Parser.cpp:7609)
9   js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x0000000100050086 js::frontend::Parser<js::frontend::FullParseHandler>::statement(js::frontend::YieldHandling, bool) + 1622 (Parser.cpp:7440)
10  js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x000000010004e0bb js::frontend::Parser<js::frontend::FullParseHandler>::statements(js::frontend::YieldHandling) + 571 (Parser.cpp:3531)
11  js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x00000001000477fd js::frontend::Parser<js::frontend::FullParseHandler>::globalBody() + 77 (Parser.cpp:1106)
12  js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x00000001009b669d BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>) + 717 (BytecodeCompiler.cpp:527)
13  js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x00000001009b84b5 js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, js::SourceCompressionTask*, js::ScriptSourceObject**) + 197 (BytecodeCompiler.cpp:738)
14  js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x0000000100594134 Compile(JSContext*, JS::ReadOnlyCompileOptions const&, SyntacticScopeOption, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) + 404 (RootingAPI.h:482)
15  js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x00000001005944bb Compile(JSContext*, JS::ReadOnlyCompileOptions const&, SyntacticScopeOption, char const*, unsigned long, JS::MutableHandle<JSScript*>) + 267 (jsapi.cpp:3988)
16  js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x0000000100594610 JS::Compile(JSContext*, JS::ReadOnlyCompileOptions const&, __sFILE*, JS::MutableHandle<JSScript*>) + 112 (jsapi.cpp:4014)
17  js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x000000010002056a Process(JSContext*, char const*, bool, FileKind) + 3434 (js.cpp:522)
18  js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x0000000100005c7b main + 11739 (js.cpp:6732)
19  js-dbg-64-dm-clang-darwin-d5d53a3b4e50	0x0000000100000ee4 start + 52

While waiting for the bisection result, setting needinfo? from Morgan as a start, as she was poking around Error stuff previously.
Flags: needinfo?(winter2718)

I know what's causing this. A quick tweak on my end fixed this up (though it was an experiment and not a fix).

Morgans-MacBook-Pro:_DBG.OBJ mrrrgn$ dist/bin/js
js> x > (0, {a = b} );
typein:1:13 SyntaxError: missing : after property id:
typein:1:13 x > (0, {a = b} );
typein:1:13 .............^
js>

Somewhere we're using possibleError without checking to see if it's null.
Flags: needinfo?(winter2718)
Assignee: nobody → winter2718
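The null-check pattern Morgan describes, as an added C++ illustration that is not SpiderMonkey's code: a hypothetical PossibleError-style deferred-error record, a parse routine that receives it as an optional pointer, and two callers. The comparison-context caller passes nullptr (the situation in the `x > (0, {a = b})` testcase), so a routine that dereferences the pointer unconditionally would crash there; with the check, the error is reported immediately, matching the shell's "missing : after property id". The type and function names, the column offset 13 (taken from the shell output above) and the calling convention are assumptions.

```cpp
#include <cstddef>
#include <string>

// Hypothetical deferred-error record (not SpiderMonkey's PossibleError).
// A syntax error seen while parsing `{a = b}` is only fatal if the object
// turns out not to be a destructuring target, so it is parked here first.
struct PossibleError {
    bool pending = false;
    std::string message;
    size_t offset = 0;

    void setPending(const std::string& msg, size_t off) {
        if (!pending) {  // keep the earliest error, as later ones are consequences
            pending = true;
            message = msg;
            offset = off;
        }
    }
};

// What a parse step hands back: either a hard error reported right away,
// or success (possibly with an error parked in the accumulator).
struct ParseOutcome {
    bool hardError;
    std::string message;
};

// Parses a shorthand-assignment property `name = expr`. possibleError is
// optional: nullptr means the caller is in a context that can never be an
// assignment target, so deferral makes no sense and the error is immediate.
ParseOutcome parseShorthandAssignment(size_t offset, PossibleError* possibleError) {
    const std::string msg = "missing : after property id";
    if (!possibleError) {
        // The check whose absence the bug describes: without it this path
        // would dereference a null pointer.
        return {true, msg};
    }
    possibleError->setPending(msg, offset);
    return {false, ""};
}

// Context 1: operand of a comparison, as in `x > (0, {a = b})`. Never an
// assignment target, so no accumulator is supplied.
ParseOutcome parseComparisonOperand() {
    return parseShorthandAssignment(13, nullptr);  // column 13, per the shell output
}

// Context 2: something that may be a destructuring target. The error is
// parked and only becomes fatal once we know `=` does not follow.
ParseOutcome parseMaybeAssignmentTarget(bool followedByAssign) {
    PossibleError possibleError;
    ParseOutcome out = parseShorthandAssignment(13, &possibleError);
    if (out.hardError) {
        return out;
    }
    if (possibleError.pending && !followedByAssign) {
        return {true, possibleError.message};
    }
    return {false, ""};
}
```

The asymmetry is the whole point: the accumulator is an optional out-parameter, so every routine that writes to it has to treat nullptr as a legitimate caller choice rather than a precondition.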

Attached patch nullpossibleerror.diff (obsolete) — Splinter Review
Good news, I knew exactly where to look for the problem.
Bad news, it was yet another careless derp.
Attachment #8736259 - Flags: review?(jorendorff)
Attachment #8736259 - Flags: review?(jorendorff) → review+

(In reply to Morgan Phillips [:mrrrgn] from comment #3)
> Good news, I knew exactly where to look for the problem.
> Bad news, it was yet another careless derp.

I'm so happy to be in this situation, compared to last time!

https://hg.mozilla.org/mozilla-central/rev/ebee3c43dfac
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160319143127" and the hash "ed4fe05c868dd5156fd07ce2cd9fc387f7683fe8".
The "bad" changeset has the timestamp "20160319181929" and the hash "5b73e989354691bca6fece76f378724aa6cb16e5".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=ed4fe05c868dd5156fd07ce2cd9fc387f7683fe8&tochange=5b73e989354691bca6fece76f378724aa6cb16e5

Guessing bug 1257053 was probably related.
Blocks: 1257053
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Attachment #8736259 - Flags: approval-mozilla-aurora?
Note, this should not go to aurora until the patch in https://bugzilla.mozilla.org/show_bug.cgi?id=1257053 does.

Comment on attachment 8736259 [details] [diff] [review]
nullpossibleerror.diff

Morgan, could you please answer the questions on the uplift template? Without that it is hard for release management to evaluate the justification of uplifting the fix and risk associated. Thanks!
Flags: needinfo?(winter2718)
Attachment #8736259 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora-

(In reply to Ritu Kothari (:ritu) from comment #9)
> Comment on attachment 8736259 [details] [diff] [review]
> nullpossibleerror.diff
> 
> Morgan, could you please answer the questions on the uplift template?
> Without that it is hard for release management to evaluate the justification
> of uplifting the fix and risk associated. Thanks!

Sure thing, apologies.
Flags: needinfo?(winter2718)

Approval Request Comment
[Feature/regressing bug #]: 1260620
[User impact if declined]: Crashes when impacted JS statements are executed.
[Describe test coverage new/current, TreeHerder]: SpiderMonkey [jit] test cases are included in the patch.
[Risks and why]: This patch must be applied after the patch (uplift requested) from bug 1257053: "possibleerrorfix.diff".
[String/UUID change made/needed]:
Attachment #8736259 - Attachment is obsolete: true
Attachment #8744081 - Flags: approval-mozilla-aurora?
Attachment #8744081 - Flags: approval-mozilla-aurora?

Comment on attachment 8744081 [details] [diff] [review]
nullpossibleerror.diff

Approval Request Comment
[Feature/regressing bug #]: 1260620
[User impact if declined]: Crashes when impacted JS statements are executed.
[Describe test coverage new/current, TreeHerder]: SpiderMonkey [jit] test cases are included in the patch.
[Risks and why]: This patch must be applied after the patch (uplift requested) from bug 1257053: "possibleerrorfix.diff". Otherwise it will cause crashes/undefined behavior.
[String/UUID change made/needed]:
Attachment #8744081 - Flags: approval-mozilla-aurora?

Comment on attachment 8744081 [details] [diff] [review]
nullpossibleerror.diff

Crash fix, has automated test coverage, Aurora47+
Attachment #8744081 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+