Bug 1264954
Opened 8 years ago
Closed 8 years ago
Crash [@ js::frontend::Parser<js::frontend::FullParseHandler>::addExprAndGetNextTemplStrToken] with OOM
Categories
(Core :: JavaScript Engine, defect)
Status: RESOLVED FIXED
Target Milestone: mozilla48

| | Tracking | Status |
|---|---|---|
| firefox48 | --- | fixed |
People
(Reporter: decoder, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])
Attachments (2 files, 1 obsolete file)
- patch, 1.17 KB (jonco: review+)
- text/plain, 10.34 KB
The following testcase crashes on mozilla-central revision 10f66b316457 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

```js
loadFile("");
loadFile("");
loadFile(`eval([ "x = \`\${new Error.lineNumber}" ].join())` );
function loadFile(lfVarx) oomTest(function() eval(lfVarx));
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
js::frontend::Parser<js::frontend::FullParseHandler>::addExprAndGetNextTemplStrToken (this=0x7fffffff9c40, yieldHandling=<optimized out>, nodeList=0x0, ttp=0x7fffffff8810) at js/src/frontend/Parser.cpp:2712
#0  js::frontend::Parser<js::frontend::FullParseHandler>::addExprAndGetNextTemplStrToken (this=0x7fffffff9c40, yieldHandling=<optimized out>, nodeList=0x0, ttp=0x7fffffff8810) at js/src/frontend/Parser.cpp:2712
#1  0x000000000050d455 in js::frontend::Parser<js::frontend::FullParseHandler>::templateLiteral (this=this@entry=0x7fffffff9c40, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:2758
#2  0x000000000050f24b in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=this@entry=0x7fffffff9c40, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x7fffffff8bd0, tt=<optimized out>, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:9520
#3  0x000000000050e595 in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=this@entry=0x7fffffff9c40, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x7fffffff8bd0, tt=js::frontend::TOK_TEMPLATE_HEAD, allowCallSyntax=allowCallSyntax@entry=true, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:8719
#4  0x0000000000511526 in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=this@entry=0x7fffffff9c40, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x7fffffff8bd0, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:8248
#5  0x000000000051179a in js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1 (this=this@entry=0x7fffffff9c40, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x7fffffff8bd0, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:7724
#6  0x0000000000511c0e in js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1 (this=this@entry=0x7fffffff9c40, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x7fffffff8bd0, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:7784
#7  0x0000000000508fbb in js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr (this=this@entry=0x7fffffff9c40, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x7fffffff8ee0, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:7912
#8  0x0000000000509237 in js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr (this=this@entry=0x7fffffff9c40, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x7fffffff8ee0, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:8017
#9  0x000000000050cde9 in js::frontend::Parser<js::frontend::FullParseHandler>::expr (this=this@entry=0x7fffffff9c40, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x7fffffff8ee0, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:7562
#10 0x000000000050d0bb in js::frontend::Parser<js::frontend::FullParseHandler>::expr (this=this@entry=0x7fffffff9c40, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:7617
#11 0x000000000050e3e9 in js::frontend::Parser<js::frontend::FullParseHandler>::expressionStatement (this=this@entry=0x7fffffff9c40, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:5792
#12 0x000000000050715d in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=this@entry=0x7fffffff9c40, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:7452
#13 0x000000000050788d in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0x7fffffff9c40, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3536
#14 0x00000000004e1977 in js::frontend::Parser<js::frontend::FullParseHandler>::evalBody (this=0x7fffffff9c40) at js/src/frontend/Parser.cpp:1090
#15 0x0000000000c1821c in BytecodeCompiler::compileScript (this=this@entry=0x7fffffff95d0, scopeChain=..., scopeChain@entry=..., evalCaller=..., evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:529
#16 0x0000000000c185d3 in js::frontend::CompileScript (cx=cx@entry=0x7ffff6908800, alloc=<optimized out>, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=0x7ffff7e889e8, extraSct=extraSct@entry=0x0, sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:742
#17 0x0000000000847979 in EvalKernel (cx=cx@entry=0x7ffff6908800, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=scopeobj@entry=..., pc=<optimized out>, vp=vp@entry=...) at js/src/builtin/Eval.cpp:315
#18 0x0000000000847ea9 in js::DirectEval (cx=cx@entry=0x7ffff6908800, v=..., vp=...) at js/src/builtin/Eval.cpp:439
#19 0x0000000000a81c06 in Interpret (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:2746
#20 0x0000000000a8fb28 in js::RunScript (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:426
#21 0x0000000000a92999 in js::ExecuteKernel (cx=cx@entry=0x7ffff6908800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffc130) at js/src/vm/Interpreter.cpp:704
#22 0x0000000000847559 in EvalKernel (cx=cx@entry=0x7ffff6908800, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=..., scopeobj@entry=..., pc=<optimized out>, vp=vp@entry=...) at js/src/builtin/Eval.cpp:328
#23 0x0000000000847ea9 in js::DirectEval (cx=cx@entry=0x7ffff6908800, v=..., vp=vp@entry=...) at js/src/builtin/Eval.cpp:439
#24 0x0000000000617ba6 in js::jit::DoCallFallback (cx=0x7ffff6908800, frame=0x7fffffffc1c8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc178, res=...) at js/src/jit/BaselineIC.cpp:6101
#25 0x00007ffff7ff1a1f in ?? ()
[...]
#57 0x0000000000000000 in ?? ()
rax 0x7ffff698b418 140737330590744
rbx 0x0 0
rcx 0x0 0
rdx 0x3 3
rsi 0x7fffffff8680 140737488324224
rdi 0x7fffffff8770 140737488324464
rbp 0x7fffffff8800 140737488324608
rsp 0x7fffffff87d0 140737488324560
r8  0x7fffffff9f54 140737488330580
r9  0x0 0
r10 0x7fffffff80a0 140737488322720
r11 0x1c13b40 29440832
r12 0x7fffffff9c40 140737488329792
r13 0x7fffffff8810 140737488324624
r14 0x7fffffff8810 140737488324624
r15 0x7fffffff8930 140737488324912
rip 0x50d26c <js::frontend::Parser<js::frontend::FullParseHandler>::addExprAndGetNextTemplStrToken(js::frontend::YieldHandling, js::frontend::ParseNode*, js::frontend::TokenKind*)+44>
=> 0x50d26c <js::frontend::Parser<js::frontend::FullParseHandler>::addExprAndGetNextTemplStrToken(js::frontend::YieldHandling, js::frontend::ParseNode*, js::frontend::TokenKind*)+44>: movzbl 0x3(%rbx),%edx
   0x50d270 <js::frontend::Parser<js::frontend::FullParseHandler>::addExprAndGetNextTemplStrToken(js::frontend::YieldHandling, js::frontend::ParseNode*, js::frontend::TokenKind*)+48>: and $0xf,%edx
```
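The backtrace shows frame #0 entered with nodeList=0x0 from templateLiteral and faulting on `movzbl 0x3(%rbx)` with rbx=0, i.e. a null list dereferenced after an allocation failed under oomTest. The C++ sketch below is an added illustration of that failure shape, not SpiderMonkey's code; NodeList, OomAllocator and the two parser-like functions are hypothetical stand-ins, and the check in templateLiteralChecked is the general pattern, not a claim about what the landed patch changed.

```cpp
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for a parse-node list; not SpiderMonkey's real type.
struct NodeList { std::vector<std::string> exprs; };

// Fallible allocator driven the way oomTest drives the engine: the allocation
// numbered failAt (1-based) returns nullptr, every other one succeeds.
struct OomAllocator {
    int failAt = 0;   // 0 = never fail
    int count = 0;
    std::unique_ptr<NodeList> newList() {
        if (++count == failAt) return nullptr;   // simulated OOM
        return std::unique_ptr<NodeList>(new NodeList());
    }
};

// Like the callee in frame #0, this dereferences nodeList unconditionally, so
// handing it the null result of a failed allocation (nodeList=0x0 in the
// backtrace) is a null-pointer crash rather than a reported error.
static bool addExprAndGetNextTemplStrToken(NodeList* nodeList, const std::string& e) {
    nodeList->exprs.push_back(e);
    return true;
}

// Hardened shape: the allocation result is checked and a failure is reported
// as nullptr (the parser's "return null()" idiom) before anything dereferences
// it. Remove the `if (!list)` line and the sweep below aborts with SIGSEGV.
static std::unique_ptr<NodeList>
templateLiteralChecked(OomAllocator& alloc, const std::vector<std::string>& exprs) {
    std::unique_ptr<NodeList> list = alloc.newList();   // may be nullptr
    if (!list) return nullptr;                           // propagate OOM
    for (const auto& e : exprs)
        if (!addExprAndGetNextTemplStrToken(list.get(), e)) return nullptr;
    return list;
}

// oomTest-style sweep: fail allocation 1, 2, ... in turn. Returns true if every
// run either built the full list or reported nullptr, i.e. no run lost data
// silently; a crash would end the process instead of returning at all.
static bool oomSweepChecked(const std::vector<std::string>& exprs, int maxFail) {
    for (int failAt = 1; failAt <= maxFail; ++failAt) {
        OomAllocator alloc; alloc.failAt = failAt;
        std::unique_ptr<NodeList> list = templateLiteralChecked(alloc, exprs);
        if (list && list->exprs.size() != exprs.size()) return false;
    }
    return true;
}
```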
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
JIT assembler stuff is on the OOM_VERBOSE=1 stack, setting needinfo? from Jan/Hannes as a start.
Flags: needinfo?(jdemooij)
Flags: needinfo?(hv1989)
Comment 4•8 years ago
Trivial OOM bug in the parser. Gary, the OOM stack looks unrelated. Are you sure that's the stack for the last OOM failure?
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Flags: needinfo?(hv1989)
Attachment #8742775 - Flags: review?(jcoppeard)
Updated•8 years ago
Attachment #8742775 - Flags: review?(jcoppeard) → review+
The previous OOM_VERBOSE stack was from the allocation number of the wrong thread, this one should now (hopefully) be correct.
Attachment #8742595 - Attachment is obsolete: true
Comment 7•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/fdab10431cc9
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48