Closed Bug 1287344 Opened 8 years ago Closed 8 years ago

Crash [@ js::frontend::Definition::kind]

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

RESOLVED FIXED
Tracking Status
firefox50 --- affected
firefox51 --- fixed

People

(Reporter: gkw, Unassigned)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 711963e8daa3 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/tests/ecma_6/Comprehensions/generator-semantics.js
oomTest(function(y) {
    load("testcase.js");
})

and testcase.js is:

function f() {
    return [for (i of (for (j of[]) {}))
            function g() {
                return [for (x of (for (i of[0]) {}))]
            }]
}



Backtrace:

0   js-dbg-64-dm-clang-darwin-711963e8daa3	0x000000010dde6526 js::frontend::Definition::kind() + 6 (ParseNode.h:1666)
1   js-dbg-64-dm-clang-darwin-711963e8daa3	0x000000010d374121 js::frontend::ParseContext<js::frontend::FullParseHandler>::popLetDecl(JSAtom*) + 33 (Parser.cpp:480)
2   js-dbg-64-dm-clang-darwin-711963e8daa3	0x000000010d34160c js::frontend::Parser<js::frontend::FullParseHandler>::AutoPushStmtInfoPC::~AutoPushStmtInfoPC() + 556 (Parser.cpp:3862)
3   js-dbg-64-dm-clang-darwin-711963e8daa3	0x000000010d35923e js::frontend::Parser<js::frontend::FullParseHandler>::comprehensionFor(js::GeneratorKind) + 2078 (Parser.cpp:3937)
4   js-dbg-64-dm-clang-darwin-711963e8daa3	0x000000010d359e4c js::frontend::Parser<js::frontend::FullParseHandler>::arrayComprehension(unsigned int) + 60 (Parser.cpp:8561)
5   js-dbg-64-dm-clang-darwin-711963e8daa3	0x000000010d356447 js::frontend::Parser<js::frontend::FullParseHandler>::arrayInitializer(js::frontend::YieldHandling) + 263 (Parser.cpp:9012)
6   js-dbg-64-dm-clang-darwin-711963e8daa3	0x000000010d3515f7 js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 887 (Parser.cpp:9514)
7   js-dbg-64-dm-clang-darwin-711963e8daa3	0x000000010d354a16 js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) + 806 (Parser.cpp:8753)
/snip

For detailed crash information, see attachment.
autoBisect only points back to the introduction of oomTest:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1

Attaching the OOM_VERBOSE=1 stack may help instead. Since this is Parser territory, setting needinfo? from :jorendorff and :Waldo instead.
Flags: needinfo?(jwalden+bmo)
Flags: needinfo?(jorendorff)
This involves definitions, which means it's hairy-old-parser territory.  Should regroup on this after the new parser lands.
Depends on: 1263355
Flags: needinfo?(jwalden+bmo)
(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #3)
> This involves definitions, which means it's hairy-old-parser territory. 
> Should regroup on this after the new parser lands.

The new parser stuff in bug 1263355 has landed. What's next?

(re-setting ni? from Waldo, setting ni? from Shu-yu because he fixed bug 1263355...)
Flags: needinfo?(shu)
Flags: needinfo?(jwalden+bmo)
Does it still crash? If not, we should close.
Flags: needinfo?(shu)
Due to skipped revisions, the first good revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)

changeset:   https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Report memory metrics for Scopes. (r=njn)

No, it no longer seems to occur, and resolving FIXED as per comment 5 and this fix window.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jwalden+bmo)
Flags: needinfo?(jorendorff)
Resolution: --- → FIXED