Bug 1287406 (Closed): Crash [@ EncodeLatin1] or Assertion failure: name, at frontend/Parser.cpp:1026
Opened 8 years ago, closed 8 years ago
Category: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED, mozilla51
People: Reporter: decoder, Assigned: jonco
Details: 4 keywords, Whiteboard: [jsbugmon:]
Attachments: 1 file (patch, 2.75 KB; shu: review+)

The following testcase crashes on mozilla-central revision 711963e8daa3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-optimize, run with --fuzzing-safe):
    function startTest() {}
    function test_syntax(postfixes, check_error, ignore_opts) {
        function test_reflect(code, module) {
            options = {target: "module"};
            for (var postfix of postfixes) {
                var cur_code = code + postfix;
                Reflect.parse(cur_code, options);
            }
        }
        function test(code, opts={}) {
            let module = "module" in opts && opts.module;
            test_reflect(code, module);
        }
        var opts = { no_fun: true, no_eval: true, module: true };
        test("export default ", opts);
    }
    var postfixes = [
        startTest(Array, Array * 2) ? (yield) : () => uint16(3.14) == 3,
    ];
    function check_syntax_error(e, code) {}
    test_syntax(postfixes, check_syntax_error, undefined);
Backtrace:
received signal SIGSEGV, Segmentation fault.
EncodeLatin1 (cx=0x7ffff696e000, str=str@entry=0x0) at js/src/jsapi.cpp:5302
#0 EncodeLatin1 (cx=0x7ffff696e000, str=str@entry=0x0) at js/src/jsapi.cpp:5302
#1 0x000000000074103f in JSAutoByteString::encodeLatin1 (this=this@entry=0x7fffffffbc90, cx=<optimized out>, str=str@entry=0x0) at js/src/jsapi.cpp:6496
#2 0x00000000004896ea in js::frontend::Parser<js::frontend::FullParseHandler>::standaloneModule (this=this@entry=0x7fffffffc7a0, module=..., module@entry=..., builder=...) at js/src/frontend/Parser.cpp:1031
#3 0x00000000009de9f8 in reflect_parse (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/ReflectParse.cpp:3759
#4 0x00000000008ad523 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff696e000) at js/src/jscntxtinlines.h:232
[...]
#17 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7519
rax 0x0 0
rbx 0x7fffffffbc90 140737488338064
rcx 0x7ffff692e500 140737330210048
rdx 0x0 0
rsi 0x0 0
rdi 0x7ffff696e000 140737330470912
rbp 0x0 0
rsp 0x7fffffffbc20 140737488337952
r8 0x0 0
r9 0x1af 431
r10 0x7ffff69a22c8 140737330684616
r11 0x7fffffffc3e8 140737488339944
r12 0x7fffffffc7a0 140737488340896
r13 0x7ffff696e000 140737330470912
r14 0x0 0
r15 0x7fffffffbd00 140737488338176
rip 0x740bce <EncodeLatin1(js::ExclusiveContext*, JSString*)+14>
=> 0x740bce <EncodeLatin1(js::ExclusiveContext*, JSString*)+14>: mov (%rsi),%eax
0x740bd0 <EncodeLatin1(js::ExclusiveContext*, JSString*)+16>: mov %rsi,%rbx
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20160105064937" and the hash "f18072a8592581df42c0be4f669151334757565c".
The "bad" changeset has the timestamp "20160105073330" and the hash "a110885c2b5b808c78cb695a2202d481dcb559fb".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f18072a8592581df42c0be4f669151334757565c&tochange=a110885c2b5b808c78cb695a2202d481dcb559fb
Jon, would bug 1233109 be a likely regressor?
Blocks: 1233109
Flags: needinfo?(jcoppeard)
Comment 3•8 years ago (Assignee)
It seems we assert when parsing the module 'export default () => 1'.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Comment 4•8 years ago (Assignee)
The problem here is that we get confused between the following productions when processing module exports:
export default HoistableDeclaration
export default AssignmentExpression
Because an assignment expression can be an arrow function.
This leads to us trying to use the arrow function's name (which is nullptr) for its local name.
Attachment #8772478 -
Flags: review?(shu)
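
A toy model of the confusion described in comment 4, added here as an illustration; it is not SpiderMonkey code and not the attached patch. The node kinds, the function names and the way the misclassification is modelled are assumptions; the `*default*` local name for `export default AssignmentExpression` comes from the ECMAScript module semantics.

```cpp
#include <cstdio>
#include <cstring>

// Toy model, not SpiderMonkey code: the node parsed after `export default`.
enum class NodeKind { Function, Arrow, Class, Other };
enum class Production { HoistableDeclaration, ClassDeclaration, AssignmentExpression };

struct Node {
    NodeKind kind;
    const char* name;  // nullptr when there is no binding identifier (always for arrows)
};

static const char kDefaultName[] = "*default*";  // spec-defined local name

// Assumed shape of the confusion: every function-like node, arrows included,
// is routed down the declaration path.
Production classifyConfused(const Node& n) {
    if (n.kind == NodeKind::Function || n.kind == NodeKind::Arrow)
        return Production::HoistableDeclaration;
    return n.kind == NodeKind::Class ? Production::ClassDeclaration
                                     : Production::AssignmentExpression;
}

// Arrow functions are expressions, so only real function nodes are declarations.
Production classifyStrict(const Node& n) {
    if (n.kind == NodeKind::Function) return Production::HoistableDeclaration;
    return n.kind == NodeKind::Class ? Production::ClassDeclaration
                                     : Production::AssignmentExpression;
}

// Declaration path trusts n.name and may hand nullptr to whatever encodes the name.
const char* localNameUnchecked(const Node& n, Production p) {
    return p == Production::AssignmentExpression ? kDefaultName : n.name;
}

// Hardened: expressions and nameless declarations both bind to "*default*".
const char* localNameChecked(const Node& n, Production p) {
    if (p == Production::AssignmentExpression || n.name == nullptr) return kDefaultName;
    return n.name;
}

int main() {
    Node arrow{NodeKind::Arrow, nullptr};  // models `export default () => 1`
    const char* bad = localNameUnchecked(arrow, classifyConfused(arrow));
    const char* good = localNameChecked(arrow, classifyStrict(arrow));
    std::printf("unchecked: %s\nchecked: %s\n", bad ? bad : "(null)", good);
    return 0;
}
```

The unchecked path returns a null name for the arrow function, which corresponds to the `str=0x0` argument seen in the backtrace; the checked path never returns null.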
Updated•8 years ago
Version: Trunk → 46 Branch
Updated•8 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 5•8 years ago
JSBugMon: Cannot process bug: Error: Unsupported branch "46 Branch" required by bug
Comment 6•8 years ago
Crash volume for signature 'EncodeLatin1':
- nightly (version 50): 0 crash from 2016-06-06.
- aurora (version 49): 0 crash from 2016-06-07.
- beta (version 48): 2 crashes from 2016-06-06.
- release (version 47): 28 crashes from 2016-05-31.
- esr (version 45): 2 crashes from 2016-04-07.
Crash volume on the last weeks:
            Week N-1  Week N-2  Week N-3  Week N-4  Week N-5  Week N-6  Week N-7
- nightly          0         0         0         0         0         0         0
- aurora           0         0         0         0         0         0         0
- beta             0         0         1         0         1         0         0
- release          2         6        10         3         1         6         0
- esr              0         0         0         1         0         0         0
Affected platforms: Windows, Mac OS X, Linux
status-firefox-esr45:
--- → affected
Updated•8 years ago
Attachment #8772478 -
Flags: review?(shu) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4cc1c950241b
Fix exporting an arrow function as the default export r=shu
Comment 8•8 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51