1462286 - Crash [@ js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::checkExportedNamesForObjectBinding] or Assertion failure: node->isKind ... with export

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P2)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 3c9d69736f4a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --no-threads):

let m = parseModule(`
  export var { ... get } = 0;
`);


Backtrace:

received signal SIGSEGV, Segmentation fault.
js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::checkExportedNamesForObjectBinding (this=0x7fffffffc6c8, pn=<optimized out>) at js/src/frontend/Parser.cpp:5433
#0  js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::checkExportedNamesForObjectBinding (this=0x7fffffffc6c8, pn=<optimized out>) at js/src/frontend/Parser.cpp:5433
#1  0x0000000000522895 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::checkExportedNamesForDeclarationList (this=this@entry=0x7fffffffc6c8, node=node@entry=0x7ffff5f6e080) at js/src/frontend/Parser.cpp:5503
#2  0x000000000053f491 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::checkExportedNamesForDeclarationList (node=0x7ffff5f6e080, this=0x7fffffffc6c8) at js/src/frontend/Parser.cpp:5522
#3  js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::exportVariableStatement (this=this@entry=0x7fffffffc6c8, begin=begin@entry=3) at js/src/frontend/Parser.cpp:5826
#4  0x0000000000540972 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::exportDeclaration (this=this@entry=0x7fffffffc6c8) at js/src/frontend/Parser.cpp:6071
#5  0x0000000000540c48 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=this@entry=0x7fffffffc6c8, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:7891
#6  0x00000000005418e5 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=this@entry=0x7fffffffc6c8, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:4260
#7  0x000000000054614d in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::moduleBody (this=this@entry=0x7fffffffc6c8, modulesc=modulesc@entry=0x7fffffffb6c0) at js/src/frontend/Parser.cpp:2319
#8  0x0000000000bd0409 in BytecodeCompiler::compileModule (this=this@entry=0x7fffffffc180) at js/src/frontend/BytecodeCompiler.cpp:410
#9  0x0000000000bd0d41 in js::frontend::CompileModule (cx=cx@entry=0x7ffff5f14000, optionsInput=..., srcBuf=..., alloc=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:710
#10 0x0000000000bd0e21 in js::frontend::CompileModule (cx=cx@entry=0x7ffff5f14000, options=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:728
#11 0x000000000044ddec in ParseModule (cx=0x7ffff5f14000, argc=<optimized out>, vp=0x7ffff5aea090) at js/src/shell/js.cpp:4259
#12 0x0000000000565231 in js::CallJSNative (args=..., native=0x44dbb0 <ParseModule(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff5f14000) at js/src/vm/JSContext-inl.h:280
[...]
#25 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9301
rax	0x12	18
rbx	0x7ffff5f6e110	140737319985424
rcx	0x0	0
rdx	0x2	2
rsi	0x0	0
rdi	0x7fffffffc6c8	140737488340680
rbp	0x7fffffffc6c8	140737488340680
rsp	0x7fffffffb200	140737488335360
r8	0x1	1
r9	0x1d	29
r10	0x7fffffffc958	140737488341336
r11	0x7fffffffc6f8	140737488340728
r12	0x7ffff5f6e080	140737319985280
r13	0x3	3
r14	0x7fffffffb2f0	140737488335600
r15	0x7ffff5f6e050	140737319985232
rip	0x5227ec <js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::checkExportedNamesForObjectBinding(js::frontend::ParseNode*)+28>
=> 0x5227ec <js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::checkExportedNamesForObjectBinding(js::frontend::ParseNode*)+28>:	cmpw   $0x77,(%rsi)
   0x5227f0 <js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::checkExportedNamesForObjectBinding(js::frontend::ParseNode*)+32>:	je     0x522817 <js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::checkExportedNamesForObjectBinding(js::frontend::ParseNode*)+71>


This was found due to the recent ES grammar updates.

Comment 1

[Jon Coppeard (:jonco)]

Currently we don't handle all cases when exporting object destructuring bindings.  This was added in bug 1446811.

Comment 2

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/66ad093f7e6a
user:        André Bargull
date:        Thu May 04 05:05:26 2017 -0700
summary:     Bug 1339395 - Part 2: Add parser support for rest and spread object properties. r=shu

This iteration took 213.499 seconds to run.

Comment 3

[Jon Coppeard (:jonco)]

Attachment: bug1462286-export-object-spread

Patch to support handling of spread nodes when exporting object destructuring bindings and add a test.

Comment 4

[Christian Holler (:decoder)]

Highly frequent crash in fuzzing, marking as fuzzblocker.

Jason, can you help unblocking fuzzing here by prioritizing this review? Thanks!

Comment 5

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c2c5734903b2
Fix handling of spread operator when exporting destructuring object bindings r=jorendorff

Comment 6

[Andrei Ciure[:aciure]]

https://hg.mozilla.org/mozilla-central/rev/c2c5734903b2

Comment 7

[Ryan VanderMeulen [:RyanVM]]

I think this can just ride the trains given where we are in the cycle, but feel free to nominate it for backport if you feel strongly otherwise.