Bug 1662260 (Closed)
Opened 4 years ago, closed 4 years ago
Crash [@ js::frontend::ParserAtomEntry::isIndex] with OOM and private methods
Categories: Core :: JavaScript Engine, defect, P1
Status: RESOLVED FIXED, target milestone 82 Branch
People: Reporter: decoder, Assigned: djvj
Keywords: crash, regression, testcase; Whiteboard: [bugmon:update,bisect,confirmed]
Attachments: 2 files
The following testcase crashes on mozilla-central revision 20200831-b4055ac79297 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --enable-private-fields --enable-private-methods):
function loadX(lfVarx) {
  oomTest(function() {
    let m55 = parseModule(lfVarx);
  });
}
loadX(`
class B50 {
  #priv() {}
}
`)
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 js::frontend::ParserAtomEntry::isIndex (this=0x0, indexp=0x7fffffff92fc) at js/src/frontend/ParserAtom.cpp:134
#1 0x0000555556f905d9 in js::frontend::ParserAtomEntry::isIndex (this=0x0) at js/src/frontend/ParserAtom.h:290
#2 js::frontend::ParserAtomEntry::asName (this=0x0) at js/src/frontend/ParserAtom.h:339
#3 0x000055555749f5f9 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classMember (this=0x7fffffffa7c0, yieldHandling=<optimized out>, classStmt=..., className=0x7fff00000000, classStartOffset=3, hasHeritage=js::frontend::HasHeritage::No, classInitializedMembers=..., classMembers=@0x7fffffff9518: 0x7ffff5663090, done=0x7fffffff94ef) at js/src/frontend/Parser.cpp:7330
#4 0x000055555748dce0 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classDefinition (this=0x7fffffffa7c0, yieldHandling=js::frontend::YieldIsName, classContext=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::ClassStatement, defaultHandling=<optimized out>) at js/src/frontend/Parser.cpp:7526
#5 0x0000555557488603 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=0x7fffffffa7c0, yieldHandling=js::frontend::YieldIsName, canHaveDirectives=true) at js/src/frontend/Parser.cpp:8579
#6 0x00005555574864b5 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=<optimized out>, yieldHandling=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3779
#7 0x00005555574bd810 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::moduleBody (this=0x7fffffffa7c0, modulesc=<optimized out>) at js/src/frontend/Parser.cpp:1698
#8 0x0000555557509746 in js::frontend::ModuleCompiler<char16_t>::compile (this=0x7fffffffa210, compilationInfo=..., gcOutput=...) at js/src/frontend/BytecodeCompiler.cpp:609
#9 0x00005555574d452f in InternalParseModule<char16_t> (cx=<optimized out>, optionsInput=..., srcBuf=..., gcOutput=...) at js/src/frontend/BytecodeCompiler.cpp:764
#10 js::frontend::ParseModule (cx=<optimized out>, optionsInput=..., srcBuf=..., gcOutput=...) at js/src/frontend/BytecodeCompiler.cpp:779
#11 0x00005555574d4fd3 in CreateModule<char16_t> (cx=0x7ffff6027000, options=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:800
#12 js::frontend::CompileModule (cx=0x7ffff6027000, options=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:817
#13 0x0000555556b74a66 in ParseModule (cx=0x7ffff6027000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:4954
#14 0x00000556bde1e16f in ?? ()
#15 0x5ae8154b79719500 in ?? ()
#16 0x00007fffffffb158 in ?? ()
#17 0x0000000000000008 in ?? ()
#18 0x0000000000000000 in ?? ()
rax 0x5ae8154b79719500 6550509071914603776
rbx 0x0 0
rcx 0x5ae8154b79719500 6550509071914603776
rdx 0x7fffffff92fc 140737488327420
rsi 0x7fffffff92fc 140737488327420
rdi 0x0 0
rbp 0x7fffffff9310 140737488327440
rsp 0x7fffffff92e8 140737488327400
r8 0x0 0
r9 0x7ffff6027000 140737320742912
r10 0x37207d04 924876036
r11 0xce08 52744
r12 0x7fffffff93c8 140737488327624
r13 0x0 0
r14 0x7ffff5663108 140737310503176
r15 0x7ffff56630d0 140737310503120
rip 0x55555753cfb3 <js::frontend::ParserAtomEntry::isIndex(unsigned int*) const+3>
=> 0x55555753cfb3 <js::frontend::ParserAtomEntry::isIndex(unsigned int*) const+3>: mov 0x8(%rdi),%esi
0x55555753cfb6 <js::frontend::ParserAtomEntry::isIndex(unsigned int*) const+6>: lea -0x1(%rsi),%eax
Comment 1•4 years ago (Reporter)
Comment 2•4 years ago
Something is up with parser atoms here:
const ParserAtom* storedMethodAtom =
    storedMethodName.finishParserAtom(this->compilationInfo_);
const ParserName* storedMethodProp = storedMethodAtom->asName();
Missing OOM handling it seems.
Flags: needinfo?(kvijayan)
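The following is an added example, not code from this bug or from SpiderMonkey. It is a small C++ model of the two things this thread turns on: an oomTest-style fault injector that fails the first, second, ... fallible allocation in turn (the harness the reporter's testcase runs under), and the unchecked versus checked shape of the member-storing code quoted in comment 2. ParserAtom, ParserName, AtomTable, finishParserAtom, appendMember and sweepOomPoints are stand-ins constructed here; the real type and method names are reused only for readability, and the checked path's `false` return is this example's convention for propagating OOM.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Fault injector in the spirit of the shell's oomTest(): the failAt-th fallible
// allocation fails, every other one succeeds; failAt == 0 disables injection.
struct OomInjector {
  size_t failAt = 0;
  size_t seen = 0;
  bool hit = false;
  bool shouldFail() {
    if (failAt == 0) return false;
    if (++seen == failAt) { hit = true; return true; }
    return false;
  }
};

struct ParserName;

// Hypothetical stand-ins for ParserAtomEntry / ParserName (not SpiderMonkey's types).
struct ParserAtom {
  std::string chars;
  explicit ParserAtom(std::string s) : chars(std::move(s)) {}
  // Reads a member through `this`: on a null atom this is the faulting load
  // seen in frame #0 of the reported backtrace.
  bool isIndex() const {
    return !chars.empty() && chars.find_first_not_of("0123456789") == std::string::npos;
  }
  const ParserName* asName() const;
};
struct ParserName : ParserAtom { using ParserAtom::ParserAtom; };
const ParserName* ParserAtom::asName() const {
  assert(!isIndex());  // only non-index atoms are names
  return static_cast<const ParserName*>(this);
}

// Owns interned atoms. finishParserAtom() is fallible and returns nullptr on
// (injected) allocation failure, the contract the crash site ignored.
struct AtomTable {
  OomInjector& oom;
  std::vector<std::unique_ptr<ParserName>> atoms;
  const ParserAtom* finishParserAtom(const std::string& chars) {
    if (oom.shouldFail()) return nullptr;
    atoms.push_back(std::make_unique<ParserName>(chars));
    return atoms.back().get();
  }
};

struct ClassMembers { std::vector<const ParserName*> methods; };

// A second fallible step, standing in for appending the method to the member list.
bool appendMember(OomInjector& oom, ClassMembers& members, const ParserName* name) {
  if (oom.shouldFail()) return false;
  members.methods.push_back(name);
  return true;
}

// Shape of the code quoted in comment 2: the nullptr returned on OOM flows
// straight into asName(). Only ever called here with injection disabled.
const ParserName* storeMethodUnchecked(AtomTable& table, const std::string& name) {
  const ParserAtom* storedMethodAtom = table.finishParserAtom(name);
  return storedMethodAtom->asName();  // null dereference when the atom was not created
}

// Hardened shape: each fallible step is checked and failure is propagated as
// `false`, so the caller unwinds instead of touching a null atom.
bool storeMethodChecked(AtomTable& table, ClassMembers& members, const std::string& name) {
  const ParserAtom* storedMethodAtom = table.finishParserAtom(name);
  if (!storedMethodAtom) return false;  // the check the fix adds
  const ParserName* storedMethodProp = storedMethodAtom->asName();
  return appendMember(table.oom, members, storedMethodProp);
}

// oomTest-style sweep over the checked path: fail allocation 1, 2, ... in turn
// until a run injects nothing, meaning every allocation point was exercised.
// Returns the number of injection points at which failure was reported, or -1
// if the path claimed success after an allocation had been failed.
int sweepOomPoints(const std::string& methodName) {
  int points = 0;
  for (size_t failAt = 1;; ++failAt) {
    OomInjector oom{failAt};
    AtomTable table{oom};
    ClassMembers members;
    bool ok = storeMethodChecked(table, members, methodName);
    if (!oom.hit) return ok ? points : -1;  // clean run: sweep complete
    if (ok) return -1;                       // silent OOM: a missing check
    ++points;
  }
}

// Both paths with injection disabled, for comparison with the sweep above.
std::string nameViaUnchecked(const std::string& name) {
  OomInjector oom;
  AtomTable table{oom};
  return storeMethodUnchecked(table, name)->chars;
}
int membersViaChecked(const std::string& name) {
  OomInjector oom;
  AtomTable table{oom};
  ClassMembers members;
  return storeMethodChecked(table, members, name) ? static_cast<int>(members.methods.size()) : -1;
}

int main() {
  std::printf("OOM points covered by the checked path: %d\n", sweepOomPoints("priv"));
}
```

With the two fallible steps modelled here, sweepOomPoints("priv") reports 2: the injector fails the atom creation on the first run and the member append on the second, and the checked path returns false both times instead of dereferencing the null atom. Running the same sweep over storeMethodUnchecked would reproduce the SIGSEGV at the first injection point, which is exactly what the reporter's oomTest wrapper around parseModule does in the real engine.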
Updated•4 years ago
Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect,confirmed]
Comment 3•4 years ago
Bugmon Analysis:
Unable to reproduce bug using the following builds:
> mozilla-central 20200831215215-93d8458a0c4d
> mozilla-central 20200831091558-b4055ac79297
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Comment 4•4 years ago (Assignee)
(In reply to Matthew Gaudet (he/him) [:mgaudet] from comment #2)
> Something is up with parser atoms here:
> const ParserAtom* storedMethodAtom =
>     storedMethodName.finishParserAtom(this->compilationInfo_);
> const ParserName* storedMethodProp = storedMethodAtom->asName();
> Missing OOM handling it seems.
Thanks Matthew.
Comment 5•4 years ago (Assignee)
Updated•4 years ago
Assignee: nobody → kvijayan
Status: NEW → ASSIGNED
Pushed by kvijayan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f90f01b99ece OOM check in parser. r=mgaudet DONTBUILD
Comment 7•4 years ago
Updated•4 years ago
Severity: -- → S4
Priority: -- → P1
Pushed by kvijayan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e7f884691bf5 OOM check in parser. r=mgaudet
Comment 9•4 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
Updated•4 years ago
status-firefox80:
--- → wontfix
status-firefox81:
--- → wontfix
status-firefox-esr68:
--- → wontfix
status-firefox-esr78:
--- → wontfix
Flags: needinfo?(kvijayan) → in-testsuite+