Closed Bug 862228 Opened 12 years ago Closed 12 years ago

Crash [@ JSFlatString::isIndex] or [@ js::frontend::Parser] or Assertion failure: JSString::isLinear(), at vm/String.h or Assertion failure: !isIndex(&dummy), at vm/String.h

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla23

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Crash Data

Attachments

(3 files)

stack
7.42 KB, text/plain
Details
stack for assertion
6.74 KB, text/plain
Details
patch
1.40 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review
Attached file stack
({"":y=""}= crashes js debug shell on m-c changeset 1d9c510b3742 without any CLI arguments at JSFlatString::isIndex with js::frontend::Parser on the stack. Fuzzblocker since this just broke the fuzzers. Tested on a 32-bit non-deterministic non-threadsafe build. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 128791:bd17606091d2 parent: 128764:53c2e7b9753b user: Brian Hackett date: Mon Apr 15 06:02:16 2013 -0600 summary: Bug 845596 - Keep track of free variables during syntax parsing, r=jorendorff.
Attached file stack for assertion
({x:/x/}= Assertion failure: JSString::isLinear(), at vm/String.h
Keywords: assertion
Summary: Crash [@ JSFlatString::isIndex] or [@ js::frontend::Parser] → Crash [@ JSFlatString::isIndex] or [@ js::frontend::Parser] or Assertion failure: JSString::isLinear(), at vm/String.h
({y:"7"}= Assertion failure: !isIndex(&dummy), at vm/String.h
Summary: Crash [@ JSFlatString::isIndex] or [@ js::frontend::Parser] or Assertion failure: JSString::isLinear(), at vm/String.h → Crash [@ JSFlatString::isIndex] or [@ js::frontend::Parser] or Assertion failure: JSString::isLinear(), at vm/String.h or Assertion failure: !isIndex(&dummy), at vm/String.h
Attached patch patchSplinter Review
One of the name roots added was derived from a node that might not always be a property name.
Attachment #737904 - Flags: review?(jorendorff)
Since this seems to be affecting the fuzzers a lot and the fix is trivial, pushing to inbound pending review: https://hg.mozilla.org/integration/mozilla-inbound/rev/1347f8fd9726
Comment on attachment 737904 [details] [diff] [review] patch Review of attachment 737904 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit-test/tests/basic/bug862228.js @@ +1,1 @@ > +// |jit-test| error: ReferenceError Shouldn't it be a SyntaxError?
Attachment #737904 - Flags: review?(jorendorff) → review+
> Shouldn't it be a SyntaxError? I checked with older builds and they seem to show the following error with the testcases: ReferenceError: invalid assignment left-hand side
https://hg.mozilla.org/mozilla-central/rev/1347f8fd9726
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Assignee: general → bhackett1024
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: