Bug 884920 - Crash [@ js::frontend::EmitTree]
Status: Closed (RESOLVED FIXED), target milestone mozilla25
Opened 12 years ago, closed 12 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Assigned: bhackett1024
Keywords: crash, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments (2 files):
- 675 bytes, text/plain
- 6.44 KB, patch (luke: review+; lsblakk: approval-mozilla-esr24-)
The following testcase crashes on mozilla-central revision d2a7cfa34154 (no options required):
function testcase({}, a = b, ... x) {
"use strict";
function f() { };
with ( f(3) );
}
Comment 1•12 years ago (Reporter)
Comment 2•12 years ago (Reporter)
Crash trace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000004402e3 in js::frontend::EmitTree (cx=0x18741a0, bce=0x7fffffffbf10, pn=0x1893a00) at js/src/frontend/BytecodeEmitter.cpp:5696
5696 while (rest->pn_next != pnlast)
#0 0x00000000004402e3 in js::frontend::EmitTree (cx=0x18741a0, bce=0x7fffffffbf10, pn=0x1893a00) at js/src/frontend/BytecodeEmitter.cpp:5696
#1 0x0000000000442e4d in EmitTree (pn=0x1893a00, bce=0x7fffffffbf10, cx=0x18741a0) at js/src/frontend/BytecodeEmitter.cpp:5631
#2 EmitFunctionScript (body=0x1893a00, bce=0x7fffffffbf10, cx=0x18741a0) at js/src/frontend/BytecodeEmitter.cpp:2585
#3 EmitFunc (cx=0x18741a0, bce=0x7fffffffc3a0, pn=0x1893668) at js/src/frontend/BytecodeEmitter.cpp:4568
#4 0x000000000043ed16 in js::frontend::EmitTree (cx=0x18741a0, bce=0x7fffffffc3a0, pn=0x1893668) at js/src/frontend/BytecodeEmitter.cpp:5645
#5 0x0000000000a2b98b in js::frontend::CompileScript (cx=0x18741a0, scopeChain=..., evalCaller=0x0, options=..., chars=0x1885800, length=<optimized out>, source_=0x0, staticLevel=0, extraSct=0x0) at js/src/frontend/BytecodeCompiler.cpp:311
#6 0x000000000059b252 in JS::Compile (cx=0x18741a0, obj=(JSObject * const) 0x7ffff5e4d060 [object global] delegate, options=..., chars=0x1885800, length=99) at js/src/jsapi.cpp:5336
#7 0x000000000059b5cc in JS::Compile (cx=0x18741a0, obj=(JSObject * const) 0x7ffff5e4d060 [object global] delegate, options=..., bytes=<optimized out>, length=99) at js/src/jsapi.cpp:5351
rdx 0x0 0
=> 0x4402e3 <js::frontend::EmitTree(JSContext*, js::frontend::BytecodeEmitter*, js::frontend::ParseNode*)+5971>: mov 0x10(%rdx),%rax
Whiteboard: [jsbugmon:update,bisect]
Updated•12 years ago
Crash Signature: [@ js::frontend::EmitTree] → [@ js::frontend::EmitTree(JSContext*, js::frontend::BytecodeEmitter*, js::frontend::ParseNode*) ]
Updated•12 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3•12 years ago (Reporter)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/ce43d28276e4
user: Brian Hackett
date: Fri Jun 14 05:58:28 2013 -0600
summary: Bug 678037 - Enable lazy JS parsing and fix various bugs, r=waldo,evilpie,nobody.
This iteration took 11.878 seconds to run.
Comment 4•12 years ago (Reporter)
Needinfo from Brian based on comment 3 :)
Flags: needinfo?(bhackett1024)
Comment 5•12 years ago
Another testcase:
function d(c = (function h() {
return {
r: (1 for (x in []))
}
}), ...x) {
"use strict"
}
Keywords: regression
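A small regression harness for the two testcases quoted in this bug, added here as an example (it is not from the bug or from SpiderMonkey): it runs each testcase through a JS shell command you supply (the `js` binary path is an assumption) and reports whether the child process died by signal, which is the verdict a crash like the one traced above produces.

```python
import os
import signal
import subprocess
import tempfile

# The two crashing testcases from comment 0 and comment 5 of this bug, verbatim.
TESTCASES = {
    "comment0": (
        "function testcase({}, a = b, ... x) {\n"
        '"use strict";\n'
        "function f() { };\n"
        "with ( f(3) );\n"
        "}\n"
    ),
    "comment5": (
        "function d(c = (function h() {\n"
        "return {\n"
        "r: (1 for (x in []))\n"
        "}\n"
        "}), ...x) {\n"
        '"use strict"\n'
        "}\n"
    ),
}


def classify(returncode):
    """subprocess reports death-by-signal as a negative code (-11 for SIGSEGV);
    a positive non-zero code is an ordinary error such as a SyntaxError."""
    if returncode < 0:
        return "crash:" + signal.Signals(-returncode).name
    return "ok" if returncode == 0 else "error"


def run_testcase(command, source, timeout=60):
    """Write `source` to a temp .js file and run `command + [path]`."""
    with tempfile.NamedTemporaryFile("w", suffix=".js", delete=False) as f:
        f.write(source)
        path = f.name
    try:
        proc = subprocess.run(list(command) + [path], capture_output=True, timeout=timeout)
        return classify(proc.returncode)
    finally:
        os.unlink(path)


def check_all(command):
    """Run every embedded testcase; any 'crash:*' verdict means the bug is back."""
    return {name: run_testcase(command, src) for name, src in TESTCASES.items()}


if __name__ == "__main__":
    import sys
    # Assumed invocation: python harness.py /path/to/js (shell path is not from the bug).
    for name, verdict in check_all(sys.argv[1:] or ["js"]).items():
        print(name, verdict)
```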
Comment 6•12 years ago (Assignee)
If we abort a syntax parse then the tokenStream's lastFunctionKeyword isn't reset and the restarted parse gets confused --- it parses the inner function as if it's the outer function. lastFunctionKeyword is pretty hacky, and with the current state of the parser is totally unnecessary --- it lets the parser find the position of the last |function|, but the parser only ever tries to do this immediately after it gets a |function| token. The attached patch removes this field.
Assignee: general → bhackett1024
Attachment #766456 - Flags: review?(luke)
Flags: needinfo?(bhackett1024)
Updated•12 years ago
Attachment #766456 - Flags: review?(luke) → review+
Comment 7•12 years ago (Assignee)
Comment 8•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Updated•12 years ago (Reporter)
status-firefox24: --- → affected
Comment 9•11 years ago
Let's backport this to ESR 24, although the crash volume is low (~20 crashes in the past month, about 5 a week - see URL), a crash is a crash is a crash, and there's a patch here anyway.
https://crash-stats.mozilla.com/query/?product=Firefox&version=Firefox%3A24.2.0esr&version=Firefox%3A24.1.1esr&version=Firefox%3A24.1.0esr&version=Firefox%3A24.0esr&version=Firefox%3A24.0&range_value=1&range_unit=weeks&date=12%2F26%2F2013+22%3A00%3A00&query_search=signature&query_type=contains&query=js%3A%3Afrontend%3A%3AEmitTree&reason=&release_channels=&build_id=&process_type=any&hang_type=any
Comment 10•11 years ago (Assignee)
Comment on attachment 766456 [details] [diff] [review]
nuke lastFunctionKeyword
[Approval Request Comment]
User impact if declined: See comment 9
Fix Landed on Version: 25
Risk to taking this patch (and alternatives if risky): none
Attachment #766456 - Flags: approval-mozilla-esr24?
Flags: needinfo?(bhackett1024)
Updated•11 years ago
Comment 11•11 years ago
Comment on attachment 766456 [details] [diff] [review]
nuke lastFunctionKeyword
Actually, that's explicitly not how the ESR branch works and this doesn't meet the criteria[1]. Especially considering the low volume of crashes, this will be in the next major update.
[1] https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
Attachment #766456 - Flags: approval-mozilla-esr24? → approval-mozilla-esr24-