Closed Bug 884920 Opened 8 years ago Closed 8 years ago

Crash [@ js::frontend::EmitTree]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla25
Tracking Status
firefox24 --- affected
firefox-esr24 - affected

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision d2a7cfa34154 (no options required):


function testcase({}, a = b, ... x)  {
  "use strict";
  function f() { };
  with ( f(3) );
}
Crash trace:


Program received signal SIGSEGV, Segmentation fault.
0x00000000004402e3 in js::frontend::EmitTree (cx=0x18741a0, bce=0x7fffffffbf10, pn=0x1893a00) at js/src/frontend/BytecodeEmitter.cpp:5696
5696                    while (rest->pn_next != pnlast)
#0  0x00000000004402e3 in js::frontend::EmitTree (cx=0x18741a0, bce=0x7fffffffbf10, pn=0x1893a00) at js/src/frontend/BytecodeEmitter.cpp:5696
#1  0x0000000000442e4d in EmitTree (pn=0x1893a00, bce=0x7fffffffbf10, cx=0x18741a0) at js/src/frontend/BytecodeEmitter.cpp:5631
#2  EmitFunctionScript (body=0x1893a00, bce=0x7fffffffbf10, cx=0x18741a0) at js/src/frontend/BytecodeEmitter.cpp:2585
#3  EmitFunc (cx=0x18741a0, bce=0x7fffffffc3a0, pn=0x1893668) at js/src/frontend/BytecodeEmitter.cpp:4568
#4  0x000000000043ed16 in js::frontend::EmitTree (cx=0x18741a0, bce=0x7fffffffc3a0, pn=0x1893668) at js/src/frontend/BytecodeEmitter.cpp:5645
#5  0x0000000000a2b98b in js::frontend::CompileScript (cx=0x18741a0, scopeChain=..., evalCaller=0x0, options=..., chars=0x1885800, length=<optimized out>, source_=0x0, staticLevel=0, extraSct=0x0) at js/src/frontend/BytecodeCompiler.cpp:311
#6  0x000000000059b252 in JS::Compile (cx=0x18741a0, obj=(JSObject * const) 0x7ffff5e4d060 [object global] delegate, options=..., chars=0x1885800, length=99) at js/src/jsapi.cpp:5336
#7  0x000000000059b5cc in JS::Compile (cx=0x18741a0, obj=(JSObject * const) 0x7ffff5e4d060 [object global] delegate, options=..., bytes=<optimized out>, length=99) at js/src/jsapi.cpp:5351
rdx     0x0     0
=> 0x4402e3 <js::frontend::EmitTree(JSContext*, js::frontend::BytecodeEmitter*, js::frontend::ParseNode*)+5971>:        mov    0x10(%rdx),%rax
Whiteboard: [jsbugmon:update,bisect]
Crash Signature: [@ js::frontend::EmitTree] → [@ js::frontend::EmitTree(JSContext*, js::frontend::BytecodeEmitter*, js::frontend::ParseNode*) ]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/ce43d28276e4
user:        Brian Hackett
date:        Fri Jun 14 05:58:28 2013 -0600
summary:     Bug 678037 - Enable lazy JS parsing and fix various bugs, r=waldo,evilpie,nobody.

This iteration took 11.878 seconds to run.
Needinfo from Brian based on comment 3 :)
Flags: needinfo?(bhackett1024)
Another testcase:

function d(c = (function h() {
    return {
        r: (1 for (x in []))
    }
}), ...x) {
    "use strict"
}
Keywords: regression
If we abort a syntax parse then the tokenStream's lastFunctionKeyword isn't reset and the restarted parse gets confused --- it parses the inner function as if it's the outer function.  lastFunctionKeyword is pretty hacky, and with the current state of the parser is totally unnecessary --- it lets the parser find the position of the last |function|, but the parser only ever tries to do this immediately after it gets a |function| token.  The attached patch removes this field.
Assignee: general → bhackett1024
Attachment #766456 - Flags: review?(luke)
Flags: needinfo?(bhackett1024)
Attachment #766456 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/2c6a7766ae44
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Comment on attachment 766456 [details] [diff] [review]
nuke lastFunctionKeyword

[Approval Request Comment]
User impact if declined: See comment 9
Fix Landed on Version: 25
Risk to taking this patch (and alternatives if risky): none
Attachment #766456 - Flags: approval-mozilla-esr24?
Flags: needinfo?(bhackett1024)
Comment on attachment 766456 [details] [diff] [review]
nuke lastFunctionKeyword

Actually, that's explicitly not how the ESR branch works and this doesn't meet the criteria[1].  Especially considering the low volume of crashes, this will be in the next major update.  

[1] https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
Attachment #766456 - Flags: approval-mozilla-esr24? → approval-mozilla-esr24-
You need to log in before you can comment on or make changes to this bug.