Closed
Bug 972961
Opened 11 years ago
Closed 11 years ago
Crash [@ js::frontend::ParseNode::getKind] with over-recursion through [@ ContainsVarOrConst]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla30
| | Tracking | Status |
|---|---|---|
| firefox30 | --- | affected |
People
(Reporter: decoder, Assigned: jorendorff)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:])
Crash Data
Attachments
(2 files)
317 bytes, text/plain
5.58 KB, patch (luke: review+)
The following testcase crashes on mozilla-central revision 6687d299c464 (threadsafe build, run with --fuzzing-safe):
eval('if (null) {' + Array(0xdbaa).join(("a.b.c")) + '}');
Comment 1 • 11 years ago (Reporter)
Updated • 11 years ago (Reporter)
Crash Signature: [@ js::frontend::ParseNode::getKind] with over-recursion through [@ ContainsVarOrConst] → [@ js::frontend::ParseNode::getKind]
[@ ContainsVarOrConst]
status-firefox30:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
Updated • 11 years ago (Reporter)
Crash Signature: [@ js::frontend::ParseNode::getKind]
[@ ContainsVarOrConst] → [@ js::frontend::ParseNode::getKind]
[@ ContainsVarOrConst]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 2 • 11 years ago (Reporter)
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 3 • 11 years ago (Assignee)
Constant folding is overflowing the stack doing a recursive walk of the AST.
Assignee: nobody → jorendorff
Crash Signature: [@ js::frontend::ParseNode::getKind]
[@ ContainsVarOrConst] → [@ js::frontend::ParseNode::getKind]
[@ ContainsVarOrConst]
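An added example, not code from this bug, its patch, or SpiderMonkey: a minimal model of the failure mode named in comment 3, where the depth of a recursive AST walk is controlled by the input. The `Node` type, the `containsVar*` functions and the `kMaxDepth` limit are hypothetical; the sketch builds a left-nested member-access chain like the one the testcase's long `a.b.c...` string produces and walks it once with a depth-checked recursion and once with an explicit work list.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical toy AST: each Dot node wraps its object expression, so every
// extra ".name" in the source adds one level of nesting.
enum class Kind { Name, Dot, Var };
struct Node { Kind kind; const Node* child; };  // child is null for leaves

// Constructed input: a left-nested chain of `dots` member accesses.
std::vector<Node> buildDotChain(std::size_t dots, Kind leaf = Kind::Name) {
    std::vector<Node> nodes(dots + 1);
    nodes[0] = {leaf, nullptr};
    for (std::size_t i = 1; i <= dots; ++i) nodes[i] = {Kind::Dot, &nodes[i - 1]};
    return nodes;  // the root is nodes.back()
}

enum class Walk { No, Yes, TooDeep };
constexpr std::size_t kMaxDepth = 1000;  // assumed limit for this sketch

// Recursive walk with a depth check: reports TooDeep instead of recursing
// until the native stack is exhausted.
Walk containsVarChecked(const Node* n, std::size_t depth = 0) {
    if (!n) return Walk::No;
    if (n->kind == Kind::Var) return Walk::Yes;
    if (depth >= kMaxDepth) return Walk::TooDeep;
    return containsVarChecked(n->child, depth + 1);
}

// The same question answered with a loop and a heap-allocated work list, so
// input depth no longer translates into native stack frames.
bool containsVarIterative(const Node* root) {
    std::vector<const Node*> work{root};
    while (!work.empty()) {
        const Node* n = work.back();
        work.pop_back();
        if (!n) continue;
        if (n->kind == Kind::Var) return true;
        work.push_back(n->child);
    }
    return false;
}

int main() {
    std::vector<Node> deep = buildDotChain(200000);  // constructed depth
    std::printf("checked: %d, iterative: %d\n",
                static_cast<int>(containsVarChecked(&deep.back())),
                static_cast<int>(containsVarIterative(&deep.back())));
    return 0;
}
```

The depth-checked walk has to treat `TooDeep` as an error the caller reports, while the iterative walk still gives a definite answer for the same input.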
Comment 4 • 11 years ago (Assignee)
straightforward fix, devious test
Attachment #8377684 -
Flags: review?(luke)
Comment 5 • 11 years ago
Comment on attachment 8377684: bug-972961-recursion-v1.patch
That is quite a test, there.
Attachment #8377684 -
Flags: review?(luke) → review+
Updated • 11 years ago (Reporter)
Crash Signature: [@ js::frontend::ParseNode::getKind]
[@ ContainsVarOrConst] → [@ js::frontend::ParseNode::getKind]
[@ ContainsVarOrConst]
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 7 • 11 years ago (Assignee)
I have a stack of random stuff to land.
One last Try server test is respinning: https://tbpl.mozilla.org/?tree=Try&rev=711af7610af3
Crash Signature: [@ js::frontend::ParseNode::getKind]
[@ ContainsVarOrConst] → [@ js::frontend::ParseNode::getKind]
[@ ContainsVarOrConst]
Flags: needinfo?(jorendorff)
Comment 8 • 11 years ago (Assignee)
Windows didn't like the test. I put a cap on the stack depth to avoid timing out.
https://hg.mozilla.org/integration/mozilla-inbound/rev/236e257bf505
Comment 9 • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla30