Closed Bug 972961 Opened 6 years ago Closed 6 years ago

Crash [@ js::frontend::ParseNode::getKind] with over-recursion through [@ ContainsVarOrConst]

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux

Tracking

RESOLVED FIXED
mozilla30
Tracking Status
firefox30 --- affected

People

(Reporter: decoder, Assigned: jorendorff)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 6687d299c464 (threadsafe build, run with --fuzzing-safe):


eval('if (null) {' + Array(0xdbaa).join(("a.b.c")) + '}');
Crash Signature: [@ js::frontend::ParseNode::getKind] with over-recursion through [@ ContainsVarOrConst] → [@ js::frontend::ParseNode::getKind] [@ ContainsVarOrConst]
Whiteboard: [jsbugmon:update,bisect]
Crash Signature: [@ js::frontend::ParseNode::getKind] [@ ContainsVarOrConst] → [@ js::frontend::ParseNode::getKind] [@ ContainsVarOrConst]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Constant folding is overflowing the stack doing a recursive walk of the AST.
Assignee: nobody → jorendorff
straightforward fix, devious test
Attachment #8377684 - Flags: review?(luke)
Comment on attachment 8377684 [details] [diff] [review]
bug-972961-recursion-v1.patch

That is quite a test, there.
Attachment #8377684 - Flags: review?(luke) → review+
Just wondering, is this ready for landing?
Flags: needinfo?(jorendorff)
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
I have a stack of random stuff to land.

One last Try server test is respinning: https://tbpl.mozilla.org/?tree=Try&rev=711af7610af3
Flags: needinfo?(jorendorff)
Windows didn't like the test. I put a cap on the stack depth to avoid timing out.

https://hg.mozilla.org/integration/mozilla-inbound/rev/236e257bf505
https://hg.mozilla.org/mozilla-central/rev/236e257bf505
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
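
The failure mode discussed in this bug, a recursive AST walk overflowing the stack on a very long dot chain, shown with two common hardenings (a recursion budget, or a heap worklist) as an added C++ example. It is not the landed patch or SpiderMonkey code; `Node`, `buildDotChain`, `containsVarGuarded`, `containsVarIterative`, the 100000-access input and the budget of 1000 are assumptions made for illustration.

```cpp
// Added illustration; all names here are hypothetical, not SpiderMonkey code.
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

enum class Kind { Name, Dot, Var };
struct Node { Kind kind; const Node* left; const Node* right; };

// Left-nested tree for "x.p.p.p..." with `dots` accesses, held in a flat arena.
std::vector<Node> buildDotChain(std::size_t dots) {
    std::vector<Node> arena;
    arena.reserve(dots + 1);  // no reallocation, so node pointers stay valid
    arena.push_back({Kind::Name, nullptr, nullptr});
    for (std::size_t i = 0; i < dots; ++i)
        arena.push_back({Kind::Dot, &arena.back(), nullptr});
    return arena;  // the root is arena.back()
}

// Recursive walk with a depth budget: over-deep input is rejected with an
// error instead of exhausting the native stack.
bool containsVarGuarded(const Node* n, std::size_t budget) {
    if (!n) return false;
    if (budget == 0) throw std::length_error("too much recursion");
    if (n->kind == Kind::Var) return true;
    return containsVarGuarded(n->left, budget - 1) ||
           containsVarGuarded(n->right, budget - 1);
}

// Same query with a heap worklist: depth is limited by memory, not stack size.
bool containsVarIterative(const Node* root) {
    std::vector<const Node*> work{root};
    while (!work.empty()) {
        const Node* n = work.back();
        work.pop_back();
        if (!n) continue;
        if (n->kind == Kind::Var) return true;
        work.push_back(n->left);
        work.push_back(n->right);
    }
    return false;
}

int main() {
    std::vector<Node> deep = buildDotChain(100000);  // constructed input
    std::printf("iterative: %d\n", containsVarIterative(&deep.back()));
    try { containsVarGuarded(&deep.back(), 1000); }
    catch (const std::length_error& e) { std::printf("guarded: %s\n", e.what()); }
    return 0;
}
```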