Closed Bug 1233115 Opened 10 years ago Closed 10 years ago

Crash [@ getKind] or Crash [@ js::frontend::FullParseHandler::addClassMethodDefinition]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla46
Tracking Flags:
Tracking Status
firefox46 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

Patch
1.50 KB, patch
efaust
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision 749f9328dd76 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2): oomTest(() => { offThreadCompileScript(` function f(x) { class of extends ("ABCDEFGHIJK") { test () { return true; }; static get() {}; static get() {}; } return 1 + f(x - 1); } return g("try{}catch(e){}", n) `); runOffThreadScript(); }); Backtrace: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7ffff5ec4700 (LWP 2662)] 0x00000000004d9116 in getKind (this=<optimized out>) at js/src/frontend/ParseNode.h:550 #0 0x00000000004d9116 in getKind (this=<optimized out>) at js/src/frontend/ParseNode.h:550 #1 isKind (kind=js::frontend::PNK_CLASSMETHODLIST, this=<optimized out>) at js/src/frontend/ParseNode.h:557 #2 addClassMethodDefinition (isStatic=false, op=JSOP_INITPROP, fn=0x7ffff3c7e278, key=0x7ffff3c7e240, methodList=<optimized out>, this=0x7ffff5ec3910) at js/src/frontend/FullParseHandler.h:414 #3 js::frontend::Parser<js::frontend::FullParseHandler>::classDefinition (this=this@entry=0x7ffff5ec33e0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, classContext=classContext@entry=js::frontend::Parser<js::frontend::FullParseHandler>::ClassStatement, defaultHandling=defaultHandling@entry=js::frontend::NameRequired) at js/src/frontend/Parser.cpp:6653 #4 0x00000000004fec0a in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=this@entry=0x7ffff5ec33e0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:6914 #5 0x00000000004ff141 in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0x7ffff5ec33e0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3306 #6 0x00000000004ff50b in js::frontend::Parser<js::frontend::FullParseHandler>::functionBody (this=this@entry=0x7ffff5ec33e0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=kind@entry=js::frontend::Statement, type=type@entry=js::frontend::Parser<js::frontend::FullParseHandler>::StatementListBody) at js/src/frontend/Parser.cpp:1325 #7 0x00000000004ff9f0 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric (this=this@entry=0x7ffff5ec33e0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, pn=pn@entry=0x7ffff3c7e058, fun=fun@entry=..., kind=kind@entry=js::frontend::Statement) at js/src/frontend/Parser.cpp:2999 #8 0x00000000004d7335 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody (this=this@entry=0x7ffff5ec33e0, inHandling=inHandling@entry=js::frontend::InAllowed, pn=0x7ffff3c7e058, fun=..., fun@entry=..., kind=kind@entry=js::frontend::Statement, generatorKind=generatorKind@entry=js::NotGenerator, inheritedDirectives=..., newDirectives=newDirectives@entry=0x7ffff5ec2600) at js/src/frontend/Parser.cpp:2802 #9 0x00000000004ffdda in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=this@entry=0x7ffff5ec33e0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funName=..., funName@entry=..., kind=kind@entry=js::frontend::Statement, generatorKind=generatorKind@entry=js::NotGenerator, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:2634 #10 0x00000000005000a9 in js::frontend::Parser<js::frontend::FullParseHandler>::functionStmt (this=this@entry=0x7ffff5ec33e0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, defaultHandling=defaultHandling@entry=js::frontend::NameRequired) at js/src/frontend/Parser.cpp:3083 #11 0x00000000004fec3d in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=this@entry=0x7ffff5ec33e0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:6908 #12 0x00000000004ff141 in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0x7ffff5ec33e0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3306 #13 0x00000000004d68ba in js::frontend::Parser<js::frontend::FullParseHandler>::globalBody (this=this@entry=0x7ffff5ec33e0) at js/src/frontend/Parser.cpp:1055 #14 0x0000000000b9f778 in BytecodeCompiler::compileScript (this=this@entry=0x7ffff5ec2d70, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:527 #15 0x0000000000b9fdeb in js::frontend::CompileScript (cx=cx@entry=0x7ffff45028b0, alloc=alloc@entry=0x7ffff46d77c8, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=source_@entry=0x0, extraSct=extraSct@entry=0x0, sourceObjectOut=sourceObjectOut@entry=0x7ffff46d7838) at js/src/frontend/BytecodeCompiler.cpp:738 #16 0x0000000000a12547 in js::HelperThread::handleParseWorkload (this=this@entry=0x7ffff6933600) at js/src/vm/HelperThreads.cpp:1388 #17 0x0000000000a13b0e in js::HelperThread::threadLoop (this=0x7ffff6933600) at js/src/vm/HelperThreads.cpp:1584 #18 0x0000000000a94ee1 in nspr::Thread::ThreadRoutine (arg=0x7ffff692e140) at js/src/vm/PosixNSPR.cpp:45 #19 0x00007ffff7bc4182 in start_thread (arg=0x7ffff5ec4700) at pthread_create.c:312 #20 0x00007ffff6cb3fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 rax 0x0 0 rbx 0x7ffff5ec3410 140737319285776 rcx 0x6 6 rdx 0x5d 93 rsi 0x0 0 rdi 0x6 6 rbp 0x7ffff5ec1f20 140737319280416 rsp 0x7ffff5ec1d30 140737319279920 r8 0x0 0 r9 0x7ffff6a00f38 140737331072824 r10 0x7ffff5ec12a0 140737319277216 r11 0x9d446772 2638505842 r12 0x7ffff3c7e278 140737283351160 r13 0x7ffff5ec33e0 140737319285728 r14 0x7ffff3c7e240 140737283351104 r15 0x0 0 rip 0x4d9116 <js::frontend::Parser<js::frontend::FullParseHandler>::classDefinition(js::frontend::YieldHandling, js::frontend::Parser<js::frontend::FullParseHandler>::ClassContext, js::frontend::DefaultHandling)+1638> => 0x4d9116 <js::frontend::Parser<js::frontend::FullParseHandler>::classDefinition(js::frontend::YieldHandling, js::frontend::Parser<js::frontend::FullParseHandler>::ClassContext, js::frontend::DefaultHandling)+1638>: movzwl (%rax),%ecx 0x4d9119 <js::frontend::Parser<js::frontend::FullParseHandler>::classDefinition(js::frontend::YieldHandling, js::frontend::Parser<js::frontend::FullParseHandler>::ClassContext, js::frontend::DefaultHandling)+1641>: cmp $0x85,%cx
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/de72e2291ae8 user: Jan de Mooij date: Wed Dec 09 22:55:50 2015 -0500 summary: Bug 1225396 part 3 - Make %GeneratorPrototype% inherit from %IteratorPrototype%. r=jorendorff This iteration took 0.876 seconds to run.
Jan, is bug 1225396 a likely regressor?
Blocks: 1225396
Flags: needinfo?(jdemooij)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2) > Jan, is bug 1225396 a likely regressor? No, a number of OOM bugs seem to bisect to that, probably because it affects memory allocation. Anyways the fix is simple so I'll post a patch.
No longer blocks: 1225396
Attached patch PatchSplinter Review
Missing an OOM check in Parser::classDefinition.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8699466 - Flags: review?(efaustbmo)
Comment on attachment 8699466 [details] [diff] [review] Patch Review of attachment 8699466 [details] [diff] [review]: ----------------------------------------------------------------- This is what I get for trying to add error handling after I got it working....r=me
Attachment #8699466 - Flags: review?(efaustbmo) → review+
https://hg.mozilla.org/mozilla-central/rev/ac009a72b8cd
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox46: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: