Bug 126990 - ASSERTION FAILED: !hasError() in JSC::Parser<LexerType>::createSavePoint()
Summary: ASSERTION FAILED: !hasError() in JSC::Parser<LexerType>::createSavePoint()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Normal
Assignee: Mark Lam
URL:
Keywords:
Depends on:
Blocks: 116980
Reported: 2014-01-14 10:20 PST by Renata Hodovan
Modified: 2014-01-14 14:08 PST

Attachments
Test case (42 bytes, application/javascript)
2014-01-14 10:20 PST, Renata Hodovan
the patch. (3.90 KB, patch)
2014-01-14 13:02 PST, Mark Lam
ggaren: review+

Description Renata Hodovan 2014-01-14 10:20:01 PST
Created attachment 221175 [details]
Test case

The test fails on x86_64, Ubuntu 12.10:

const var_0 = (null < !), var_0 = 1 + { };


Backtrace:

ASSERTION FAILED: !hasError()
/home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.h(782) : JSC::Parser<LexerType>::SavePoint JSC::Parser<LexerType>::createSavePoint() [with LexerType = JSC::Lexer<unsigned char>]
1   0x7ffff74a3e44 WTFCrash
2   0x7ffff72a554e JSC::Parser<JSC::Lexer<unsigned char> >::createSavePoint()
3   0x7ffff72fae78 JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseObjectLiteral<JSC::ASTBuilder>(JSC::ASTBuilder&)
4   0x7ffff72f26f5 JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parsePrimaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
5   0x7ffff72eba4f JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
6   0x7ffff72dd6fe JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
7   0x7ffff72db55d JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
8   0x7ffff72d57c7 JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
9   0x7ffff72ca55c JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
10  0x7ffff72bd2d2 JSC::ASTBuilder::ConstDeclList JSC::Parser<JSC::Lexer<unsigned char> >::parseConstDeclarationList<JSC::ASTBuilder>(JSC::ASTBuilder&)
11  0x7ffff72af8f3 JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseConstDeclaration<JSC::ASTBuilder>(JSC::ASTBuilder&)
12  0x7ffff72ace7b JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*)
13  0x7ffff72aa45b JSC::ASTBuilder::SourceElements JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::SourceElementsMode)
14  0x7ffff72a4012 JSC::Parser<JSC::Lexer<unsigned char> >::parseInner()
15  0x7ffff6f90a37 WTF::PassRefPtr<JSC::ProgramNode> JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode>(JSC::ParserError&)
16  0x7ffff6f90641 WTF::PassRefPtr<JSC::ProgramNode> JSC::parse<JSC::ProgramNode>(JSC::VM*, JSC::SourceCode const&, JSC::FunctionParameters*, JSC::Identifier const&, JSC::JSParserStrictness, JSC::JSParserMode, JSC::ParserError&, JSC::JSTextPosition*)
17  0x7ffff733be82 JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictness, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&)
18  0x7ffff733a55f JSC::CodeCache::getProgramCodeBlock(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictness, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&)
19  0x7ffff7382c49 JSC::JSGlobalObject::createProgramCodeBlock(JSC::ExecState*, JSC::ProgramExecutable*, JSC::JSObject**)
20  0x7ffff7354d87 JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::ExecState*, JSC::JSScope*)
21  0x7ffff722f1dd JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
22  0x7ffff73480bc JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
23  0x41747c
24  0x41824b jscmain(int, char**)
25  0x417268 main
26  0x7ffff5a4d76d __libc_start_main
27  0x415a79

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff74a3e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff74a3e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff72a554e in JSC::Parser<JSC::Lexer<unsigned char> >::createSavePoint (this=0x7fffffffac20)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.h:782
#2  0x00007ffff72fae78 in JSC::Parser<JSC::Lexer<unsigned char> >::parseObjectLiteral<JSC::ASTBuilder> (this=0x7fffffffac20, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1760
#3  0x00007ffff72f26f5 in JSC::Parser<JSC::Lexer<unsigned char> >::parsePrimaryExpression<JSC::ASTBuilder> (this=0x7fffffffac20, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1936
#4  0x00007ffff72eba4f in JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder> (this=0x7fffffffac20, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:2082
#5  0x00007ffff72dd6fe in JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder> (this=0x7fffffffac20, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:2206
#6  0x00007ffff72db55d in JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder> (this=0x7fffffffac20, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1640
#7  0x00007ffff72d57c7 in JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder> (this=0x7fffffffac20, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1600
#8  0x00007ffff72ca55c in JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder> (this=0x7fffffffac20, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1534
#9  0x00007ffff72bd2d2 in JSC::Parser<JSC::Lexer<unsigned char> >::parseConstDeclarationList<JSC::ASTBuilder> (this=0x7fffffffac20, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:662
#10 0x00007ffff72af8f3 in JSC::Parser<JSC::Lexer<unsigned char> >::parseConstDeclaration<JSC::ASTBuilder> (this=0x7fffffffac20, context=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:360
#11 0x00007ffff72ace7b in JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder> (this=0x7fffffffac20, context=..., 
    directive=@0x7fffffffa2f8: 0x0, directiveLiteralLength=0x7fffffffa314) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1089
#12 0x00007ffff72aa45b in JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder> (this=0x7fffffffac20, context=..., 
    mode=JSC::CheckForStrictMode) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:301
#13 0x00007ffff72a4012 in JSC::Parser<JSC::Lexer<unsigned char> >::parseInner (this=0x7fffffffac20)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:248
#14 0x00007ffff6f90a37 in JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode> (this=0x7fffffffac20, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.h:887
#15 0x00007ffff6f90641 in JSC::parse<JSC::ProgramNode> (vm=0x6472c0, source=..., parameters=0x0, name=..., strictness=JSC::JSParseNormal, 
    parserMode=JSC::JSParseProgramCode, error=..., positionBeforeLastNewline=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.h:957
#16 0x00007ffff733be82 in JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable> (this=0x659100, vm=..., 
    executable=0x7fffa97ffef0, source=..., strictness=JSC::JSParseNormal, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/CodeCache.cpp:95
#17 0x00007ffff733a55f in JSC::CodeCache::getProgramCodeBlock (this=0x659100, vm=..., executable=0x7fffa97ffef0, source=..., strictness=JSC::JSParseNormal, 
    debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/CodeCache.cpp:129
#18 0x00007ffff7382c49 in JSC::JSGlobalObject::createProgramCodeBlock (this=0x7fffa98af970, callFrame=0x7fffa98af9b0, executable=0x7fffa97ffef0, 
    exception=0x7fffffffc4c0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:723
#19 0x00007ffff7354d87 in JSC::ProgramExecutable::initializeGlobalProperties (this=0x7fffa97ffef0, vm=..., callFrame=0x7fffa98af9b0, scope=0x7fffa98af970)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:466
#20 0x00007ffff722f1dd in JSC::Interpreter::execute (this=0x6591c0, program=0x7fffa97ffef0, callFrame=0x7fffa98af9b0, thisObj=0x7fffa986fb90)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:879
#21 0x00007ffff73480bc in JSC::evaluate (exec=0x7fffa98af9b0, source=..., thisValue=..., returnedException=0x7fffffffdac0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Completion.cpp:82
#22 0x000000000041747c in runWithScripts (globalObject=0x7fffa98af970, scripts=..., dump=false)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:660
#23 0x000000000041824b in jscmain (argc=2, argv=0x7fffffffdd68) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:877
#24 0x0000000000417268 in main (argc=2, argv=0x7fffffffdd68) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:618
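The call chain above shows parseObjectLiteral() creating a save point while a parse error is already pending. An added illustration of that invariant, not WebKit's code or its fix: a toy C++ parser over a hand-constructed token stream shaped like the test case, with a variant that skips the error check after each const initializer and a hardened one that propagates it.

```cpp
// Added illustration, not WebKit's code or its actual fix: a toy parser with the
// invariant JSC enforces in createSavePoint() (no save point while an error is pending).
#include <string>
#include <vector>
struct ToyParser {
    std::vector<std::string> toks;      // constructed token stream
    size_t pos = 0;
    bool error = false;
    bool assertionHit = false;          // where JSC would fail ASSERT(!hasError())
    bool checkAfterEachInit = false;    // false = buggy pattern, true = hardened
    bool hasError() const { return error; }
    std::string peek() const { return pos < toks.size() ? toks[pos] : "<eof>"; }
    size_t createSavePoint() {
        if (hasError()) assertionHit = true;   // JSC: ASSERT(!hasError())
        return pos;
    }
    // Object literal is the only production here that takes a save point,
    // mirroring parseObjectLiteral() in the backtrace.
    bool parseObjectLiteral() {
        createSavePoint();
        ++pos; if (peek() != "}") { error = true; return false; }   // '{' ... '}'
        ++pos;
        return true;
    }
    bool parseInitializer() {
        if (peek() == "{") return parseObjectLiteral();
        if (peek() == "!") {                // unary '!' with no operand, as in "(null < !)"
            ++pos;
            if (peek() == "," || peek() == ")" || peek() == "<eof>") { error = true; return false; }
        }
        ++pos;                              // plain atom
        return true;
    }
    // const a = init, b = init, ...  The buggy variant keeps consuming after a
    // failed initializer, so the next initializer is parsed in an error state.
    bool parseConstDeclarationList() {
        for (;;) {
            bool ok = parseInitializer();
            if (checkAfterEachInit && !ok) return false;
            if (peek() != ",") break;
            ++pos;
        }
        return !hasError();
    }
};
// Did the save-point invariant get violated while parsing this declaration list?
bool savePointViolated(const std::vector<std::string>& toks, bool hardened) {
    ToyParser p; p.toks = toks; p.checkAfterEachInit = hardened;
    p.parseConstDeclarationList();
    return p.assertionHit;
}
```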
Comment 1 Mark Lam 2014-01-14 11:38:25 PST
I've reproduced this assertion failure on Mac running the jsc shell on the provided test script.  Still investigating.
Comment 2 Mark Lam 2014-01-14 13:02:34 PST
Created attachment 221191 [details]
the patch.
Comment 3 Geoffrey Garen 2014-01-14 13:14:04 PST
Comment on attachment 221191 [details]
the patch.

r=me
Comment 4 Mark Lam 2014-01-14 14:08:21 PST
Thanks.  Landed in r162006: <http://trac.webkit.org/r162006>.