The following testcase crashes on mozilla-central revision d9f557b5fc76 (build with --enable-address-sanitizer, run with --fuzzing-safe --no-threads --ion-eager):

```
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/resumption-08.js
g = newGlobal({ newCompartment: true });
dbg = new Debugger;
dbg.addDebuggee(g);
f = function(resumptionVal) {
  dbg.onEnterFrame = function(frame) {
    frame.onStep = function() {
      dbg.removeDebuggee(g);
      return { return: "" };
    }
  }
}
f();
g.eval("(" + function() {} + ")");
```

Backtrace:

```
==18260==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x555cd4888397 in __interceptor_malloc (/home/ubuntu/shell-cache/js-64-asan-linux-x86_64-d9f557b5fc76/js-64-asan-linux-x86_64-d9f557b5fc76+0x1465397)
    #1 0x555cd60c8779 in js_arena_malloc(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-d9f557b5fc76/objdir-js/dist/include/js/Utility.h:392:10
    #2 0x555cd60c8779 in unsigned char* js_pod_arena_malloc<unsigned char>(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-d9f557b5fc76/objdir-js/dist/include/js/Utility.h:600
    #3 0x555cd60c8779 in unsigned char* js::MallocProvider<JSContext>::maybe_pod_malloc<unsigned char>(unsigned long, unsigned long) js/src/vm/MallocProvider.h:53
    #4 0x555cd60c8779 in unsigned char* js::MallocProvider<JSContext>::pod_malloc<unsigned char>(unsigned long, unsigned long) js/src/vm/MallocProvider.h:90
/snip
```

For detailed crash information, see attachment.
Bug 1566189 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
The following testcase crashes on mozilla-central revision d9f557b5fc76 (build with --enable-address-sanitizer, run with --fuzzing-safe --no-threads --ion-eager):

```
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/resumption-08.js
g = newGlobal({ newCompartment: true });
dbg = new Debugger;
dbg.addDebuggee(g);
f = function(resumptionVal) {
  dbg.onEnterFrame = function(frame) {
    frame.onStep = function() {
      dbg.removeDebuggee(g);
      return { return: "" };
    }
  }
}
f();
g.eval("(" + function() {} + ")");
```

Backtrace:

```
==18260==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x555cd4888397 in __interceptor_malloc (/home/ubuntu/shell-cache/js-64-asan-linux-x86_64-d9f557b5fc76/js-64-asan-linux-x86_64-d9f557b5fc76+0x1465397)
    #1 0x555cd60c8779 in js_arena_malloc(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-d9f557b5fc76/objdir-js/dist/include/js/Utility.h:392:10
    #2 0x555cd60c8779 in unsigned char* js_pod_arena_malloc<unsigned char>(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-d9f557b5fc76/objdir-js/dist/include/js/Utility.h:600
    #3 0x555cd60c8779 in unsigned char* js::MallocProvider<JSContext>::maybe_pod_malloc<unsigned char>(unsigned long, unsigned long) js/src/vm/MallocProvider.h:53
    #4 0x555cd60c8779 in unsigned char* js::MallocProvider<JSContext>::pod_malloc<unsigned char>(unsigned long, unsigned long) js/src/vm/MallocProvider.h:90
    #5 0x555cd60c8779 in js::jit::BaselineDebugModeOSRInfo* js::MallocProvider<JSContext>::new_<js::jit::BaselineDebugModeOSRInfo, unsigned char*&, js::jit::RetAddrEntry::Kind&>(unsigned char*&, js::jit::RetAddrEntry::Kind&) js/src/vm/MallocProvider.h:196
    #6 0x555cd60c8779 in DebugModeOSREntry::allocateRecompileInfo(JSContext*) js/src/jit/BaselineDebugModeOSR.cpp:114
    #7 0x555cd5fee88c in CollectJitStackScripts(JSContext*, js::Debugger::ExecutionObservableSet const&, js::ActivationIterator const&, mozilla::Vector<DebugModeOSREntry, 0ul, js::TempAllocPolicy>&) js/src/jit/BaselineDebugModeOSR.cpp:210:31
/snip
```

For detailed crash information, see attachment.
The following testcase crashes on mozilla-central revision d9f557b5fc76 (build with --enable-address-sanitizer, run with --fuzzing-safe --no-threads --ion-eager and the environment variables ASAN_OPTIONS=detect_leaks=1 LSAN_OPTIONS=max_leaks=1):

```
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/resumption-08.js
g = newGlobal({ newCompartment: true });
dbg = new Debugger;
dbg.addDebuggee(g);
f = function(resumptionVal) {
  dbg.onEnterFrame = function(frame) {
    frame.onStep = function() {
      dbg.removeDebuggee(g);
      return { return: "" };
    }
  }
}
f();
g.eval("(" + function() {} + ")");
```

Backtrace:

```
==18260==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x555cd4888397 in __interceptor_malloc (/home/ubuntu/shell-cache/js-64-asan-linux-x86_64-d9f557b5fc76/js-64-asan-linux-x86_64-d9f557b5fc76+0x1465397)
    #1 0x555cd60c8779 in js_arena_malloc(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-d9f557b5fc76/objdir-js/dist/include/js/Utility.h:392:10
    #2 0x555cd60c8779 in unsigned char* js_pod_arena_malloc<unsigned char>(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-d9f557b5fc76/objdir-js/dist/include/js/Utility.h:600
    #3 0x555cd60c8779 in unsigned char* js::MallocProvider<JSContext>::maybe_pod_malloc<unsigned char>(unsigned long, unsigned long) js/src/vm/MallocProvider.h:53
    #4 0x555cd60c8779 in unsigned char* js::MallocProvider<JSContext>::pod_malloc<unsigned char>(unsigned long, unsigned long) js/src/vm/MallocProvider.h:90
    #5 0x555cd60c8779 in js::jit::BaselineDebugModeOSRInfo* js::MallocProvider<JSContext>::new_<js::jit::BaselineDebugModeOSRInfo, unsigned char*&, js::jit::RetAddrEntry::Kind&>(unsigned char*&, js::jit::RetAddrEntry::Kind&) js/src/vm/MallocProvider.h:196
    #6 0x555cd60c8779 in DebugModeOSREntry::allocateRecompileInfo(JSContext*) js/src/jit/BaselineDebugModeOSR.cpp:114
    #7 0x555cd5fee88c in CollectJitStackScripts(JSContext*, js::Debugger::ExecutionObservableSet const&, js::ActivationIterator const&, mozilla::Vector<DebugModeOSREntry, 0ul, js::TempAllocPolicy>&) js/src/jit/BaselineDebugModeOSR.cpp:210:31
/snip
```

For detailed crash information, see attachment.