Closed
Bug 1141382
Opened 9 years ago
Closed 9 years ago
Crash [@ markIfUnmarked] or Assertion failure: entry.isJs(), at vm/SPSProfiler.cpp:371
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Unassigned
Details: 5 keywords, Whiteboard: [jsbugmon:update][adv-main46+]
The following testcase crashes on mozilla-central revision eab4a81e4457 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --no-threads):

setJitCompilerOption("baseline.warmup.trigger", 045133);
enableSPSProfilingWithSlowAssertions();
DoWhile(new DoWhileObject());
function DoWhileObject() {}
function DoWhile(object) {
  do {
    throw DoWhile(1)
  } while(object.value);
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
markIfUnmarked (cell=<optimized out>, this=<optimized out>, color=0) at js/src/gc/Heap.h:857
857         if (*word & mask)
#0  markIfUnmarked (cell=<optimized out>, this=<optimized out>, color=0) at js/src/gc/Heap.h:857
#1  markIfUnmarked (color=0, this=<optimized out>) at js/src/gc/Heap.h:1285
#2  js::gc::MarkPermanentAtom (trc=trc@entry=0x16b21d8, atom=<optimized out>, name=name@entry=0xaa2ecf "length2-static-string") at js/src/gc/Marking.cpp:338
#3  0x00000000005cc7e7 in js::StaticStrings::trace (this=0x16c8b90, trc=trc@entry=0x16b21d8) at js/src/vm/String.cpp:718
#4  0x0000000000446424 in js::MarkPermanentAtoms (trc=trc@entry=0x16b21d8) at js/src/jsatom.cpp:223
#5  0x0000000000628fcf in js::gc::GCRuntime::markRuntime (this=this@entry=0x16aa550, trc=trc@entry=0x16b21d8, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::MarkRuntime, rootsSource=rootsSource@entry=js::gc::GCRuntime::TraceRoots) at js/src/gc/RootMarking.cpp:472
#6  0x00000000008727bc in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x16aa550, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:4017
#7  0x00000000008982b9 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x16aa550, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:5889
#8  0x0000000000898ebe in js::gc::GCRuntime::gcCycle (this=this@entry=0x16aa550, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6126
#9  0x0000000000899183 in js::gc::GCRuntime::collect (this=this@entry=0x16aa550, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6238
#10 0x0000000000899767 in js::gc::GCRuntime::gc (this=this@entry=0x16aa550, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6299
#11 0x0000000000819b43 in js::DestroyContext (cx=0x16c7fe0, mode=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:185
#12 0x0000000000819c4a in JS_DestroyContext (cx=<optimized out>) at js/src/jsapi.cpp:675
#13 0x0000000000416ab9 in DestroyContext (withGC=true, cx=0x16c7fe0) at js/src/shell/js.cpp:5639
#14 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6394

rax    0x80000           524288
rbx    0x16b21d8         23798232
rcx    0x13              19
rdx    0x7ff7f7efc618    140702993335832
rsi    0x7ff7f7efc0a0    140702993334432
rdi    0x16b21d8         23798232
rbp    0x16b21d8         23798232
rsp    0x7fffffffd380    140737488343936
r8     0x6e              110
r9     0x1               1
r10    0x1               1
r11    0x1738b10         24349456
r12    0x16c8b90         23890832
r13    0x16b21d8         23798232
r14    0x1               1
r15    0x16bcd40         23842112
rip    0x4d6056 <js::gc::MarkPermanentAtom(JSTracer*, JSAtom*, char const*)+134>
=> 0x4d6056 <js::gc::MarkPermanentAtom(JSTracer*, JSAtom*, char const*)+134>:    mov    (%rdx),%rcx
   0x4d6059 <js::gc::MarkPermanentAtom(JSTracer*, JSAtom*, char const*)+137>:    test   %rax,%rcx

Marking s-s because the crash looks bad and involves GC.
See also bug 1134515.
See Also: → 1134515
Reporter | Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | Comment 2•9 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/70a8168c7d24
user: Kannan Vijayan
date: Thu Jan 15 20:11:21 2015 -0500
summary: Bug 1057082 - 3/7 - Modify jits to use lastProfilingFrame and lastProfilingCallSite fields. r=jandem
This iteration took 154.722 seconds to run.
Updated•9 years ago
Keywords: sec-moderate
Reporter | Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter | Comment 3•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 42afc7ef5ccb).
Updated•9 years ago
Group: core-security → javascript-core-security
Updated•9 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Updated•9 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 4•9 years ago
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/2d5eaa85e9da
user: Kannan Vijayan
date: Thu Mar 12 12:13:16 2015 -0400
summary: Bug 1134515 - Ensure SPSBaselineOSRMarker checks pseudostack size properly. r=shu
This iteration took 164.591 seconds to run.
Assuming FIXED by bug 1134515.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:] → [jsbugmon:update]
Updated•9 years ago
Status: RESOLVED → VERIFIED
status-firefox46: --- → verified
Comment 6•9 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•8 years ago
Group: javascript-core-security → core-security-release
Updated•8 years ago
status-firefox45: --- → wontfix
status-firefox-esr45: --- → wontfix
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main45+]
Updated•8 years ago
Whiteboard: [jsbugmon:update][adv-main45+] → [jsbugmon:update][adv-main46+]
Updated•7 years ago
Group: core-security-release