Bug 635599
Opened 13 years ago
Closed 13 years ago
Assertion failure: isScriptFrame() // GC related Crash @ js::Bindings::countArgsAndVars
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 635811
Tracking flags: blocking2.0: final+
People: Reporter: decoder, Assigned: luke
Keywords: assertion, crash, testcase
Whiteboard: [hardblocker][sg:critical?]
Attachments (1 file): 434 bytes, application/javascript
Description

The attached testcase (shell with -j,-m) causes the following assertion on TM tip:

Assertion failure: isScriptFrame(), at ../jsinterp.h:278

Passing through the assertion reveals a garbage collector related crash:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004110fa in js::Bindings::countArgsAndVars (this=0xdededede00700072) at ../jsscript.h:198
198	uintN countArgsAndVars() const { return nargs + nvars; }
(gdb) bt
#0  0x00000000004110fa in js::Bindings::countArgsAndVars (this=0xdededede00700072) at ../jsscript.h:198
#1  0x00000000004a873a in call_trace (trc=0x7ffffff899d0, obj=0x7ffff690e0b0) at jsfun.cpp:1385
#2  0x00000000004fabea in js_TraceObject (trc=0x7ffffff899d0, obj=0x7ffff690e0b0) at jsobj.cpp:6552
#3  0x00000000004b0f41 in MarkChildren (trc=0x7ffffff899d0, obj=0x7ffff690e0b0) at jsgcinlines.h:289
#4  0x00000000004b117a in TypedMarker (trc=0x7ffffff899d0, thing=0x7ffff690e0b0) at jsgcinlines.h:347
#5  0x00000000004bb3f0 in Mark<JSObject_Slots2> (trc=0x7ffffff899d0, thing=0x7ffff690e0b0) at jsgcinlines.h:222
#6  0x00000000004c1a18 in js::gc::Arena<JSObject_Slots2>::mark (this=0x7ffff690e000, thing=0x7ffff690e0b0, trc=0x7ffffff899d0) at jsgc.cpp:226
#7  0x00000000004b69d7 in MarkCell<JSObject_Slots2> (cell=0x7ffff690e0b0, trc=0x7ffffff899d0) at jsgc.cpp:583
#8  0x00000000004bce78 in js::MarkIfGCThingWord (trc=0x7ffffff899d0, w=140737330077872, thingKind=@0x7ffffff8987c) at jsgc.cpp:649
#9  0x00000000004b2796 in MarkWordConservatively (trc=0x7ffffff899d0, w=140737330077872) at jsgc.cpp:712
#10 0x00000000004b28c4 in MarkRangeConservatively (trc=0x7ffffff899d0, begin=0x7ffffff89b20, end=0x7ffffffff000) at jsgc.cpp:743
#11 0x00000000004b2977 in MarkThreadDataConservatively (trc=0x7ffffff899d0, td=0x7ffff7e5d360) at jsgc.cpp:760
#12 0x00000000004b2a19 in js::MarkConservativeStackRoots (trc=0x7ffffff899d0) at jsgc.cpp:800
#13 0x00000000004b44ea in js::MarkRuntime (trc=0x7ffffff899d0) at jsgc.cpp:1651
#14 0x00000000004b5893 in MarkAndSweep (cx=0xb05530, gckind=GC_NORMAL) at jsgc.cpp:2407
#15 0x00000000004b5db9 in GCUntilDone (cx=0xb05530, comp=0x0, gckind=GC_NORMAL) at jsgc.cpp:2750
#16 0x00000000004b5f86 in js_GC (cx=0xb05530, comp=0x0, gckind=GC_NORMAL) at jsgc.cpp:2819
#17 0x00000000004280f4 in JS_GC (cx=0xb05530) at jsapi.cpp:2563
#18 0x0000000000407a78 in GC (cx=0xb05530, argc=0, vp=0x7ffff6a920a0) at js.cpp:1404
#19 0x00000000004d3f82 in js::CallJSNative (cx=0xb05530, native=0x407a21 <GC>, argc=0, vp=0x7ffff6a920a0) at jscntxtinlines.h:701
#20 0x00000000006a0cc3 in CallCompiler::generateNativeStub (this=0x7ffffff8a580) at ./methodjit/MonoIC.cpp:808
#21 0x000000000069cf10 in js::mjit::ic::NativeCall (f=..., ic=0xb6b9e8) at ./methodjit/MonoIC.cpp:1016

Security lock and blocker nomination because of crash/possible security problem.
Comment 1•13 years ago (Reporter)
Tested this on x86 with mozilla-central and it also asserts with Assertion failure: hasCallObj(), at jsinterpinlines.h:479 and then crashes after a few other asserts. Tried optimized builds on both platforms and got no crash (maybe different gc timing/strategy there?). The bug itself seems to be no recent regression but an old bug; I didn't get a reliable bisect, though (maybe introduced with MethodJIT).
Hardware: x86_64 → x86
Updated•13 years ago
Assignee: general → jwalden+bmo
Comment 2•13 years ago
Is this also the call_trace crash?
Comment 3•13 years ago (Assignee)
Since there are generators at play, I think this falls into bug 635811 comment 3. So we should re-test this with bug 635811's patch.
Comment 4•13 years ago
DMandelin and Waldo have talked themselves into believing this might be sg:crit - final+
blocking2.0: ? → final+
Whiteboard: [hardblocker][sg:critical?]
Comment 5•13 years ago
Shifting to Luke since he thinks it's probably the other bug he already has a handle on, more or less.
Assignee: jwalden+bmo → lw
Comment 6•13 years ago (Assignee)
I was wrong in comment 3; generators don't have a problem. But this is a dup of bug 635811 (as can be seen by applying the asserting patch in that bug).
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
Group: core-security