Closed
Bug 1028863
Opened 10 years ago
Closed 10 years ago
Assertion failure: hasTwoByteChars(), at vm/String.h:1460 or Crash [@ js::StringBuffer::append] with saveStack
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla33
Tracking | Status | |
---|---|---|
firefox33 | --- | affected |
People
(Reporter: decoder, Assigned: jonco)
References
Details
(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])
Attachments
(2 files, 2 obsolete files)
535 bytes,
text/plain
|
Details | |
17.29 KB,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 366b5c0c02d3 (run with --fuzzing-safe): function writeTestCaseResult( expect, actual, string ) {} schedulegc(10); if (saveStack() == 3) done = true;
Reporter | ||
Comment 1•10 years ago
|
||
Reporter | ||
Comment 2•10 years ago
|
||
Marked as fuzzblocker because this triggers quite easily.
Assignee | ||
Updated•10 years ago
|
Assignee: nobody → jcoppeard
Reporter | ||
Comment 3•10 years ago
|
||
Attachment #8444337 -
Attachment is obsolete: true
Reporter | ||
Comment 4•10 years ago
|
||
Attachment #8444344 -
Attachment is obsolete: true
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Reporter | ||
Comment 5•10 years ago
|
||
JSBugMon: Bisection requested, failed due to error (try manually).
Assignee | ||
Comment 6•10 years ago
|
||
SavedStacks::insertFrames() does this: SavedFrame::Lookup lookup(location.source, location.line, location.column, callee ? callee->displayAtom() : nullptr, parentFrame, thisFrame.compartment()->principals); frame.set(getOrCreateSavedFrame(cx, lookup)); Lookup contains unrooted GC things and getOrCreateSavedFrame() creates an new JSObject before using its contents, so this should really be a rooting hazard. However, lookup is passed as a reference so at a guess the analysis assumes it's rooted in createFrameFromLookup() where it's is used after the possibility of GC. I checked and this is one of our unsafe refs: Function '_ZN2js11SavedStacks12insertFramesEP9JSContextRNS_15ScriptFrameIterEN2JS13MutableHandleIPNS_10SavedFrameEEE|uint8 js::SavedStacks::insertFrames(JSContext*, js::ScriptFrameIter*, class JS::MutableHandle<js::SavedFrame*>)' takes unsafe address of unrooted 'lookup' at js/src/vm/SavedStacks.cpp:464 js/src/vm/SavedStacks.cpp:464: Call(35,36, __temp_14 := this*.getOrCreateSavedFrame(cx*,lookup)) It would be great if we could make this be reported as a hazard somehow. It also means we should audit the unsafe refs list again.
Assignee | ||
Comment 7•10 years ago
|
||
Add an autorooter for SavedFrame::Lookup and use this to root Lookup around object creation. I also added typedefs for HandleSavedFrame etc.
Attachment #8444427 -
Flags: review?(terrence)
Comment 8•10 years ago
|
||
Comment on attachment 8444427 [details] [diff] [review] bug1028863-root-lookup Review of attachment 8444427 [details] [diff] [review]: ----------------------------------------------------------------- Gah! When reviewing, I walked through the places where a Lookup is on the stack call by call with mrgiggles and figured the analysis would catch anything I missed. Just goes to show how impossible this stuff is to get right even with all the helpful tools we've built. I'd consider this bug as solid positive evidence that we need to take the time to push the unsafe refs to 0 too: I'll add it to our list for triaging.
Attachment #8444427 -
Flags: review?(terrence) → review+
Comment 9•10 years ago
|
||
> JSBugMon: Bisection requested, failed due to error (try manually). autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/466812b83481 user: Nick Fitzgerald date: Tue Jun 17 16:32:00 2014 -0400 summary: Bug 1004110 - Memoize PCToLineNumber lookups in SavedStacks. r=terrence Guessing this might be due to bug 1004110...
Blocks: 1004110
Keywords: regression
Assignee | ||
Comment 10•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/6dbb4388563b
Comment 11•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/6dbb4388563b
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
You need to log in
before you can comment on or make changes to this bug.
Description
•