Closed Bug 1032221 Opened 11 years ago Closed 11 years ago

Crash [@ js::StringBuffer::append] with saveStack

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1031168
Tracking Flags:
Tracking Status
firefox33 --- affected

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,bisect,ignore])

Crash Data

Attachments

(1 file)

[crash-signature] Machine-readable crash signature
201 bytes, text/plain
Details
The following testcase crashes on mozilla-central revision b6408c32a170 (run with --fuzzing-safe): loadFile("\ saveStack();\ gcPreserveCode = function() {};\ gc();\ saveStack() == 3\ "); function loadFile(lfVarx) { evaluate(lfVarx); }
Opt-crash trace: Program received signal SIGSEGV, Segmentation fault. js::StringBuffer::append (this=0x7fffffffb070, str=<optimized out>) at js/src/vm/StringBuffer.h:251 251 : twoByteChars().append(str->twoByteChars(nogc), str->length()); #0 js::StringBuffer::append (this=0x7fffffffb070, str=<optimized out>) at js/src/vm/StringBuffer.h:251 #1 0x000000000085f0cd in js::SavedFrame::toStringMethod (cx=0x161a6e0, argc=0, vp=0x7fffffffb758) at js/src/vm/SavedStacks.cpp:368 #2 0x000000000082ea52 in CallJSNative (args=..., native=0x85edf0 <js::SavedFrame::toStringMethod(JSContext*, unsigned int, JS::Value*)>, cx=0x161a6e0) at js/src/jscntxtinlines.h:230 #3 js::Invoke (cx=0x161a6e0, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:455 #4 0x000000000082f8db in js::Invoke (cx=0x161a6e0, thisv=..., fval=..., argc=0, argv=<optimized out>, rval=...) at js/src/vm/Interpreter.cpp:511 #5 0x00000000007953b1 in MaybeCallMethod (cx=0x161a6e0, obj=..., id=..., vp=...) at js/src/jsobj.cpp:5410 #6 0x000000000079b98a in js::DefaultValue (cx=0x161a6e0, obj=..., hint=JSTYPE_VOID, vp=...) at js/src/jsobj.cpp:5469 #7 0x000000000080aa93 in defaultValue (vp=..., hint=JSTYPE_VOID, obj=..., cx=0x161a6e0) at js/src/jsobj.h:1064 rbx 0x4b4b4b4b 5425512962855750475 rdx 0x0 0 => 0x49bd80 <js::StringBuffer::append(JSLinearString*)+176>: movdqu (%rbx,%rdx,1),%xmm0 Needinfo from :fitzgen because this involves saveStack. Also Ccing :jonco for GC help :)
status-firefox33: --- → affected
Flags: needinfo?(nfitzgerald)
Whiteboard: [jsbugmon:update,bisect]
You rock. I can't tell for sure, because this testcase does not crash 100% reliably for me, but I'm pretty sure this is a duplicate of bug 1031168.
Depends on: 1031168
Flags: needinfo?(nfitzgerald)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ac6960197eb6).
This landed in bug 1031168 with the testcase from comment 0 included. Thanks!
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: