1097585 - Crash [@ js::BaseProxyHandler::call] or Hit MOZ_CRASH(callable proxies should implement call trap) at proxy/BaseProxyHandler.cpp

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

x = Proxy.createFunction(function() {}, function() {})
function f() {
    x = Proxy.create(function() {}, x())
}
f()
f()

asserts js debug shell on m-c changeset eb0d3b3c0b22 with --no-threads --baseline-eager at Hit MOZ_CRASH(callable proxies should implement call trap) at proxy/BaseProxyHandler.cpp and crashes opt shell at js::BaseProxyHandler::call.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20141104140142" and the hash "a9a7f16c817b".
The "bad" changeset has the timestamp "20141104142049" and the hash "ed6401282c18".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a9a7f16c817b&tochange=ed6401282c18

Brian, is bug 1091015 a possible regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack for opt crash

(lldb) bt
* thread #1: tid = 0xb6f6c, 0x0000000100422a91 js-dbgDisabled-opt-64-dm-nsprBuild-darwin-eb0d3b3c0b22`js::BaseProxyHandler::call(this=0x000000010112d230, cx=0x0000000102801400, args=0x00007fff5fbfe508, proxy=<unavailable>) const + 1 at BaseProxyHandler.cpp:219, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100422a91 js-dbgDisabled-opt-64-dm-nsprBuild-darwin-eb0d3b3c0b22`js::BaseProxyHandler::call(this=0x000000010112d230, cx=0x0000000102801400, args=0x00007fff5fbfe508, proxy=<unavailable>) const + 1 at BaseProxyHandler.cpp:219
    frame #1: 0x000000010042a479 js-dbgDisabled-opt-64-dm-nsprBuild-darwin-eb0d3b3c0b22`js::Proxy::call(cx=<unavailable>, args=<unavailable>, proxy=<unavailable>) + 233 at Proxy.cpp:437
    frame #2: 0x000000010042b47b js-dbgDisabled-opt-64-dm-nsprBuild-darwin-eb0d3b3c0b22`js::proxy_Call(cx=<unavailable>, argc=<unavailable>, vp=<unavailable>) + 75 at Proxy.cpp:819
    frame #3: 0x00000001015f8f84
(lldb)

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack for debug assert

(lldb) bt
* thread #1: tid = 0xb7704, 0x00000001005ebe8a js-dbg-opt-64-dm-nsprBuild-darwin-eb0d3b3c0b22`js::BaseProxyHandler::call(this=<unavailable>, cx=<unavailable>, args=<unavailable>, proxy=<unavailable>) const + 58 at BaseProxyHandler.cpp:219, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001005ebe8a js-dbg-opt-64-dm-nsprBuild-darwin-eb0d3b3c0b22`js::BaseProxyHandler::call(this=<unavailable>, cx=<unavailable>, args=<unavailable>, proxy=<unavailable>) const + 58 at BaseProxyHandler.cpp:219
    frame #1: 0x00000001005f6288 js-dbg-opt-64-dm-nsprBuild-darwin-eb0d3b3c0b22`js::Proxy::call(cx=0x0000000101b01440, args=0x00007fff5fbfdeb8, proxy=<unavailable>) + 248 at Proxy.cpp:437
    frame #2: 0x00000001005f86e5 js-dbg-opt-64-dm-nsprBuild-darwin-eb0d3b3c0b22`js::proxy_Call(cx=0x0000000101b01440, argc=<unavailable>, vp=<unavailable>) + 117 at Proxy.cpp:819
    frame #3: 0x00000001050765af
(lldb)

Comment 3

[Brian Hackett [Laid off!]]

Attachment: patch

Comment 4

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/58f75321e4c1

Comment 5

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/58f75321e4c1