Closed Bug 1109607 Opened 10 years ago Closed 10 years ago

Crash [@ ScriptFromCalleeToken] or [@ js::Debugger::removeDebuggeeGlobal] or Assertion failure: hasScript(), with OOM

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 1109328
Tracking Status
firefox37 --- affected

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision d7c76fe69e9a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --ion-offthread-compile=off main.js):

See attachment.

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
ScriptFromCalleeToken (token=0x0) at js/src/jit/JitFrames.h:81
81	    return CalleeTokenToFunction(token)->nonLazyScript();
#0  ScriptFromCalleeToken (token=0x0) at js/src/jit/JitFrames.h:81
#1  js::jit::BaselineFrame::script (this=0x7fffffffd1b0) at js/src/jit/BaselineFrame.h:155
#2  0x0000000000a385c1 in js::Debugger::removeDebuggeeGlobal (this=0x1b07a10, fop=0x7fffffffe1b0, global=(js::GlobalObject *) 0x7ffff695e060 [object global] delegate, debugEnum=0x0) at js/src/vm/Debugger.cpp:3027
#3  0x0000000000a38c45 in js::Debugger::detachAllDebuggersFromGlobal (fop=0x7fffffffe1b0, global=(js::GlobalObject *) 0x7ffff695e060 [object global] delegate) at js/src/vm/Debugger.cpp:2303
#4  0x00000000008bd306 in JSCompartment::sweepGlobalObject (this=0x1af5690, fop=0x7fffffffe1b0) at js/src/jscompartment.cpp:575
#5  0x000000000095b3c0 in js::gc::GCRuntime::beginSweepingZoneGroup (this=0x19e9480) at js/src/jsgc.cpp:5088
#6  0x000000000095eac5 in js::gc::GCRuntime::beginSweepPhase (this=0x19e9480, lastGC=<optimized out>) at js/src/jsgc.cpp:5257
#7  0x000000000095f27c in js::gc::GCRuntime::incrementalCollectSlice (this=0x19e9480, budget=..., reason=<optimized out>) at js/src/jsgc.cpp:5960
#8  0x000000000095fe6e in js::gc::GCRuntime::gcCycle (this=0x19e9480, incremental=<optimized out>, budget=..., gckind=js::GC_NORMAL, reason=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6170
#9  0x00000000009601ab in js::gc::GCRuntime::collect (this=0x19e9480, incremental=false, budget=..., gckind=js::GC_NORMAL, reason=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6297
#10 0x0000000000960d9a in js::gc::GCRuntime::gc (this=0x19e9480, gckind=js::GC_NORMAL, reason=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6343
#11 0x00000000008b2592 in js::DestroyContext (cx=0x1a0d320, mode=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:261
#12 0x0000000000424413 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6029
rax	0x0	0
rbx	0x1b07a10	28342800
rcx	0x1b07ae8	28343016
rdx	0x0	0
rsi	0x3	3
rdi	0x7fffffffd1b0	140737488343472
rbp	0x7fffffffe030	140737488347184
rsp	0x7fffffffe020	140737488347168
r8	0x6086e59a	1619453338
r9	0xc	12
r10	0x7	7
r11	0x0	0
r12	0x7fffffffe1b0	140737488347568
r13	0x7ffff698c100	140737330594048
r14	0x0	0
r15	0x1b07a30	28342832
rip	0x51ffb4	<js::jit::BaselineFrame::script() const+52>
=> 0x51ffb4 <js::jit::BaselineFrame::script() const+52>:	testb  $0x1,0x22(%rax)
   0x51ffb8 <js::jit::BaselineFrame::script() const+56>:	je     0x52004b <js::jit::BaselineFrame::script() const+203>
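As an added example (not part of this bug, jsbugmon, or the SpiderMonkey tree), a small Python triage helper that parses gdb frames like the ones quoted above and pulls out what a first-pass fuzz triager wants: the faulting frame and location, any null-pointer arguments in that frame, which components own frames on the stack, and whether the crash fired in a shutdown GC. The COMPONENTS routing table and the function names are assumptions, and the sample backtrace is a constructed copy of the frames above with some middle frames dropped.

```python
import re

# Constructed sample input: the gdb frames quoted in the report above, copied
# verbatim except that frames #6-#10 and #12 are omitted to keep it short.
BACKTRACE = """\
#0 ScriptFromCalleeToken (token=0x0) at js/src/jit/JitFrames.h:81
#1 js::jit::BaselineFrame::script (this=0x7fffffffd1b0) at js/src/jit/BaselineFrame.h:155
#2 0x0000000000a385c1 in js::Debugger::removeDebuggeeGlobal (this=0x1b07a10, fop=0x7fffffffe1b0, global=(js::GlobalObject *) 0x7ffff695e060 [object global] delegate, debugEnum=0x0) at js/src/vm/Debugger.cpp:3027
#3 0x0000000000a38c45 in js::Debugger::detachAllDebuggersFromGlobal (fop=0x7fffffffe1b0, global=(js::GlobalObject *) 0x7ffff695e060 [object global] delegate) at js/src/vm/Debugger.cpp:2303
#4 0x00000000008bd306 in JSCompartment::sweepGlobalObject (this=0x1af5690, fop=0x7fffffffe1b0) at js/src/jscompartment.cpp:575
#5 0x000000000095b3c0 in js::gc::GCRuntime::beginSweepingZoneGroup (this=0x19e9480) at js/src/jsgc.cpp:5088
#11 0x00000000008b2592 in js::DestroyContext (cx=0x1a0d320, mode=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:261
"""

# One gdb frame: "#N [0xADDR in] func (args) at file:line". Arguments may hold
# casts in parentheses, so the greedy ".*" is anchored on the final ") at".
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(?P<func>\S+)\s+"
    r"\((?P<args>.*)\)\s+at\s+(?P<loc>\S+)$")
# An argument whose value is exactly 0x0, not the prefix of a longer address.
NULL_ARG_RE = re.compile(r"(\w+)=0x0(?![0-9a-fA-F])")

# Hypothetical routing table: function-name prefix -> component to notify.
COMPONENTS = {"js::Debugger::": "Debugger", "js::gc::": "GC",
              "JSCompartment::sweep": "GC", "js::jit::": "JIT"}

def parse_frames(text):
    """Return one dict per line that parses as a gdb frame, in stack order."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(m.groupdict())
    return frames

def triage(text):
    """First-pass crash summary: where it faulted, what was null, who owns it."""
    frames = parse_frames(text)
    if not frames:
        raise ValueError("no gdb frames found")
    top = frames[0]
    owners = {c for f in frames for p, c in COMPONENTS.items()
              if f["func"].startswith(p)}
    return {
        "faulting_function": top["func"],
        "location": top["loc"],
        # A null argument in the faulting frame is the first hint of a plain
        # null dereference rather than memory corruption.
        "null_args": NULL_ARG_RE.findall(top["args"]),
        "components": sorted(owners),
        # js::DestroyContext under the GC frames means a shutdown GC triggered it.
        "shutdown_gc": any(f["func"] == "js::DestroyContext" for f in frames),
    }
```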
Attached file Testcase
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Since this has Debugger in the stack, setting needinfo? from :fitzgen and CC'ing Shu-yu and :jimb.
Flags: needinfo?(nfitzgerald)
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Attached file stack
// Randomly chosen test: js/src/tests/js1_7/geniter/regress-349331.js
// -- reduced away --
// Randomly chosen test: js/src/jit-test/tests/debug/bug1106719.js
g = newGlobal()
g.parent = this
g.eval("Debugger(parent).onExceptionUnwind=(function(){})");
gcparam("maxBytes", gcparam("gcBytes") + 1);
// Randomly chosen test: js/src/tests/ecma/Statements/12.7-1-n.js
// -- reduced away --
// jsfunfuzz
function MersenneTwister19937() {
  const MAG01 = new Int32Array([0, 2567483615])
  var testingFunctions = Random.weighted([{ v: function(d, b) {} }, { v: function(d, b) {} }, ])
  return { enableGCZeal: enableGCZeal };
}
var iterableExprMakers = Random.weighted([{ v: function(d, b) {} }, { v: makeArrayLiteral }, { v: function(d, b) {} }, { v: makeFunction }, { v: makeExpr }, ])
var regexCharacterMakers = Random.weighted([{ v: function() {} }, { v: function() {} }, { v: function() {} }, { v: function() {} }, { v: function() {} }, { v: function() {} }, { v: function() {} }, { v: function() {} }, { v: function() {} }, { v: function() {} }, { v: function() {} }, { v: function() {} }, { v: function() {} }, { v: function() {} }, ])
(function setUpBuilderStuff() {
  ([{ v: function(d, b) {} }, { v: function(d, b) {} }, { v: function(d, b) {} }, { v: function(d, b) {} }, { v: function(d, b) {} }, { v: function(d, b) {} }, { v: function(d, b) {} }, { v: function(d, b) {} }, { v: function(d, b) {} }, { v: function(d, b) {} }, { v: function(d, b) { return m("at") + "[" + arrayIndex(d, b) + "]" + ";"; } }, { v: function(d, b) {} }, { v: function(d, b) {} }, { v: function(d, b) {} }, { v: function(d, b) {} }, { v: function(d, b) {} }, { v: makeStatement }, { v: initializeEverything }, ]);
}());
var compareAsm = function() { return { compareBinaryFunctions: compareBinaryFunctions }; }();

crashes js debug shell on m-i rev 9f63a47fc181 with --fuzzing-safe --ion-eager --no-threads at JSCompartment::maybeGlobal with js::Debugger::removeDebuggeeGlobal on the stack.

This occasionally causes Assertion failure: hasScript(), at jsfun.h to appear.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-inbound/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Crash Signature: [@ ScriptFromCalleeToken] → [@ ScriptFromCalleeToken] [@ js::Debugger::removeDebuggeeGlobal]
Keywords: assertion
Summary: Crash [@ ScriptFromCalleeToken] with OOM → Crash [@ ScriptFromCalleeToken] or [@ js::Debugger::removeDebuggeeGlobal] or Assertion failure: hasScript(), with OOM
You haven't bisected this back to me, but you will. This is fixed by the patch in bug 1109328.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(nfitzgerald)
Resolution: --- → DUPLICATE