Closed
Bug 1109607
Opened 10 years ago
Closed 10 years ago
Crash [@ ScriptFromCalleeToken] or [@ js::Debugger::removeDebuggeeGlobal] or Assertion failure: hasScript(), with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1109328
| Tracking | Status
---|---|---
firefox37 | --- | affected
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision d7c76fe69e9a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --ion-offthread-compile=off main.js):
See attachment.
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
ScriptFromCalleeToken (token=0x0) at js/src/jit/JitFrames.h:81
81 return CalleeTokenToFunction(token)->nonLazyScript();
#0 ScriptFromCalleeToken (token=0x0) at js/src/jit/JitFrames.h:81
#1 js::jit::BaselineFrame::script (this=0x7fffffffd1b0) at js/src/jit/BaselineFrame.h:155
#2 0x0000000000a385c1 in js::Debugger::removeDebuggeeGlobal (this=0x1b07a10, fop=0x7fffffffe1b0, global=(js::GlobalObject *) 0x7ffff695e060 [object global] delegate, debugEnum=0x0) at js/src/vm/Debugger.cpp:3027
#3 0x0000000000a38c45 in js::Debugger::detachAllDebuggersFromGlobal (fop=0x7fffffffe1b0, global=(js::GlobalObject *) 0x7ffff695e060 [object global] delegate) at js/src/vm/Debugger.cpp:2303
#4 0x00000000008bd306 in JSCompartment::sweepGlobalObject (this=0x1af5690, fop=0x7fffffffe1b0) at js/src/jscompartment.cpp:575
#5 0x000000000095b3c0 in js::gc::GCRuntime::beginSweepingZoneGroup (this=0x19e9480) at js/src/jsgc.cpp:5088
#6 0x000000000095eac5 in js::gc::GCRuntime::beginSweepPhase (this=0x19e9480, lastGC=<optimized out>) at js/src/jsgc.cpp:5257
#7 0x000000000095f27c in js::gc::GCRuntime::incrementalCollectSlice (this=0x19e9480, budget=..., reason=<optimized out>) at js/src/jsgc.cpp:5960
#8 0x000000000095fe6e in js::gc::GCRuntime::gcCycle (this=0x19e9480, incremental=<optimized out>, budget=..., gckind=js::GC_NORMAL, reason=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6170
#9 0x00000000009601ab in js::gc::GCRuntime::collect (this=0x19e9480, incremental=false, budget=..., gckind=js::GC_NORMAL, reason=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6297
#10 0x0000000000960d9a in js::gc::GCRuntime::gc (this=0x19e9480, gckind=js::GC_NORMAL, reason=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6343
#11 0x00000000008b2592 in js::DestroyContext (cx=0x1a0d320, mode=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:261
#12 0x0000000000424413 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6029
rax 0x0 0
rbx 0x1b07a10 28342800
rcx 0x1b07ae8 28343016
rdx 0x0 0
rsi 0x3 3
rdi 0x7fffffffd1b0 140737488343472
rbp 0x7fffffffe030 140737488347184
rsp 0x7fffffffe020 140737488347168
r8 0x6086e59a 1619453338
r9 0xc 12
r10 0x7 7
r11 0x0 0
r12 0x7fffffffe1b0 140737488347568
r13 0x7ffff698c100 140737330594048
r14 0x0 0
r15 0x1b07a30 28342832
rip 0x51ffb4 <js::jit::BaselineFrame::script() const+52>
=> 0x51ffb4 <js::jit::BaselineFrame::script() const+52>: testb $0x1,0x22(%rax)
0x51ffb8 <js::jit::BaselineFrame::script() const+56>: je 0x52004b <js::jit::BaselineFrame::script() const+203>
Reporter
Comment 1•10 years ago
Reporter
Updated•10 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Reporter
Comment 2•10 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 3•10 years ago
Since this has Debugger in the stack, setting needinfo? from :fitzgen and CC'ing Shu-yu and :jimb.
Flags: needinfo?(nfitzgerald)
Reporter
Updated•10 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 4•10 years ago
// Randomly chosen test: js/src/tests/js1_7/geniter/regress-349331.js
// -- reduced away --
// Randomly chosen test: js/src/jit-test/tests/debug/bug1106719.js
g = newGlobal()
g.parent = this
g.eval("Debugger(parent).onExceptionUnwind=(function(){})");
gcparam("maxBytes", gcparam("gcBytes") + 1);
// Randomly chosen test: js/src/tests/ecma/Statements/12.7-1-n.js
// -- reduced away --
// jsfunfuzz
function MersenneTwister19937() {
const MAG01 = new Int32Array([0, 2567483615])
var testingFunctions = Random.weighted([{
v: function(d, b) {}
}, {
v: function(d, b) {}
},
])
return {
enableGCZeal: enableGCZeal
};
}
var iterableExprMakers = Random.weighted([{
v: function(d, b) {}
}, {
v: makeArrayLiteral
}, {
v: function(d, b) {}
}, {
v: makeFunction
}, {
v: makeExpr
},
])
var regexCharacterMakers = Random.weighted([{
v: function() {}
}, {
v: function() {}
}, {
v: function() {}
}, {
v: function() {}
}, {
v: function() {}
}, {
v: function() {}
}, {
v: function() {}
}, {
v: function() {}
}, {
v: function() {}
}, {
v: function() {}
}, {
v: function() {}
}, {
v: function() {}
}, {
v: function() {}
}, {
v: function() {}
},
])
(function setUpBuilderStuff() {
([{
v: function(d, b) {}
}, {
v: function(d, b) {}
}, {
v: function(d, b) {}
}, {
v: function(d, b) {}
}, {
v: function(d, b) {}
}, {
v: function(d, b) {}
}, {
v: function(d, b) {}
}, {
v: function(d, b) {}
}, {
v: function(d, b) {}
}, {
v: function(d, b) {}
}, {
v: function(d, b) {
return m("at") + "[" + arrayIndex(d, b) + "]" + ";";
}
}, {
v: function(d, b) {}
}, {
v: function(d, b) {}
}, {
v: function(d, b) {}
}, {
v: function(d, b) {}
}, {
v: function(d, b) {}
}, {
v: makeStatement
}, {
v: initializeEverything
},
]);
}());
var compareAsm = function() {
return {
compareBinaryFunctions: compareBinaryFunctions
};
}();
crashes js debug shell on m-i rev 9f63a47fc181 with --fuzzing-safe --ion-eager --no-threads at JSCompartment::maybeGlobal with js::Debugger::removeDebuggeeGlobal on the stack.
This occasionally causes Assertion failure: hasScript(), at jsfun.h to appear.
Debug configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-inbound/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Updated•10 years ago
Crash Signature: [@ ScriptFromCalleeToken] → [@ ScriptFromCalleeToken] [@ js::Debugger::removeDebuggeeGlobal]
Keywords: assertion
Summary: Crash [@ ScriptFromCalleeToken] with OOM → Crash [@ ScriptFromCalleeToken] or [@ js::Debugger::removeDebuggeeGlobal] or Assertion failure: hasScript(), with OOM
Comment 5•10 years ago
You haven't bisected this back to me, but you will.
This is fixed by the patch in bug 1109328.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(nfitzgerald)
Resolution: --- → DUPLICATE