Bug 1109915
Opened 10 years ago
Closed 10 years ago
Crash [@ functionNonDelazifying] with Debugger
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
mozilla37
People
(Reporter: decoder, Assigned: shu)
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:])
Attachments
(1 file)
5.01 KB, patch — reviewed by luke: review+
The following testcase crashes on mozilla-central revision d7c76fe69e9a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --no-threads --fuzzing-safe --ion-eager): var evalInFrame = (function (global) { var dbgGlobal = newGlobal(); var dbg = new dbgGlobal.Debugger(); return function evalInFrame(upCount, code) { dbg.addDebuggee(global); var frame = dbg.getNewestFrame().older; var completion = frame.eval(code); }; })(this); function g1(x, args) {} function f1(x, y, o) { for (var i=0; i<50; i++) { o.apply(evalInFrame(0, "x"), x); } } var o1 = {apply: g1}; assertEq(f1(3, 5, o1), 3630); Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x0000000000ac0064 in functionNonDelazifying (this=0x7fff00000004) at js/src/jsscript.h:1440 1440 return function_; #0 0x0000000000ac0064 in functionNonDelazifying (this=0x7fff00000004) at js/src/jsscript.h:1440 #1 isFunctionFrame (this=<optimized out>) at js/src/jit/RematerializedFrame.h:122 #2 maybeFun (this=0x1b0ac60) at js/src/jit/RematerializedFrame.h:140 #3 numFormalArgs (this=0x1b0ac60) at js/src/jit/RematerializedFrame.h:153 #4 unaliasedFormal (checkAliasing=js::DONT_CHECK_ALIASING, this=0x1b0ac60, i=0) at js/src/jit/RematerializedFrame.h:171 #5 js::AbstractFramePtr::unaliasedFormal (this=<optimized out>, i=0, checkAliasing=js::DONT_CHECK_ALIASING) at js/src/vm/Stack-inl.h:512 #6 0x0000000000aed06e in (anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess (cx=0x1a07150, debugScope=(js::DebugScopeObject * const) 0x7ffff7e5f140 [object Proxy], scope=..., id=..., action=(anonymous namespace)::DebugScopeProxy::GET, vp=JSVAL_VOID, accessResult=0x7fffffff8f90, this=<optimized out>) at js/src/vm/ScopeObject.cpp:1417 #7 0x0000000000aed724 in (anonymous namespace)::DebugScopeProxy::get (this=<optimized out>, cx=0x1a07150, proxy=<error reading variable: Cannot access memory at address 0x7fff00000004>, receiver=..., id=$jsid("x"), vp=JSVAL_VOID) at 
js/src/vm/ScopeObject.cpp:1627 #8 0x00000000009ed259 in js::Proxy::get (cx=0x1a07150, proxy=(JSObject * const) 0x7ffff7e5f140 [object Proxy], receiver=(JSObject * const) 0x7ffff7e5f140 [object Proxy], id=$jsid("x"), vp=JSVAL_VOID) at js/src/proxy/Proxy.cpp:299 #9 0x0000000000475e9f in JSObject::getGeneric (cx=0x1a07150, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1410 #10 0x000000000079486c in js::FetchName<false> (cx=0x1a07150, obj=(JSObject * const) 0x7ffff7e5f140 [object Proxy], obj2=(JSObject * const) 0x7ffff7e5f140 [object Proxy], name="x", shape=..., vp=JSVAL_VOID) at js/src/vm/Interpreter-inl.h:243 #11 0x0000000000a66783 in NameOperation (vp=JSVAL_VOID, pc=0x1b11829 ";", fp=<optimized out>, cx=0x1a07150) at js/src/vm/Interpreter.cpp:305 #12 Interpret (cx=0x1a07150, state=...) at js/src/vm/Interpreter.cpp:2651 #13 0x0000000000a6ced7 in js::RunScript (cx=0x1a07150, state=...) at js/src/vm/Interpreter.cpp:434 #14 0x0000000000a6d282 in js::ExecuteKernel (cx=0x1a07150, script=..., scopeChainArg=(JSObject &) @0x7ffff7e5f140 [object Proxy], thisv=..., type=<optimized out>, evalInFrame=..., result=0x7fffffffa240) at js/src/vm/Interpreter.cpp:643 #15 0x0000000000a6d894 in js::EvaluateInEnv (cx=0x1a07150, env=(JSObject * const) 0x7ffff7e5f140 [object Proxy], thisv=$jsval((JSObject *) 0x7ffff7e5e060 [object global] delegate), frame=..., chars=..., filename=<optimized out>, lineno=<optimized out>, rval=JSVAL_VOID) at js/src/vm/Debugger.cpp:5639 #16 0x0000000000a81f12 in DebuggerGenericEval (cx=0x1a07150, fullMethodName=<optimized out>, code=..., evalWithBindings=EvalWithDefaultBindings, bindings=..., options=JSVAL_VOID, vp=$jsval((JSObject *) 0x7ffff7e85880 [object Function "eval"]), dbg=0x1b0d360, scope=0x0, iter=0x7fffffffa4c8) at js/src/vm/Debugger.cpp:5776 #17 0x0000000000a82a56 in DebuggerFrame_eval (cx=0x1a07150, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:5790 #18 0x0000000000a8c4a5 in js::CallJSNative (cx=0x1a07150, 
native=0xa827a0 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:231 #19 0x0000000000a6db47 in js::Invoke (cx=0x1a07150, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:484 #20 0x0000000000a6ef9d in js::Invoke (cx=0x1a07150, thisv=..., fval=..., argc=<optimized out>, argv=0x7fffffffbad8, rval=$jsval((JSObject *) 0x7ffff7e85880 [object Function "eval"])) at js/src/vm/Interpreter.cpp:540 #21 0x00000000009ec12e in js::DirectProxyHandler::call (this=<optimized out>, cx=0x1a07150, proxy=(JSObject * const) 0x7ffff7e5f120 [object Proxy], args=...) at js/src/proxy/DirectProxyHandler.cpp:75 #22 0x00000000009ec2a5 in js::CrossCompartmentWrapper::call (this=0x19bc540, cx=0x1a07150, wrapper=(JSObject * const) 0x7ffff7e5f120 [object Proxy], args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:296 #23 0x00000000009ea57f in js::Proxy::call (cx=0x1a07150, proxy=(JSObject * const) 0x7ffff7e5f120 [object Proxy], args=...) at js/src/proxy/Proxy.cpp:430 #24 0x00000000009ea66a in js::proxy_Call (cx=0x1a07150, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:812 #25 0x0000000000a8c4a5 in js::CallJSNative (cx=0x1a07150, native=0x9ea600 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:231 #26 0x0000000000a6ddec in js::Invoke (cx=0x1a07150, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:477 #27 0x0000000000a6ef9d in js::Invoke (cx=0x1a07150, thisv=..., fval=..., argc=<optimized out>, argv=0x7fffffffbf10, rval=JSVAL_VOID) at js/src/vm/Interpreter.cpp:540 #28 0x00000000006a868f in js::jit::DoCallFallback (cx=0x7fffffffbec0, frame=0x7fffffffbf60, stub_=<optimized out>, argc=1, vp=0x7fffffffbf00, res=JSVAL_VOID) at js/src/jit/BaselineIC.cpp:9444 #29 0x00007ffff7f754ad in ?? () #30 0xfffc7fff00000000 in ?? () #31 0x00007fffffffbeb8 in ?? () #32 0x0000000000000000 in ?? 
() rax 0x1b0ac60 28355680 rbx 0x0 0 rcx 0x7ffff7dd52c0 140737351865024 rdx 0x7fff00000004 140733193388036 rsi 0x0 0 rdi 0x7fffffff8eb0 140737488326320 rbp 0x7fffffff8e30 140737488326192 rsp 0x7fffffff8e20 140737488326176 r8 0x3 3 r9 0x4 4 r10 0x1 1 r11 0x0 0 r12 0x0 0 r13 0x7fffffff8eb0 140737488326320 r14 0x0 0 r15 0x0 0 rip 0xac0064 <js::AbstractFramePtr::unaliasedFormal(unsigned int, js::MaybeCheckAliasing)+36> => 0xac0064 <js::AbstractFramePtr::unaliasedFormal(unsigned int, js::MaybeCheckAliasing)+36>: mov 0x58(%rdx),%rdx 0xac0068 <js::AbstractFramePtr::unaliasedFormal(unsigned int, js::MaybeCheckAliasing)+40>: test %rdx,%rdx

Reading the crash: the faulting instruction `mov 0x58(%rdx),%rdx` loads a field through the pointer in rdx, and rdx holds 0x7fff00000004 — the same bogus `this` that frame #0 reports for functionNonDelazifying, i.e. the JSScript* the RematerializedFrame hands back. That value is not a plausible heap pointer (it looks like a stack-address upper half glued to a small integer), so this is a wild read through a garbage script pointer rather than a NULL dereference. The read happens when Debugger.Frame.prototype.eval evaluates `x` in the older frame (frames #6–#17) and DebugScopeProxy fetches the formal via AbstractFramePtr::unaliasedFormal on a RematerializedFrame, presumably the Debugger's view of the Ion-compiled f1 frame given --ion-eager. Where the bad pointer originates is not visible from this trace; note also that the path requires the Debugger API, which is not exposed to ordinary web content, so the practical exposure is to privileged/devtools code and fuzzing harnesses rather than arbitrary pages.
Comment 2•10 years ago
Attachment #8534713 -
Flags: review?(luke)
Updated•10 years ago
Attachment #8534713 -
Flags: review?(luke) → review+
Updated•10 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 3•10 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated•10 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 4•10 years ago
https://hg.mozilla.org/mozilla-central/rev/90da6425dc9d
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Comment 5•10 years ago
Fixed for Fx36 by the roll-up in bug 1114757.