Closed
Bug 1114571
Opened 9 years ago
Closed 9 years ago
Crash [@ storeBuffer]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 1113940
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:ignore])
Crash Data
The following testcase crashes on mozilla-central revision 490f124d7dea (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-debug --enable-gccompacting, run with --fuzzing-safe --thread-count=2 --baseline-eager --ion-eager --ion-offthread-compile=off):

x = true;
setObjectMetadataCallback(function([x, y, z], ... Debugger) {});
for (var i = 0; i < 10; ++i) {
  var f = function() {
    function g() {
      x++;
    }
    g();
  }
  f();
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
storeBuffer (this=0xe) at js/src/gc/Heap.h:1241
1241 return chunk()->info.trailer.storeBuffer;
#0 storeBuffer (this=0xe) at js/src/gc/Heap.h:1241
#1 post (target=..., slot=0, kind=js::HeapSlot::Slot, owner=0xf6600258, this=0xf66002e8) at js/src/gc/Barrier.h:904
#2 set (v=..., slot=0, kind=js::HeapSlot::Slot, owner=0xf6600258, this=0xf66002e8) at js/src/gc/Barrier.h:883
#3 js::NativeObject::setSlot (this=0xf6600258, slot=0, value=...) at js/src/vm/NativeObject.h:794
#4 0x08497ebd in setSlotWithType (overwriting=false, value=..., shape=0xf61568c8, cx=0x9346a40, this=0xf6600258) at js/src/vm/NativeObject-inl.h:364
#5 UpdateShapeTypeAndValue<(js::ExecutionMode)0> (cx=cx@entry=0x9346a40, obj=0xf6600258, shape=0xf61568c8, value=...) at js/src/vm/NativeObject.cpp:1154
#6 0x084b3eaf in DefinePropertyOrElement<(js::ExecutionMode)0> (cx=cx@entry=0x9346a40, obj=obj@entry=..., id=id@entry=..., getter=0x0, setter=0x0, attrs=0, value=value@entry=..., callSetterAfterwards=callSetterAfterwards@entry=false, setterIsStrict=setterIsStrict@entry=false) at js/src/vm/NativeObject.cpp:1270
#7 0x084b4784 in js::DefineNativeProperty (cx=0x9346a40, obj=..., id=..., value=..., getter=0x0, setter=0x0, attrs=<optimized out>) at js/src/vm/NativeObject.cpp:1559
#8 0x084b5815 in js::baseops::DefineGeneric (cx=cx@entry=0x9346a40, obj=obj@entry=..., id=id@entry=..., value=value@entry=..., getter=getter@entry=0x0, setter=setter@entry=0x0, attrs=attrs@entry=0) at js/src/vm/NativeObject.cpp:1625
#9 0x083c85dc in JSObject::defineGeneric (cx=0x9346a40, obj=obj@entry=..., id=id@entry=..., value=value@entry=..., getter=0x0, setter=setter@entry=0x0, attrs=attrs@entry=0) at js/src/jsobj.cpp:2902
#10 0x0837abb3 in DefinePropertyById (cx=cx@entry=0x9346a40, obj=obj@entry=..., id=id@entry=..., value=value@entry=..., get=..., set=..., attrs=attrs@entry=0, flags=0) at js/src/jsapi.cpp:2464
#11 0x0837af6e in JS_DefinePropertyById (cx=cx@entry=0x9346a40, obj=obj@entry=..., id=id@entry=..., valueArg=valueArg@entry=..., attrs=attrs@entry=0, getter=0x8366d60 <JS_PropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>)>, setter=0x8366d70 <JS_StrictPropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>)>) at js/src/jsapi.cpp:2483
#12 0x080af6a2 in ShellObjectMetadataCallback (cx=0x9346a40, pmetadata=0xffffc9ac) at js/src/builtin/TestingFunctions.cpp:1227
#13 0x0841058a in callObjectMetadataCallback (this=<optimized out>, obj=0xffffc9ac, cx=0x9346a40) at js/src/jscompartment.h:421
#14 NewObjectMetadata (pmetadata=0xffffc9ac, cxArg=0x9346a40) at js/src/jsobjinlines.h:862
#15 NewObject (cx=cx@entry=0x9346a40, type_=<optimized out>, parent=0xf6146040, kind=kind@entry=js::gc::FINALIZE_OBJECT2_BACKGROUND, newKind=newKind@entry=js::GenericObject) at js/src/jsobj.cpp:1294
#16 0x084121db in js::NewObjectWithClassProtoCommon (cxArg=cxArg@entry=0x9346a40, clasp=clasp@entry=0x9313900 <JSFunction::class_>, protoArg=<optimized out>, protoArg@entry=0x0, parentArg=0xf6146040, allocKind=allocKind@entry=js::gc::FINALIZE_OBJECT2_BACKGROUND, newKind=newKind@entry=js::GenericObject) at js/src/jsobj.cpp:1504
#17 0x0841ebdc in NewObjectWithClassProto (newKind=js::GenericObject, allocKind=js::gc::FINALIZE_OBJECT2_BACKGROUND, parent=<optimized out>, proto=0x0, clasp=0x9313900 <JSFunction::class_>, cx=0x9346a40) at js/src/jsobjinlines.h:682
#18 js::CloneFunctionObject (cx=cx@entry=0x9346a40, fun=fun@entry=..., parent=parent@entry=..., allocKind=js::gc::FINALIZE_OBJECT2_BACKGROUND, newKindArg=newKindArg@entry=js::GenericObject) at js/src/jsfun.cpp:2030
#19 0x084a0897 in CloneFunctionObjectIfNotSingleton (newKind=js::GenericObject, parent=..., fun=..., cx=0x9346a40) at js/src/jsfuninlines.h:85
#20 js::Lambda (cx=cx@entry=0x9346a40, fun=fun@entry=..., parent=parent@entry=...) at js/src/vm/Interpreter.cpp:3626
#21 0x082f59dc in js::jit::RLambda::recover (this=0xffffcc30, cx=0x9346a40, iter=...) at js/src/jit/Recover.cpp:1239
#22 0x082b2fe2 in js::jit::SnapshotIterator::computeInstructionResults (this=this@entry=0xffffccfc, cx=cx@entry=0x9346a40, results=results@entry=0xffffd440) at js/src/jit/JitFrames.cpp:2133
#23 0x082b343e in js::jit::SnapshotIterator::initInstructionResults (this=this@entry=0xffffd044, fallback=...) at js/src/jit/JitFrames.cpp:2091
#24 0x081fde05 in init (cx=0x9346a40, this=0xffffd044) at js/src/jit/BaselineBailouts.cpp:414
#25 js::jit::BailoutIonToBaseline (cx=cx@entry=0x9346a40, activation=0xffffd404, iter=..., invalidate=invalidate@entry=false, bailoutInfo=bailoutInfo@entry=0xffffd260, excInfo=excInfo@entry=0x0, poppedLastSPSFrameOut=poppedLastSPSFrameOut@entry=0xffffd120) at js/src/jit/BaselineBailouts.cpp:1459
#26 0x081775a4 in js::jit::Bailout (sp=0xffffd264, bailoutInfo=0xffffd260) at js/src/jit/Bailouts.cpp:54
#27 0xf7fc8310 in ?? ()

eax 0x0 0
ebx 0x931cff4 154259444
ecx 0x9346a50 154430032
edx 0xffffff88 -120
esi 0xf66002e8 -161479960
edi 0xf6600258 -161480104
ebp 0xffffff82 4294967170
esp 0xffffc410 4294951952
eip 0x81147cf <js::NativeObject::setSlot(unsigned int, JS::Value const&)+239>
=> 0x81147cf <js::NativeObject::setSlot(unsigned int, JS::Value const&)+239>: mov 0xffff8(%eax),%esi
0x81147d5 <js::NativeObject::setSlot(unsigned int, JS::Value const&)+245>: test %esi,%esi

Not s-s because compacting GC is not enabled yet in any builds.
Reporter
Comment 1 • 9 years ago
This isn't actually a GGC bug, it's just that the signature is distinct on GGC builds. This is a duplicate of bug 1113940.
No longer blocks: 1101585
Group: core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Summary: GenerationalGC: Crash [@ storeBuffer] → Crash [@ storeBuffer]
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release