Closed
Bug 1118878
Opened 9 years ago
Closed 9 years ago
Assertion failure: *thingp, at js/src/gc/Marking.cpp:161 or Crash [@ AutoCompartment] with Debugger
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1029963
| Tracking | Status | |
|---|---|---|
| firefox37 | --- | affected |
People
(Reporter: decoder, Assigned: shu)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Crash Data
The following testcase crashes on mozilla-central revision 33781a3a5201 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):
var evalInFrame = (function (global) {
var dbgGlobal = newGlobal();
var dbg = new dbgGlobal.Debugger();
return function evalInFrame(upCount, code) {
dbg.addDebuggee(global);
var frame = dbg.getNewestFrame().older;
var completion = frame.eval(code);
};
})(this);
evaluate("for (var k in 'xxx') (function g() { evalInFrame((0), (''), true); })();", { noScriptRval : true, compileAndGo : true });
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
AutoCompartment (target=0x0, cx=0x9371a98, this=0xffffae24) at js/src/jscompartmentinlines.h:41
41 cx_->enterCompartment(target->compartment());
#0 AutoCompartment (target=0x0, cx=0x9371a98, this=0xffffae24) at js/src/jscompartmentinlines.h:41
#1 emplace<JSContext*&, JSObject*> (this=0xffffae20, t1=<optimized out>, t2=<optimized out>) at ../../dist/include/mozilla/Maybe.h:447
#2 DebuggerGenericEval (cx=0x9371a98, fullMethodName=<optimized out>, code=..., evalWithBindings=EvalWithDefaultBindings, bindings=..., options=..., vp=..., dbg=0x9422a50, scope=..., iter=0xffffaea4) at js/src/vm/Debugger.cpp:6010
#3 0x085245a3 in DebuggerFrame_eval (cx=0x9371a98, argc=1, vp=0xffffb3ac) at js/src/vm/Debugger.cpp:6079
#4 0x085157ae in CallJSNative (args=..., native=0x8524270 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, cx=0x9371a98) at js/src/jscntxtinlines.h:231
#5 js::Invoke (cx=0x9371a98, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:502
#6 0x085165d1 in js::Invoke (cx=0x9371a98, thisv=..., fval=..., argc=1, argv=0xffffb84c, rval=...) at js/src/vm/Interpreter.cpp:558
#7 0x084af543 in js::DirectProxyHandler::call (this=0x932ab38 <js::CrossCompartmentWrapper::singleton>, cx=0x9371a98, proxy=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:79
#8 0x084befc4 in js::CrossCompartmentWrapper::call (this=0x932ab38 <js::CrossCompartmentWrapper::singleton>, cx=0x9371a98, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:286
#9 0x084bc712 in call (args=..., proxy=..., cx=0x9371a98) at js/src/proxy/Proxy.cpp:401
#10 js::proxy_Call (cx=0x9371a98, argc=1, vp=0xffffb83c) at js/src/proxy/Proxy.cpp:792
#11 0x08515931 in CallJSNative (args=..., native=0x84bc660 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, cx=0x9371a98) at js/src/jscntxtinlines.h:231
#12 js::Invoke (cx=0x9371a98, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495
#13 0x085165d1 in js::Invoke (cx=0x9371a98, thisv=..., fval=..., argc=1, argv=0xffffba5c, rval=...) at js/src/vm/Interpreter.cpp:558
#14 0x0823c3d0 in js::jit::DoCallFallback (cx=0x9371a98, frame=0xffffba9c, stub_=0x942e070, argc=1, vp=0xffffba4c, res=...) at js/src/jit/BaselineIC.cpp:9497
#15 0xf6737e3f in ?? ()
#16 0x0942e070 in ?? ()
#17 0xf673bb1c in ?? ()
#18 0x0942d5c8 in ?? ()
#19 0xf673bb1c in ?? ()
#20 0x09422db8 in ?? ()
#21 0xf673386c in ?? ()
eax 0x0 0
ebx 0x9329ff4 154312692
ecx 0x9371acc 154606284
edx 0x941d8e8 155310312
esi 0xffffaea4 -20828
edi 0x9371a98 154606232
ebp 0x9422a50 155331152
esp 0xffffac80 4294945920
eip 0x85231cb <DebuggerGenericEval(JSContext*, char const*, JS::Value const&, EvalBindings, JS::HandleValue, JS::HandleValue, JS::MutableHandleValue, js::Debugger*, JS::HandleObject, js::ScriptFrameIter*)+427>
=> 0x85231cb <DebuggerGenericEval(JSContext*, char const*, JS::Value const&, EvalBindings, JS::HandleValue, JS::HandleValue, JS::MutableHandleValue, js::Debugger*, JS::HandleObject, js::ScriptFrameIter*)+427>: mov (%eax),%eax
0x85231cd <DebuggerGenericEval(JSContext*, char const*, JS::Value const&, EvalBindings, JS::HandleValue, JS::HandleValue, JS::MutableHandleValue, js::Debugger*, JS::HandleObject, js::ScriptFrameIter*)+429>: mov (%eax),%eax
|
Reporter | |
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 1•9 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/a50d660f09da user: Nicolas B. Pierron date: Fri Dec 19 15:28:30 2014 +0100 summary: Bug 1073033 part 3 - Recover MLambda on bailouts. r=shu This iteration took 554.496 seconds to run.
|
Assignee | |
Comment 2•9 years ago
|
||
This is due to not being able to recover slots in RematerializedFrame. Patches coming up.
|
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → shu
|
|
Assignee | |
Comment 3•9 years ago
|
||
On second thought, gonna dup this.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•