Closed
Bug 1123699
Opened 9 years ago
Closed 9 years ago
Crash [@ js::LazyScript::source]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox38 | --- | affected |
People
(Reporter: decoder, Assigned: jimb)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,ignore])
Crash Data
The following testcase crashes on mozilla-central revision c1c6840d9255 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager):
function foo() {
function f(a) { var p = function() { ++a; }}
assertEq(findReferences(Object.getPrototypeOf(Array)), true);
} foo();
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
js::LazyScript::source (this=<optimized out>) at js/src/jsscript.h:2055
2055 return sourceObject()->source();
#0 js::LazyScript::source (this=<optimized out>) at js/src/jsscript.h:2055
#1 0x00000000008f5c20 in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x19ea680, fun=...) at js/src/jsfun.cpp:1484
#2 0x000000000041dcde in JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/shell/../jsfun.h:291
#3 0x00000000008f6440 in js::FunctionToString (cx=0x19ea680, fun=..., bodyOnly=false, lambdaParen=false) at js/src/jsfun.cpp:1016
#4 0x00000000008f6ec6 in fun_toStringHelper (cx=<optimized out>, obj=..., indent=<optimized out>) at js/src/jsfun.cpp:1200
#5 0x00000000008f701b in fun_toSource (cx=0x19ea680, argc=<optimized out>, vp=0x7fffffff97a8) at js/src/jsfun.cpp:1239
#6 0x0000000000a8562a in js::CallJSNative (cx=0x19ea680, native=0x8f6f00 <fun_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:226
#7 0x0000000000a73c33 in js::Invoke (cx=0x19ea680, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#8 0x0000000000a75166 in js::Invoke (cx=<optimized out>, thisv=..., fval=..., argc=<optimized out>, argv=0x0, rval=JSVAL_VOID) at js/src/vm/Interpreter.cpp:554
#9 0x000000000095e9f2 in js::ValueToSource (cx=0x19ea680, v=...) at js/src/jsstr.cpp:4269
#10 0x0000000000465dfb in array_toSource (cx=0x19ea680, vp=0x7fffffffa2c8, argc=<optimized out>) at js/src/jsarray.cpp:912
#11 0x0000000000a8562a in js::CallJSNative (cx=0x19ea680, native=0x465e80 <array_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:226
#12 0x0000000000a73c33 in js::Invoke (cx=0x19ea680, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#13 0x0000000000a75166 in js::Invoke (cx=<optimized out>, thisv=..., fval=..., argc=<optimized out>, argv=0x0, rval=JSVAL_VOID) at js/src/vm/Interpreter.cpp:554
#14 0x000000000095e9f2 in js::ValueToSource (cx=0x19ea680, v=...) at js/src/jsstr.cpp:4269
#15 0x00000000004bb9a9 in js::ObjectToSource (cx=0x19ea680, obj=...) at js/src/builtin/Object.cpp:264
#16 0x00000000004bc626 in obj_toSource (cx=0x19ea680, argc=<optimized out>, vp=0x7fffffffb148) at js/src/builtin/Object.cpp:117
#17 0x0000000000a8562a in js::CallJSNative (cx=0x19ea680, native=0x4bc590 <obj_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:226
#18 0x0000000000a73c33 in js::Invoke (cx=0x19ea680, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#19 0x0000000000a75166 in js::Invoke (cx=<optimized out>, thisv=..., fval=..., argc=<optimized out>, argv=0x0, rval=JSVAL_VOID) at js/src/vm/Interpreter.cpp:554
#20 0x000000000095e9f2 in js::ValueToSource (cx=0x19ea680, v=...) at js/src/jsstr.cpp:4269
#21 0x00000000008a4939 in JS_ValueToSource (cx=0x19ea680, value=$jsval((JSObject *) 0x7ffff565c080 [object Object])) at js/src/jsapi.cpp:446
#22 0x0000000000407892 in ToSource (cx=0x19ea680, vp=..., bytes=0x7fffffffb420) at js/src/shell/js.cpp:1844
#23 0x000000000040a005 in AssertEq (cx=0x19ea680, argc=2, vp=0x7fffffffbbb8) at js/src/shell/js.cpp:1874
#24 0x0000000000a8562a in js::CallJSNative (cx=0x19ea680, native=0x409f20 <AssertEq(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:226
#25 0x0000000000a73c33 in js::Invoke (cx=0x19ea680, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#26 0x0000000000a75166 in js::Invoke (cx=<optimized out>, thisv=..., fval=..., argc=<optimized out>, argv=0x7fffffffbff0, rval=JSVAL_VOID) at js/src/vm/Interpreter.cpp:554
#27 0x00000000006b4782 in js::jit::DoCallFallback (cx=0x7fffffffbfa0, frame=0x7fffffffc048, stub_=<optimized out>, argc=2, vp=0x7fffffffbfe0, res=JSVAL_VOID) at js/src/jit/BaselineIC.cpp:9294
[...]
#54 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x19ea680 27174528
rcx 0xaa71da0d 2859588109
rdx 0x7ffff5673040 140737310568512
rsi 0x1b5 437
rdi 0x7ffff5673040 140737310568512
rbp 0x7fffffff8c70 140737488325744
rsp 0x7fffffff8c70 140737488325744
r8 0x1 1
r9 0x19ea6d0 27174608
r10 0x0 0
r11 0x0 0
r12 0x7fffffff8ca0 140737488325792
r13 0x19c5350 27022160
r14 0x7fffffff8e10 140737488326160
r15 0x7fffffff8cc0 140737488325824
rip 0x90d3d9 <js::LazyScript::source() const+9>
=> 0x90d3d9 <js::LazyScript::source() const+9>: mov 0x8(%rax),%rdx
0x90d3dd <js::LazyScript::source() const+13>: mov (%rdx),%rdx
|
Reporter | |
Updated•9 years ago
|
status-firefox37:
affected → ---
status-firefox38:
--- → affected
|
|
Reporter | |
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 1•9 years ago
|
||
JSBugMon: Bisection requested, result: Due to skipped revisions, the first bad revision could be any of: changeset: https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36 user: Jan de Mooij date: Thu Jul 24 11:56:43 2014 +0200 summary: Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett changeset: https://hg.mozilla.org/mozilla-central/rev/6426fef52f51 user: Jan de Mooij date: Thu Jul 24 11:56:45 2014 +0200 summary: Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium This iteration took 2.369 seconds to run.
This goes back earlier than end-2013 ( https://hg.mozilla.org/mozilla-central/rev/df3c2a1e86d3 ), so setting needinfo? from :jimb and :jorendorff who have fixed previous findReferences bugs (e.g. bug 708261).
Flags: needinfo?(jorendorff)
Flags: needinfo?(jimb)
|
Assignee | |
Comment 3•9 years ago
|
||
As far as security is concerned: findReferences isn't available in the browser. I can reproduce this crash.
Assignee: nobody → jimb
Flags: needinfo?(jimb)
|
|
Reporter | |
Updated•9 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 4•9 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 9dbb2d41bb2c).
|
|
Reporter | |
Comment 5•9 years ago
|
||
Bug 1128603 removed findReferences.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
||
Updated•9 years ago
|
Flags: needinfo?(jorendorff)
You need to log in
before you can comment on or make changes to this bug.
Description
•