Closed
Bug 1123699
Opened 9 years ago
Closed 9 years ago
Crash [@ js::LazyScript::source]
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED FIXED

 | Tracking | Status
---|---|---
firefox38 | --- | affected
People
(Reporter: decoder, Assigned: jimb)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,ignore])
Crash Data
The following testcase crashes on mozilla-central revision c1c6840d9255 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager):

    function foo() {
      function f(a) {
        var p = function() { ++a; }
      }
      assertEq(findReferences(Object.getPrototypeOf(Array)), true);
    }
    foo();

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    js::LazyScript::source (this=<optimized out>) at js/src/jsscript.h:2055
    2055        return sourceObject()->source();
    #0  js::LazyScript::source (this=<optimized out>) at js/src/jsscript.h:2055
    #1  0x00000000008f5c20 in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x19ea680, fun=...) at js/src/jsfun.cpp:1484
    #2  0x000000000041dcde in JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/shell/../jsfun.h:291
    #3  0x00000000008f6440 in js::FunctionToString (cx=0x19ea680, fun=..., bodyOnly=false, lambdaParen=false) at js/src/jsfun.cpp:1016
    #4  0x00000000008f6ec6 in fun_toStringHelper (cx=<optimized out>, obj=..., indent=<optimized out>) at js/src/jsfun.cpp:1200
    #5  0x00000000008f701b in fun_toSource (cx=0x19ea680, argc=<optimized out>, vp=0x7fffffff97a8) at js/src/jsfun.cpp:1239
    #6  0x0000000000a8562a in js::CallJSNative (cx=0x19ea680, native=0x8f6f00 <fun_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:226
    #7  0x0000000000a73c33 in js::Invoke (cx=0x19ea680, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
    #8  0x0000000000a75166 in js::Invoke (cx=<optimized out>, thisv=..., fval=..., argc=<optimized out>, argv=0x0, rval=JSVAL_VOID) at js/src/vm/Interpreter.cpp:554
    #9  0x000000000095e9f2 in js::ValueToSource (cx=0x19ea680, v=...) at js/src/jsstr.cpp:4269
    #10 0x0000000000465dfb in array_toSource (cx=0x19ea680, vp=0x7fffffffa2c8, argc=<optimized out>) at js/src/jsarray.cpp:912
    #11 0x0000000000a8562a in js::CallJSNative (cx=0x19ea680, native=0x465e80 <array_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:226
    #12 0x0000000000a73c33 in js::Invoke (cx=0x19ea680, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
    #13 0x0000000000a75166 in js::Invoke (cx=<optimized out>, thisv=..., fval=..., argc=<optimized out>, argv=0x0, rval=JSVAL_VOID) at js/src/vm/Interpreter.cpp:554
    #14 0x000000000095e9f2 in js::ValueToSource (cx=0x19ea680, v=...) at js/src/jsstr.cpp:4269
    #15 0x00000000004bb9a9 in js::ObjectToSource (cx=0x19ea680, obj=...) at js/src/builtin/Object.cpp:264
    #16 0x00000000004bc626 in obj_toSource (cx=0x19ea680, argc=<optimized out>, vp=0x7fffffffb148) at js/src/builtin/Object.cpp:117
    #17 0x0000000000a8562a in js::CallJSNative (cx=0x19ea680, native=0x4bc590 <obj_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:226
    #18 0x0000000000a73c33 in js::Invoke (cx=0x19ea680, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
    #19 0x0000000000a75166 in js::Invoke (cx=<optimized out>, thisv=..., fval=..., argc=<optimized out>, argv=0x0, rval=JSVAL_VOID) at js/src/vm/Interpreter.cpp:554
    #20 0x000000000095e9f2 in js::ValueToSource (cx=0x19ea680, v=...) at js/src/jsstr.cpp:4269
    #21 0x00000000008a4939 in JS_ValueToSource (cx=0x19ea680, value=$jsval((JSObject *) 0x7ffff565c080 [object Object])) at js/src/jsapi.cpp:446
    #22 0x0000000000407892 in ToSource (cx=0x19ea680, vp=..., bytes=0x7fffffffb420) at js/src/shell/js.cpp:1844
    #23 0x000000000040a005 in AssertEq (cx=0x19ea680, argc=2, vp=0x7fffffffbbb8) at js/src/shell/js.cpp:1874
    #24 0x0000000000a8562a in js::CallJSNative (cx=0x19ea680, native=0x409f20 <AssertEq(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:226
    #25 0x0000000000a73c33 in js::Invoke (cx=0x19ea680, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
    #26 0x0000000000a75166 in js::Invoke (cx=<optimized out>, thisv=..., fval=..., argc=<optimized out>, argv=0x7fffffffbff0, rval=JSVAL_VOID) at js/src/vm/Interpreter.cpp:554
    #27 0x00000000006b4782 in js::jit::DoCallFallback (cx=0x7fffffffbfa0, frame=0x7fffffffc048, stub_=<optimized out>, argc=2, vp=0x7fffffffbfe0, res=JSVAL_VOID) at js/src/jit/BaselineIC.cpp:9294
    [...]
    #54 0x0000000000000000 in ?? ()

Registers:

    rax 0x0             0
    rbx 0x19ea680       27174528
    rcx 0xaa71da0d      2859588109
    rdx 0x7ffff5673040  140737310568512
    rsi 0x1b5           437
    rdi 0x7ffff5673040  140737310568512
    rbp 0x7fffffff8c70  140737488325744
    rsp 0x7fffffff8c70  140737488325744
    r8  0x1             1
    r9  0x19ea6d0       27174608
    r10 0x0             0
    r11 0x0             0
    r12 0x7fffffff8ca0  140737488325792
    r13 0x19c5350       27022160
    r14 0x7fffffff8e10  140737488326160
    r15 0x7fffffff8cc0  140737488325824
    rip 0x90d3d9        <js::LazyScript::source() const+9>

    => 0x90d3d9 <js::LazyScript::source() const+9>:  mov 0x8(%rax),%rdx
       0x90d3dd <js::LazyScript::source() const+13>: mov (%rdx),%rdx
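The backtrace runs from the shell's AssertEq through ToSource, obj_toSource, array_toSource and fun_toSource before it reaches the lazy function. The added example below (not code from this bug or from SpiderMonkey) shows that shape in plain JavaScript: a shell-style assertEq only serialises its operands when they differ, and the serialiser walks the whole operand and asks every function it finds for its source text. One constructed function whose toString throws stands in for a lazy function whose source cannot be produced; that is an assumption made for illustration, and the real failure in this bug is a null dereference inside js::LazyScript::source, not an exception.

```javascript
// Added example, not part of bug 1123699 or of SpiderMonkey.

// Serialise a value the way a toSource/uneval helper would, recording in
// `sourced` the name of every function whose source text is requested.
// Assumption: plain objects, arrays, functions and primitives are enough here.
function toSource(v, sourced, seen = new Set()) {
  if (typeof v === "function") {
    sourced.push(v.name || "(anonymous)");
    return v.toString();              // the step that forces source retrieval
  }
  if (v === null || typeof v !== "object") {
    return typeof v === "string" ? JSON.stringify(v) : String(v);
  }
  if (seen.has(v)) return "<cycle>";  // findReferences-style graphs are cyclic
  seen.add(v);
  if (Array.isArray(v)) {
    return "[" + v.map((x) => toSource(x, sourced, seen)).join(", ") + "]";
  }
  const parts = Object.keys(v).map((k) => `${k}: ${toSource(v[k], sourced, seen)}`);
  return "({" + parts.join(", ") + "})";
}

// Shell-style assertEq: operands are serialised only on mismatch, to build
// the failure message. A serialiser failure therefore surfaces as a failure
// of the *report*, not of the comparison, which is the path in the backtrace.
function assertEq(actual, expected) {
  const sourced = [];
  if (Object.is(actual, expected)) return { ok: true, sourced };
  let msg;
  try {
    msg = `got ${toSource(actual, sourced)}, expected ${toSource(expected, sourced)}`;
  } catch (e) {
    const wrapped = new Error(`assertEq failed and could not print its operands: ${e.message}`);
    wrapped.sourced = sourced;
    throw wrapped;
  }
  const err = new Error(`Assertion failed: ${msg}`);
  err.sourced = sourced;
  throw err;
}

// Constructed object graph: two functions, one of which cannot produce source
// (hypothetical stand-in for a LazyScript with no source object).
function demo() {
  const inner = function p() {};
  const broken = function q() {};
  broken.toString = () => { throw new TypeError("no source object"); };
  const graph = { callers: [inner], proto: { fn: broken } };

  const pass = assertEq(graph, graph);  // equal operands: nothing is serialised
  let failure;
  try { assertEq(graph, true); } catch (e) { failure = e; }  // mismatch: walks graph, dies in q
  let normal;
  try { assertEq({ a: 1, s: "x" }, true); } catch (e) { normal = e; }  // ordinary failure report
  return {
    passSourced: pass.sourced,
    failSourced: failure.sourced,
    failMessage: failure.message,
    normalMessage: normal.message,
  };
}
```

In demo(), the equal comparison never touches a function's source, the ordinary mismatch produces a readable message, and the mismatch over the constructed graph fails inside the serialiser after requesting source for p and then q, the same ordering one reads bottom-up in the frames above (AssertEq, then the object and array toSource walkers, then fun_toSource).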
Reporter, updated 9 years ago:
status-firefox37: affected → ---
status-firefox38: --- → affected
Reporter, updated 9 years ago:
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter, Comment 1, 9 years ago:
JSBugMon: Bisection requested, result: Due to skipped revisions, the first bad revision could be any of:

changeset: https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user: Jan de Mooij
date: Thu Jul 24 11:56:43 2014 +0200
summary: Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett

changeset: https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user: Jan de Mooij
date: Thu Jul 24 11:56:45 2014 +0200
summary: Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium

This iteration took 2.369 seconds to run.
This goes back earlier than end-2013 ( https://hg.mozilla.org/mozilla-central/rev/df3c2a1e86d3 ), so setting needinfo? from :jimb and :jorendorff who have fixed previous findReferences bugs (e.g. bug 708261).
Flags: needinfo?(jorendorff)
Flags: needinfo?(jimb)
Assignee, Comment 3, 9 years ago:
As far as security is concerned: findReferences isn't available in the browser. I can reproduce this crash.
Assignee: nobody → jimb
Flags: needinfo?(jimb)
Reporter, updated 9 years ago:
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter, Comment 4, 9 years ago:
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 9dbb2d41bb2c).
Reporter, Comment 5, 9 years ago:
Bug 1128603 removed findReferences.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated 9 years ago:
Flags: needinfo?(jorendorff)