Closed
Bug 1126518
Opened 9 years ago
Closed 8 years ago
Crash [@ js::HeapPtr] or [@ js::frontend::CGObjectList::finish] or Assertion failure: !*cursor, at frontend/BytecodeEmitter.cpp
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED DUPLICATE of bug 1140196
Release | Tracking | Status
---|---|---
firefox38 | --- | affected
People: Reporter gkw, Unassigned
Details: 5 keywords, Whiteboard: [jsbugmon:update]
Attachments: 2 files
(function() { for (var [x = /z/] = [] in yield x); })()

asserts js debug shell on m-c changeset 08e41ea36f6d with --fuzzing-safe --no-threads --ion-eager at Assertion failure: !*cursor, at frontend/BytecodeEmitter.cpp.

Debug configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

=== Tinderbox Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150121013236" and the hash "26d8f946a53b".
The "bad" changeset has the timestamp "20150121021935" and the hash "8832848bf234".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=26d8f946a53b&tochange=8832848bf234

Jason, is bug 932080 a likely regressor?
Flags: needinfo?(jorendorff)
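The report above gives a testcase, a set of shell flags and an assertion string, which is everything needed to re-run the reproduction mechanically when checking a new build or a candidate fix. The harness below is an added example, not part of this bug or of the SpiderMonkey tree: it runs the reporter's testcase under a js shell and classifies the outcome as the debug assertion, a signal-death crash (what the opt build in comments 2 and 4 shows), a plain non-zero exit, or a clean run. The binary path in JS (default ./js) is an assumption; the testcase, flags and assertion text are copied from comment 0.

```shell
#!/bin/sh
# Added triage harness, not part of the bug report or the SpiderMonkey tree.
# Assumption: $JS points at a SpiderMonkey shell binary (./js is a guess).
JS="${JS:-./js}"

# Testcase copied from comment 0 of the bug.
TESTCASE='(function() { for (var [x = /z/] = [] in yield x); })()'

# Run a js shell on the testcase. Prints one of: assert, crash, error, clean.
#   $1     = path to the shell binary
#   $2...  = shell flags (the report used --fuzzing-safe --no-threads --ion-eager)
classify_run() {
    bin="$1"; shift
    tmpjs=$(mktemp) || return 1
    tmperr=$(mktemp) || return 1
    printf '%s\n' "$TESTCASE" > "$tmpjs"

    # Capture the exit status without tripping set -e in callers.
    status=0
    "$bin" "$@" "$tmpjs" >/dev/null 2>"$tmperr" || status=$?

    # A debug-build assertion aborts (SIGABRT, status 134), so match the
    # message first; any other signal death (status > 128) counts as a crash.
    if grep -q 'Assertion failure: !\*cursor' "$tmperr"; then
        result=assert
    elif [ "$status" -gt 128 ]; then
        result=crash
    elif [ "$status" -ne 0 ]; then
        result=error    # e.g. a SyntaxError from a shell that rejects the syntax
    else
        result=clean
    fi
    rm -f "$tmpjs" "$tmperr"
    printf '%s\n' "$result"
}

# Stand-alone use: only runs when the assumed binary exists.
if [ -x "$JS" ]; then
    classify_run "$JS" --fuzzing-safe --no-threads --ion-eager
fi
```

Checking the assertion text before the exit status matters: on a debug shell the assertion also ends in SIGABRT, so a status-only check would report it as a generic crash and lose the signature that ties a run to this bug. Invoke it as `JS=/path/to/js sh harness.sh`, or source it and call `classify_run` with a different flag set to see whether the failure depends on --ion-eager.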
Comment 1 • 9 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x38a01, 0x0000000100186a10 js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`js::frontend::CGObjectList::finish(this=<unavailable>, array=<unavailable>) + 336 at BytecodeEmitter.cpp:7648, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100186a10 js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`js::frontend::CGObjectList::finish(this=<unavailable>, array=<unavailable>) + 336 at BytecodeEmitter.cpp:7648
    frame #1: 0x000000010064dac4 js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`JSScript::fullyInitFromEmitter(cx=0x0000000101d025e0, bce=0x00007fff5fbfca88, script=<unavailable>) + 1124 at jsscript.cpp:2606
    frame #2: 0x0000000100175cfb js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`js::frontend::EmitFunctionScript(cx=0x0000000101d025e0, bce=0x00007fff5fbfca88, body=<unavailable>) + 1131 at BytecodeEmitter.cpp:3174
    frame #3: 0x000000010017d9c5 js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`EmitFunc(cx=0x0000000101d025e0, bce=0x00007fff5fbfdab0, pn=0x000000010281ce20) + 2005 at BytecodeEmitter.cpp:5438
    frame #4: 0x000000010016c345 js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`js::frontend::EmitTree(cx=0x0000000101d025e0, bce=0x00007fff5fbfdab0, pn=0x000000010281ce20) + 5829 at BytecodeEmitter.cpp:6898
(lldb)
Comment 2 • 9 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x2feb8, 0x00000001003914c2 js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`js::HeapPtr<js::NativeObject*>::operator=(js::NativeObject*) [inlined] js::gc::Cell::shadowRuntimeFromAnyThread() const + 7 at jspubtd.h:153, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001003914c2 js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`js::HeapPtr<js::NativeObject*>::operator=(js::NativeObject*) [inlined] js::gc::Cell::shadowRuntimeFromAnyThread() const + 7 at jspubtd.h:153
    frame #1: 0x00000001003914bb js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`js::HeapPtr<js::NativeObject*>::operator=(js::NativeObject*) [inlined] js::gc::TenuredCell::writeBarrierPre(js::gc::TenuredCell*) at Heap.h:1369
    frame #2: 0x00000001003914bb js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`js::HeapPtr<js::NativeObject*>::operator=(js::NativeObject*) [inlined] JSObject::writeBarrierPre(obj=0x00000001038261f0) + 30 at jsobj.h:674
    frame #3: 0x000000010039149d js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`js::HeapPtr<js::NativeObject*>::operator=(js::NativeObject*) [inlined] js::InternalGCMethods<js::NativeObject*>::preBarrier(v=0x00000001038261f0) at Barrier.h:300
    frame #4: 0x000000010039149d js-dbgDisabled-opt-64-dm-nsprBuild-darwin-1daa622bbe42`js::HeapPtr<js::NativeObject*>::operator=(js::NativeObject*) [inlined] js::BarrieredBase<js::NativeObject*>::pre() + 3 at Barrier.h:452
(lldb)
Comment 3 • 9 years ago (Reporter)
GC stuff seems to be on the opt stack, setting s-s until triaged.
Group: core-security
Comment 4 • 9 years ago (Reporter)
Opt configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Crash Signature: [@ js::HeapPtr] [@ js::frontend::CGObjectList::finish]
Summary: Assertion failure: !*cursor, at frontend/BytecodeEmitter.cpp → Crash [@ js::HeapPtr] or [@ js::frontend::CGObjectList::finish] or Assertion failure: !*cursor, at frontend/BytecodeEmitter.cpp
Updated • 8 years ago
Group: javascript-core-security
Comment 5 • 8 years ago
Jeff, is this related to the parser work you've been doing? It looks sort of similar.
Flags: needinfo?(jwalden+bmo)
Updated • 8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jwalden+bmo)
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
Updated • 8 years ago
Group: core-security → core-security-release
Updated • 7 years ago
Group: javascript-core-security, core-security-release