Crash [@ ??] or Crash [@ InitFromBailout]

RESOLVED DUPLICATE of bug 1113240

Status


Core
JavaScript Engine
--
critical
3 years ago
2 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Trunk
x86_64
Linux
crash, regression, testcase
Points:
---

Firefox Tracking Flags

(firefox38 affected)

Details

(Whiteboard: [jsbugmon:], crash signature)

(Reporter)

Description

3 years ago
The following testcase crashes on mozilla-central revision 940118b1adcd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --thread-count=2):

function Foo(a, b) {
    // Once the accessor below is installed, this write no longer creates an
    // own property: it invokes the setter found on Foo.prototype.
    this.a = a;
}
function invalidate_foo() {
    var a = [];
    var counter = 0;
    // The setter is a closure created here, at run time inside invalidate_foo,
    // rather than at script load.
    Object.defineProperty(Foo.prototype, "a", {
        set: function() { counter++; }
    });
    // Warm-up loop so that Foo (and the setter call inside it) gets
    // JIT-compiled.
    for (var i = 0; i < 5000; ++i)
        a.push(new Foo(i, i + 1));
}
invalidate_foo();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e54829 in ?? ()
#0  0x00007ffff7e54829 in ?? ()
#1  0x00007ffff7e1cfb9 in ?? ()
#2  0xfff880000000076d in ?? ()
#3  0xfffc7fffe70000a0 in ?? ()
#4  0x0000000000000000 in ?? ()
rax	0x7fffe70000a0	140737068925088
rbx	0x1	1
rcx	0x76d	1901
rdx	0xfff9000000000000	-1970324836974592
rsi	0x76d	1901
rdi	0x17af450	24835152
rbp	0x7fffe70000a0	140737068925088
rsp	0x7fffffffc900	140737488341248
r8	0x16bdfe0	23846880
r9	0x7ffff6d054a5	140737334236325
r10	0x7fffffffc8c8	140737488341192
r11	0x1fff1	131057
r12	0x8	8
r13	0x1731498	24319128
r14	0x76d	1901
r15	0x7fffffffd4c0	140737488344256
rip	0x7ffff7e54829	140737352386601
=> 0x7ffff7e54829:	mov    0x30(%rbx),%rbp
   0x7ffff7e5482d:	mov    %rbp,0x50(%rsp)
S-s because this is a heap crash and the crash address in debug builds is also different from the opt-crash. It could be a null-deref of some sort, or something else.
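The testcase above depends on one ECMAScript rule: an assignment inside a constructor walks the prototype chain, and if it finds an accessor there it calls the setter instead of creating an own property. The block below is an added example, not code from the bug report, that exercises the same shape (an accessor installed on a prototype from inside a function, so the accessor closures are freshly allocated, and a hot constructor that writes through it) and makes that behaviour observable by counting accessor calls and checking for own properties. It goes slightly beyond the testcase by also installing a getter. It does not reproduce the crash; the names `makeClass`, `installAccessor` and `exercise` are the example's own.

```javascript
// Added example (not from the bug report). Exercises the same pattern as the
// testcase: a property write inside a hot constructor that is intercepted by
// an accessor defined on the prototype at run time.

function makeClass() {
  // Plain constructor that writes one field, like Foo in the testcase.
  return function Point(x) {
    this.x = x;
  };
}

function installAccessor(Ctor, log) {
  // The getter and setter are fresh closures created on each call, so the
  // accessor objects are allocated at run time rather than at script load.
  Object.defineProperty(Ctor.prototype, "x", {
    configurable: true,
    set(v) { log.sets++; log.last = v; },
    get() { log.gets++; return log.last; },
  });
}

function exercise(iterations, withAccessor) {
  const Ctor = makeClass();
  const log = { sets: 0, gets: 0, last: undefined };
  if (withAccessor) installAccessor(Ctor, log);

  // Warm-up loop in the spirit of the testcase's 5000 allocations.
  const objs = [];
  for (let i = 0; i < iterations; ++i) objs.push(new Ctor(i));

  const sample = objs[objs.length - 1];
  return {
    sets: log.sets,          // setter calls: one per constructor run, or 0
    ownProperty: Object.prototype.hasOwnProperty.call(sample, "x"),
    readBack: sample.x,      // goes through the getter when one is installed
    gets: log.gets,          // getter calls caused by the readBack above
  };
}

// Stand-alone run: compare the accessor and plain-property cases.
console.log(exercise(5000, true));   // sets 5000, ownProperty false
console.log(exercise(5000, false));  // sets 0,    ownProperty true
```

With the accessor installed every `new Ctor(i)` reaches the setter and no instance ever gets an own `x`; without it each instance gets a plain data property and the accessor log stays at zero. That setter call on a hot path, with the setter itself a young closure, is the case the bisected changeset in comment 1 is about.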
(Reporter)

Updated

3 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
(Reporter)

Comment 1

3 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 3bf7ed413e87).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cb01144424b5
user:        Jan de Mooij
date:        Sat Jan 31 14:52:04 2015 +0100
summary:     Bug 1113240 - Allow optimizing nursery-allocated getters/setters in Ion. r=bhackett

This iteration took 321.727 seconds to run.
(Reporter)

Updated

3 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
I can reproduce it; the second patch in bug 1113240 should fix this.
(Reporter)

Updated

3 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
(Reporter)

Comment 3

3 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/3bf7ed413e87
tag:         tip
parent:      226972:b955d50b6ec3
parent:      226988:dc9aad9b9ce1
user:        Carsten "Tomcat" Book
date:        Mon Feb 02 13:19:59 2015 +0100
summary:     merge mozilla-inbound to mozilla-central a=merge

This iteration took 329.533 seconds to run.

The bug was introduced by a merge (it was not present on either parent).
I don't know which patches from each side of the merge contributed to the bug. Sorry.
Comment 3 is one of the rare cases where bisection got confused.
(Reporter)

Comment 5

3 years ago
This probably got fixed by the merge of bug 1113240.
Status: NEW → RESOLVED
Crash Signature: [@ ??] → [@ ??] [@ InitFromBailout]
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Summary: Crash [@ ??] → Crash [@ ??] or Crash [@ InitFromBailout]
Duplicate of bug: 1113240

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release