Closed Bug 1130367 Opened 9 years ago Closed 9 years ago

Crash [@ ScriptFromCalleeToken] or Crash [@ method] or Assertion failure: hasScript(), at jsfun.h:322

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla39
Tracking Status
firefox37 --- unaffected
firefox38 --- fixed
firefox39 --- verified
firefox-esr31 --- unaffected

People

(Reporter: decoder, Assigned: djvj)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision 7c5f187b65bf (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --thread-count=2):

var lfcode = new Array();
// Queue 12 empty files, then one that enables SPS profiling and immediately disables it again.
for (var idx = 0; idx < 12; ++idx)
  lfcode.push("");
lfcode.push("enableSPSProfilingWithSlowAssertions(); disableSPSProfiling();");
while (lfcode.length > 0) {
  loadFile(lfcode.shift());
}
// Profiling is now disabled; reading the profiling stack repeatedly is what crashes (see backtrace).
evaluate('eval("for (var j = 0; j < 50; j++) readSPSProfilingStack();");');
function loadFile(lfVarx) {
  function newFunc(x) { new Function(x)(); }
  newFunc(lfVarx);
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
ScriptFromCalleeToken (token=0x7fff00000005) at js/src/jit/Lowering.cpp:4243
4243	}
#0  ScriptFromCalleeToken (token=0x7fff00000005) at js/src/jit/Lowering.cpp:4243
#1  frameScript (this=0x7fffffff9b78) at js/src/jit/JitFrameIterator-inl.h:29
#2  js::jit::JitProfilingFrameIterator::tryInitWithPC (this=this@entry=0x7fffffff9b78, pc=0x0) at js/src/jit/JitFrames.cpp:2860
#3  0x00000000006f75d5 in js::jit::JitProfilingFrameIterator::JitProfilingFrameIterator (this=0x7fffffff9b78, rt=0x169b1c0, state=...) at js/src/jit/JitFrames.cpp:2783
#4  0x000000000057b9d0 in JS::ProfilingFrameIterator::ProfilingFrameIterator (this=0x7fffffff9b60, rt=<optimized out>, state=...) at js/src/vm/Stack.cpp:1737
#5  0x00000000004502e9 in ReadSPSProfilingStack (cx=0x16bd2f0, argc=<optimized out>, vp=0x1731610) at js/src/builtin/TestingFunctions.cpp:1244
#6  0x000000000053fe13 in CallJSNative (args=..., native=0x450150 <ReadSPSProfilingStack(JSContext*, unsigned int, jsval*)>, cx=0x16bd2f0) at js/src/jscntxtinlines.h:226
#7  js::Invoke (cx=0x16bd2f0, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:498
#8  0x0000000000536e4c in Interpret (cx=0x16bd2f0, state=...) at js/src/vm/Interpreter.cpp:2557
#9  0x000000000053f8cd in js::RunScript (cx=cx@entry=0x16bd2f0, state=...) at js/src/vm/Interpreter.cpp:448
#10 0x000000000053fa45 in js::ExecuteKernel (cx=0x16bd2f0, script=0x7ffff565de70, scopeChainArg=, thisv=..., type=<optimized out>, evalInFrame=..., result=0x1731578) at js/src/vm/Interpreter.cpp:657
#11 0x000000000049c4bc in EvalKernel (cx=cx@entry=0x16bd2f0, args=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=scopeobj@entry=, pc=<optimized out>) at js/src/builtin/Eval.cpp:348
#12 0x000000000049cae5 in js::DirectEval (cx=0x16bd2f0, args=...) at js/src/builtin/Eval.cpp:489
#13 0x000000000053617a in Interpret (cx=0x16bd2f0, state=...) at js/src/vm/Interpreter.cpp:2477
#14 0x000000000053f8cd in js::RunScript (cx=cx@entry=0x16bd2f0, state=...) at js/src/vm/Interpreter.cpp:448
#15 0x000000000053fa45 in js::ExecuteKernel (cx=cx@entry=0x16bd2f0, script=script@entry=0x7ffff565dda8, scopeChainArg=, thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffc6c8) at js/src/vm/Interpreter.cpp:657
#16 0x000000000053fbc8 in js::Execute (cx=0x16bd2f0, script=0x7ffff565dda8, scopeChainArg=..., rval=0x7fffffffc6c8) at js/src/vm/Interpreter.cpp:694
#17 0x00000000008156a9 in ExecuteScript (cx=0x16bd2f0, obj=..., scriptArg=..., rval=<optimized out>) at js/src/jsapi.cpp:4051
#18 0x000000000040d3b5 in Evaluate (cx=0x16bd2f0, argc=<optimized out>, vp=0x7fffffffc6c8) at js/src/shell/js.cpp:1319
#19 0x000000000053fe13 in CallJSNative (args=..., native=0x40cf10 <Evaluate(JSContext*, unsigned int, jsval*)>, cx=0x16bd2f0) at js/src/jscntxtinlines.h:226
#20 js::Invoke (cx=cx@entry=0x16bd2f0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#21 0x000000000054098b in js::Invoke (cx=0x16bd2f0, thisv=..., fval=..., argc=1, argv=<optimized out>, rval=...) at js/src/vm/Interpreter.cpp:554
#22 0x000000000069e5bd in js::jit::DoCallFallback (cx=0x16bd2f0, frame=0x7fffffffcaa8, stub_=<optimized out>, argc=1, vp=0x7fffffffca58, res=JSVAL_VOID) at js/src/jit/BaselineIC.cpp:9514
[...]
#45 0x0000000000000000 in ?? ()
rax	0x7fff00000004	140733193388036
rbx	0x7fffffff9b78	140737488329592
rcx	0x7fffffffa510	140737488332048
rdx	0x1	1
rsi	0x0	0
rdi	0x7fffffff9b78	140737488329592
rbp	0x169b1c0	23704000
rsp	0x7fffffff96f8	140737488328440
r8	0x16a48a8	23742632
r9	0x7ffff6d0d4a5	140737334269093
r10	0x2b2b2b2b2b2b2b2b	3110627432037296939
r11	0x2b2b2b2b2b2b2b2b	3110627432037296939
r12	0x7fffffff9840	140737488328768
r13	0x0	0
r14	0x1792170	24715632
r15	0x7fffffffaa70	140737488333424
rip	0x6e6dda <js::jit::JitProfilingFrameIterator::tryInitWithPC(void*)+26>
=> 0x6e6dda <js::jit::JitProfilingFrameIterator::tryInitWithPC(void*)+26>:	mov    0x28(%rax),%rax
   0x6e6dde <js::jit::JitProfilingFrameIterator::tryInitWithPC(void*)+30>:	mov    0x68(%rax),%rdx


Marking s-s because this crashes in various places. Previously, SPS failures have been problematic in some cases.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/26bb4ca5d855
user:        Kannan Vijayan
date:        Fri Jan 30 11:27:39 2015 -0500
summary:     Bug 1124070 - Add test for regression. r=jandem

This iteration took 275.483 seconds to run.
If bug 1124070 added tests, does that mean the underlying bug goes back further?
Flags: needinfo?(kvijayan)
Attached patch fix-bug-1130367.patch (obsolete) — Splinter Review
This fixes a bug in the readSPSProfilingStack() testing function.  When profiling is not enabled, it should just return false.  Forgot to add the shortcut return.

Also, the patch adds an extra assert in ProfilingFrameIterator to make sure that it never gets instantiated when the profiler is disabled.

Try run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=2c52c658e068
Flags: needinfo?(kvijayan)
Attachment #8567193 - Flags: review?(shu)
Assignee: nobody → kvijayan
Attachment #8567193 - Flags: review?(shu) → review+
decoder: this bug is not security sensitive.  Setting needinfo as a note.
Flags: needinfo?(choller)
Test failure was because it turns out that the profiler sampler _can_ be invoked when the spsProfiler.enable() for the given runtime is false.  Fixed sampler so that this cannot happen.  Latest try run.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=b50e126eb51a
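The two fixes described in the comments above (the shortcut return in readSPSProfilingStack() when the profiler is disabled, the precondition check in ProfilingFrameIterator, and the sampler no longer running against a runtime whose profiler is off) reduced to a self-contained model. This is an added illustration, not SpiderMonkey code: Runtime, SPSProfiler, ProfilingFrameIterator, walkStack, samplerTick and the ReadResult struct are hypothetical stand-ins, and the precondition violation is modelled as an exception so the buggy path can be exercised without crashing the process.

```cpp
// Added illustration (not SpiderMonkey code): the shape of the fix, reduced to
// a self-contained model.  All names below are hypothetical stand-ins.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Per-runtime SPS profiler state.  The frame list is only maintained while
// the profiler is enabled; when disabled it holds nothing meaningful (in the
// real engine the iterator read a bogus callee token and crashed).
struct SPSProfiler {
    bool enabled_ = false;
    std::vector<uintptr_t> frames;   // constructed sample data, not real frames
    bool enabled() const { return enabled_; }
    void enable() { enabled_ = true; }
    void disable() { enabled_ = false; frames.clear(); }
};

struct Runtime {
    SPSProfiler spsProfiler;
};

// Stand-in for ProfilingFrameIterator.  The patch adds an assertion that it
// is never instantiated while the profiler is disabled; here that assertion
// is an exception so the "before" path below is observable rather than fatal.
class ProfilingFrameIterator {
  public:
    explicit ProfilingFrameIterator(const Runtime& rt) : rt_(rt), index_(0) {
        if (!rt_.spsProfiler.enabled())
            throw std::logic_error("ProfilingFrameIterator: profiler is disabled");
    }
    bool done() const { return index_ >= rt_.spsProfiler.frames.size(); }
    void next() { ++index_; }
  private:
    const Runtime& rt_;
    std::size_t index_;
};

// Walks the profiling stack and returns the number of frames seen.
static int walkStack(const Runtime& rt) {
    int n = 0;
    for (ProfilingFrameIterator it(rt); !it.done(); it.next())
        ++n;
    return n;
}

// What the native testing function handed back to script.
struct ReadResult {
    bool returnedToScript;   // false: the precondition fired (the crash path)
    bool scriptValue;        // boolean returned to script
    int frames;              // frames visited
};

// Before the fix: the iterator was built unconditionally.
ReadResult readSPSProfilingStackBuggy(const Runtime& rt) {
    try {
        int n = walkStack(rt);
        return {true, true, n};
    } catch (const std::logic_error&) {
        return {false, false, 0};
    }
}

// After the fix: return false to script if the profiler is not enabled, and
// only construct the iterator once that shortcut has been passed.
ReadResult readSPSProfilingStackFixed(const Runtime& rt) {
    if (!rt.spsProfiler.enabled())
        return {true, false, 0};     // shortcut return: 'false' to script
    int n = walkStack(rt);
    return {true, true, n};
}

// The sampler side of the fix: a sample is only taken when the runtime's
// profiler is enabled, so the iterator is never reached otherwise.
int samplerTick(const Runtime& rt) {
    if (!rt.spsProfiler.enabled())
        return 0;
    return walkStack(rt);
}

// Stand-alone check mirroring the fuzz testcase: enable, disable, then read.
bool scenarioPasses() {
    Runtime rt;
    rt.spsProfiler.enable();
    rt.spsProfiler.frames = {0x1000, 0x2000, 0x3000};
    if (readSPSProfilingStackFixed(rt).frames != 3) return false;
    rt.spsProfiler.disable();
    if (readSPSProfilingStackBuggy(rt).returnedToScript) return false;  // precondition fires
    ReadResult r = readSPSProfilingStackFixed(rt);
    return r.returnedToScript && !r.scriptValue && samplerTick(rt) == 0;
}

int main() { return scenarioPasses() ? 0 : 1; }
```

The ordering in readSPSProfilingStackFixed is the whole point: the enabled() check must sit before the iterator is constructed, since the iterator's own assertion only reports the mistake, it does not make the read safe.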
Flags: needinfo?(kvijayan)
New patch.  Clearing needinfo.
Attachment #8567193 - Attachment is obsolete: true
Flags: needinfo?(choller)
Attachment #8571451 - Flags: review?(shu)
Comment on attachment 8571451 [details] [diff] [review]
fix-bug-1130367.patch

Review of attachment 8571451 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/builtin/TestingFunctions.cpp
@@ +1253,5 @@
>  {
>      CallArgs args = CallArgsFromVp(argc, vp);
>      args.rval().setUndefined();
>  
> +    // Return boolean 'false' if profiler is not enabled.
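Review bot: the added comment on the last line promises 'false' to script when the profiler is not enabled, but args.rval().setUndefined() two lines above leaves the script-visible return value as undefined; make sure the early return that follows this comment sets args.rval().setBoolean(false) before it returns, otherwise callers of readSPSProfilingStack() get undefined rather than false and the shortcut is not what the bug description says it is.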

This comment is a bit confusing as is. Maybe "Return false to script if profiler is not enabled"?
Attachment #8571451 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/44efa0956b53
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Depends on: 1139459
Depends on: 1139506
No longer depends on: 1139459
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Looks like this needs an Aurora approval nomination?
Flags: needinfo?(kvijayan)
Comment on attachment 8571451 [details] [diff] [review]
fix-bug-1130367.patch

Approval Request Comment
[Feature/regressing bug #]:
Bug 1057082

[User impact if declined]:
Potential for race-based crashes when enabling profiling.

[Describe test coverage new/current, TreeHerder]:
No specific test coverage.  Finicky reproduction conditions in browser.  Revealed by fuzzbug.

[Risks and why]:
Low risk.

[String/UUID change made/needed]:
N/A
Flags: needinfo?(kvijayan)
Attachment #8571451 - Flags: approval-mozilla-aurora?
Attachment #8571451 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Group: core-security → core-security-release
Group: core-security-release