1130698 - Crash [@ js::PutEscapedStringImpl]

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

enableSPSProfiling()
evaluate("new(function() {\
    this.f\
})", {
    compileAndGo: true
})

crashes js debug shell on m-c changeset aa5f8d47a0ba with --fuzzing-safe --no-threads --ion-eager at js::PutEscapedStringImpl.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/39422c6d5efc
user:        Shu-yu Guo
date:        Wed Feb 04 13:40:02 2015 -0800
summary:     Bug 1127156 - Rework optimization tracking JSAPI to be more usable from the profiler. (r=djvj)

Shu-yu, is bug 1127156 a likely regressor? (Profiler-related, so s-s as per bug 1124036 comment 4)

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x167be0, 0x000000010081e9d3 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::PutEscapedStringImpl(char*, unsigned long, __sFILE*, JSLinearString*, unsigned int) [inlined] JSString::length() const at String.h:322, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x4)
  * frame #0: 0x000000010081e9d3 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::PutEscapedStringImpl(char*, unsigned long, __sFILE*, JSLinearString*, unsigned int) [inlined] JSString::length() const at String.h:322
    frame #1: 0x000000010081e9d3 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::PutEscapedStringImpl(buffer=0x00007fff5fbfc750, bufferSize=512, fp=0x0000000000000000, str=0x0000000000000000, quote=0) + 35 at jsstr.cpp:4961
    frame #2: 0x0000000100627b65 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::jit::WriteIonTrackedOptimizationsTable(JSContext*, js::jit::CompactBufferWriter&, js::jit::NativeToTrackedOptimizations const*, js::jit::NativeToTrackedOptimizations const*, js::jit::UniqueTrackedOptimizations const&, unsigned int*, unsigned int*, unsigned int*, unsigned int*, js::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy>*) [inlined] js::PutEscapedString(size=<unavailable>, str=<unavailable>, quote=<unavailable>) + 5 at jsstr.h:374
    frame #3: 0x0000000100627b60 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::jit::WriteIonTrackedOptimizationsTable(JSContext*, js::jit::CompactBufferWriter&, js::jit::NativeToTrackedOptimizations const*, js::jit::NativeToTrackedOptimizations const*, js::jit::UniqueTrackedOptimizations const&, unsigned int*, unsigned int*, unsigned int*, unsigned int*, js::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy>*) [inlined] SpewConstructor(constructor=<unavailable>) + 21 at OptimizationTracking.cpp:833
    frame #4: 0x0000000100627b4b js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::jit::WriteIonTrackedOptimizationsTable(cx=0x0000000101f00300, writer=0x00007fff5fbfc9d0, start=<unavailable>, end=<unavailable>, unique=0x00007fff5fbfca20, numRegions=<unavailable>, regionTableOffsetp=<unavailable>, typesTableOffsetp=<unavailable>, optimizationTableOffsetp=<unavailable>, allTypes=<unavailable>) + 1723 at OptimizationTracking.cpp:953
(lldb)

Comment 2

[Shu-yu Guo [:shu]]

Attachment: Fix spewing constructors for optimization tracking.

Comment 3

[Shu-yu Guo [:shu]]

DEBUG-only spewing code wasn't handling JSFunctions with nullptr displayAtoms correctly. Not s-s.

Comment 4

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/c3d9696f856f