Closed Bug 1131270 Opened 9 years ago Closed 9 years ago

Crash [@ MarkDescriptor] or Assertion failure: *thingp, at gc/Marking.cpp:163 with --unboxed-objects

Categories: Core :: JavaScript Engine (defect)
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 1127167
Tracking Status: firefox38 --- disabled
Reporter: decoder; Assignee: Unassigned
Details: 4 keywords, Whiteboard: [jsbugmon:]

The following testcase crashes on mozilla-central revision 3436787a82d0 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --thread-count=2 --unboxed-objects):

function TestCase(n, d, e, a) {
  this.name = n;
}
for (i = 0x0021; i < 0x007e; i++) {
  new TestCase("");
}
dumpHeapComplete();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
MarkDescriptor (thing=0x0) at js/src/jsfriendapi.cpp:883
883	    if (cell->isMarked(gc::BLACK))
#0  MarkDescriptor (thing=0x0) at js/src/jsfriendapi.cpp:883
#1  DumpHeapVisitChild (trc=0x7fffffffc000, thingp=0x7ffff5664140, kind=<optimized out>) at js/src/jsfriendapi.cpp:937
#2  0x00000000004cdad6 in MarkInternal<JSString> (trc=0x7fffffffc000, thingp=<optimized out>) at js/src/gc/Marking.cpp:291
#3  0x00000000005c56b8 in js::UnboxedPlainObject::trace (trc=0x7fffffffc000, obj=(JSObject *) 0x7ffff5664130 [object Object]) at js/src/vm/UnboxedObject.cpp:144
#4  0x000000000084e7b9 in JSObject::markChildren (this=(JSObject * const) 0x7ffff5664130 [object Object], trc=0x7fffffffc000) at js/src/jsobj.cpp:4111
#5  0x00000000004e0463 in MarkChildren (obj=(JSObject *) 0x7ffff5664130 [object Object], trc=0x7fffffffc000) at js/src/gc/Marking.cpp:1324
#6  js::TraceChildren (trc=0x7fffffffc000, thing=0x7ffff5664130, kind=<optimized out>) at js/src/gc/Marking.cpp:1927
#7  0x0000000000839e82 in DumpHeapVisitCell (rt=<optimized out>, data=0x7fffffffc000, thing=0x7ffff5664130, traceKind=JSTRACE_OBJECT, thingSize=<optimized out>) at js/src/jsfriendapi.cpp:926
#8  0x00000000004cd981 in IterateCompartmentsArenasCells (rt=rt@entry=0x169d1c0, zone=0x16ce360, data=data@entry=0x7fffffffc000, compartmentCallback=compartmentCallback@entry=0x837680 <DumpHeapVisitCompartment(JSRuntime*, void*, JSCompartment*)>, arenaCallback=arenaCallback@entry=0x837340 <DumpHeapVisitArena(JSRuntime*, void*, js::gc::Arena*, JSGCTraceKind, size_t)>, cellCallback=cellCallback@entry=0x839db0 <DumpHeapVisitCell(JSRuntime*, void*, void*, JSGCTraceKind, size_t)>) at js/src/gc/Iteration.cpp:49
#9  0x00000000004d2373 in js::IterateZonesCompartmentsArenasCells (rt=0x169d1c0, data=0x7fffffffc000, zoneCallback=0x837320 <DumpHeapVisitZone(JSRuntime*, void*, JS::Zone*)>, compartmentCallback=0x837680 <DumpHeapVisitCompartment(JSRuntime*, void*, JSCompartment*)>, arenaCallback=0x837340 <DumpHeapVisitArena(JSRuntime*, void*, js::gc::Arena*, JSGCTraceKind, size_t)>, cellCallback=0x839db0 <DumpHeapVisitCell(JSRuntime*, void*, void*, JSGCTraceKind, size_t)>) at js/src/gc/Iteration.cpp:66
#10 0x0000000000847ae3 in js::DumpHeapComplete (rt=0x169d1c0, fp=0x7ffff6f85260, nurseryBehaviour=<optimized out>) at js/src/jsfriendapi.cpp:969
#11 0x0000000000451616 in DumpHeapComplete (cx=0x16bf2e0, argc=<optimized out>, vp=0x7fffffffc6a8) at js/src/builtin/TestingFunctions.cpp:1138
#12 0x0000000000544663 in CallJSNative (args=..., native=0x451570 <DumpHeapComplete(JSContext*, unsigned int, jsval*)>, cx=0x16bf2e0) at js/src/jscntxtinlines.h:226
#13 js::Invoke (cx=cx@entry=0x16bf2e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:492
#14 0x00000000005451db in js::Invoke (cx=0x16bf2e0, thisv=..., fval=..., argc=0, argv=<optimized out>, rval=...) at js/src/vm/Interpreter.cpp:548
#15 0x00000000006a6d2d in js::jit::DoCallFallback (cx=0x16bf2e0, frame=0x7fffffffca78, stub_=<optimized out>, argc=0, vp=0x7fffffffca38, res=JSVAL_VOID) at js/src/jit/BaselineIC.cpp:9572
#16 0x00007ffff55b58aa in ?? ()
#17 0xfffc7ffff5700d20 in ?? ()
#18 0x00007fffffffc9f0 in ?? ()
#19 0xfff9000000000000 in ?? ()
#20 0x0000000001692320 in js::jit::DoSpreadCallFallbackInfo ()
#21 0x00007ffff5650a00 in ?? ()
#22 0x00007ffff55b8644 in ?? ()
#23 0x0000000000000402 in ?? ()
#24 0x00007fffffffca78 in ?? ()
#25 0x00000000016e1078 in ?? ()
#26 0x0000000000000000 in ?? ()

Not s-s because --unboxed-objects is not enabled by default.
NI from bhackett due to --unboxed-objects.
Flags: needinfo?(bhackett1024)
Summary: Crash [@ MarkDescriptor] or Assertion failure: *thingp, at gc/Marking.cpp:163 → Crash [@ MarkDescriptor] or Assertion failure: *thingp, at gc/Marking.cpp:163 with --unboxed-objects
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE