Closed Bug 1139264 Opened 9 years ago Closed 9 years ago

Crash [@ js::ReshapeForParentAndAllocKind]

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 macOS
Severity: critical
Status: RESOLVED WORKSFORME
Tracking Status: firefox39 --- affected
People: Reporter: gkw, Unassigned
Keywords: crash, regression, testcase
Attachments: (1 file)

function hashStr() {}
dumpln = print
function testMathyFunction(f) {
    f()
}
function fillShellSandbox(sandbox) {
    var safeFuns = ["dumpln", "fillShellSandbox", "testMathyFunction", "hashStr"]
    for (var i = 0; i < safeFuns.length; ++i) {
        fn = safeFuns[i]
        sandbox[fn] = this[fn].bind(this)
    }
}
primarySandbox = newGlobal();
fillShellSandbox(primarySandbox);
function ff(code) {
    try {
        evalcx(code, primarySandbox)
    } catch (e) {
        +e
    }
}
ff("(function(){});var s;var r")
ff("y = function () {y}();  ")
ff("mathy5=function(){}     ")
ff("y=(function(){})        ")
ff("[]=( 0    );([{t}({})]);")
ff("mathy5=(function(){Math.d(Math.d(Math.t))});testMathyFunction(mathy5,[,Number.E,,,,Number.MIN_VALUE,Number.MAX_VALUE])")
ff("v=4;load(\"62a.js\");load(\"62b.js\")")

and 62a.js is:

function f() {}

(the contents of 62b.js are coming up)

crashes js debug shell on m-c changeset 0b3c520002ad with --fuzzing-safe --no-threads --ion-eager at js::ReshapeForParentAndAllocKind.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh ~/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-profiling --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-profiling --enable-more-deterministic -R ~/trees/mozilla-central" -r 0b3c520002ad

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/48ef078126bf
user:        Jan de Mooij
date:        Fri Oct 10 11:32:14 2014 +0200
summary:     Bug 1073700 - Move getter/setter data out of BaseShape into a new AccessorShape type. r=bhackett

Jan, is bug 1073700 a likely regressor?
Flags: needinfo?(jdemooij)
62b.js is:

var STATUS = "STATUS: ";
var callStack = new Array();
function startTest() {}
function TestCase(n, d, e, a) {
    this.name = n;
}
TestCase.prototype.dump = function() {};
TestCase.prototype.testPassed = (function TestCase_testPassed() {});
TestCase.prototype.testFailed = (function TestCase_testFailed() {
    return !this.passed;
});
function printStatus(msg) {
    var lines = msg.split("\n");
}
function printBugNumber(num) {}
function toPrinted(value)
function escapeString(str) {}
function reportCompare(expected, actual, description) {
    var actual_t = typeof actual;
    var output = "";
    var testcase = new TestCase("unknown-test-name", description, expected, actual);
    testcase.reason = output;
    if (typeof document != "object" || !document.location.href.match(/jsreftest.html/)) {}
}
function reportMatch(expectedRegExp, actual, description) {}
function enterFunc(funcName)
function BigO(data) {}
function compareSource(expect, actual, summary) {}
function optionsInit() {
    var optionNames = options().split(',');
}
function optionsClear() {}
function optionsPush() {}
function test() {
    for (gTc = 0; gTc < gTestcases.length; gTc++) {}
}
var lfcode = new Array();
lfcode.push("4");
lfcode.push("gcparam(\"maxBytes\", gcparam(\"gcBytes\") + 1);");
lfcode.push("\
var UBound = 0;\n\
var BUGNUMBER = 74474;\n\
var actual = '';\n\
var actualvalues = [ ];\n\
var expectedvalues = [ ];\n\
tryThis(1);\n\
function tryThis(x)\n\
addThis();\n\
test();\n\
function addThis() {\n\
actualvalues[UBound] = actual;\n\
UBound++;\n\
}\n\
function test() {\n\
printBugNumber(BUGNUMBER);\n\
for (var i = 0; i < UBound; i++)\n\
reportCompare(expectedvalues[i], actualvalues[i], getStatus(i));\n\
}\n\
function getStatus(i) {}\n\
");
while (true) {
    var file = lfcode.shift();
    if (file == "evaluate") {} else {
        loadFile(file)
    }
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
            switch (lfRunTypeId) {
                case 4:
                    eval("(function() { " + lfVarx + " })();");
            }
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);
            switch (lfRunTypeId) {
                case 3:
                    newFunc(lfVarx);
            }
        }
    } catch (lfVare) {}
}
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x2f62bc, 0x00000001002dcaeb js-dbg-64-prof-dm-darwin-0b3c520002ad`js::ReshapeForParentAndAllocKind(JSContext*, js::Shape*, js::TaggedProto, JSObject*, js::gc::AllocKind) [inlined] JS::Rooted<js::UnownedBaseShape*>::Rooted(this=0x0000000101e01b70, this=0x00007fff5fbf7640, this=0x0000000000000000, this=<unavailable>) at Shape.h:965, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001002dcaeb js-dbg-64-prof-dm-darwin-0b3c520002ad`js::ReshapeForParentAndAllocKind(JSContext*, js::Shape*, js::TaggedProto, JSObject*, js::gc::AllocKind) [inlined] JS::Rooted<js::UnownedBaseShape*>::Rooted(this=0x0000000101e01b70, this=0x00007fff5fbf7640, this=0x0000000000000000, this=<unavailable>) at Shape.h:965
    frame #1: 0x00000001002dcaeb js-dbg-64-prof-dm-darwin-0b3c520002ad`js::ReshapeForParentAndAllocKind(cx=0x0000000101e01b50, shape=<unavailable>, parent=<unavailable>, allocKind=<unavailable>, proto=<unavailable>) + 843 at Shape.cpp:636
    frame #2: 0x0000000100374dde js-dbg-64-prof-dm-darwin-0b3c520002ad`js::TypeNewScript::maybeAnalyze(JSContext*, js::ObjectGroup*, bool*, bool) [inlined] ChangeObjectFixedSlotCount(cx=0x0000000101e01b50) + 122 at TypeInference.cpp:3449
    frame #3: 0x0000000100374d64 js-dbg-64-prof-dm-darwin-0b3c520002ad`js::TypeNewScript::maybeAnalyze(this=0x0000000104b00cc0, cx=0x0000000101e01b50, group=0x000000010499f250, regenerate=0x0000000000000000, force=<unavailable>) + 1012 at TypeInference.cpp:3563
    frame #4: 0x0000000100524b4d js-dbg-64-prof-dm-darwin-0b3c520002ad`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) [inlined] js::jit::IonCompile(cx=0x0000000101e01b50, script=<unavailable>, baselineFrame=<unavailable>) + 929 at Ion.cpp:1922
(lldb)
(note that the last line of the testcase in comment 0 should be):

ff("v=4;load(\"62a.js\");load(\"62b.js\")")
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fa16d24d530f
user:        Nicolas B. Pierron
date:        Mon Mar 02 14:33:14 2015 -0800
summary:     Bug 1010556 - Bump ASAN kTrustedScriptBuffer constant, to account for the new frame size. r=bholley

Nicolas, is bug 1010556 a likely fix?

(even if it's not, I still think we should resolve this WFM, because the testcase is quite complex)
Flags: needinfo?(jdemooij) → needinfo?(nicolas.b.pierron)
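The two autoBisect results above (first bad revision in comment 0, first good revision in comment 4) are the two directions of the same search. The following is an added example, not part of this bug report and not autoBisect's own code: a minimal bisector over an ordered list of revisions with a crash predicate, one function for the regression direction and one for the fix direction, plus a check that re-runs the predicate around the reported transition. The revision ids, the crash window (introduced at index 17, fixed at index 31) and the stand-in for "build the shell and run the testcase" are constructed for the demonstration and are not real mozilla-central changesets.

```python
from typing import Callable, List, Optional, Sequence

Revision = str
# True means "the testcase crashes at this revision".
Predicate = Callable[[Revision], bool]


def bisect_first_bad(revs: Sequence[Revision], is_bad: Predicate) -> Optional[int]:
    """Regression search.

    Assumes revs is in chronological order and that is_bad is monotonic over it:
    False for every revision before the regression, True from the regression on.
    Returns the index of the first bad revision, or None if no revision is bad.
    """
    lo, hi = 0, len(revs)          # invariant: revs[:lo] are good, revs[hi:] are bad
    while lo < hi:
        mid = (lo + hi) // 2
        if is_bad(revs[mid]):
            hi = mid
        else:
            lo = mid + 1
    return lo if lo < len(revs) else None


def bisect_first_good(revs: Sequence[Revision], is_bad: Predicate) -> Optional[int]:
    """Fix search, the mirror image: assumes is_bad is True before the fix and
    False from the fix on. Returns the index of the first good revision, or None."""
    lo, hi = 0, len(revs)          # invariant: revs[:lo] are bad, revs[hi:] are good
    while lo < hi:
        mid = (lo + hi) // 2
        if is_bad(revs[mid]):
            lo = mid + 1
        else:
            hi = mid
    return lo if lo < len(revs) else None


def transition_is_clean(revs: Sequence[Revision], is_bad: Predicate,
                        idx: Optional[int], runs: int = 3) -> bool:
    """Re-run the predicate several times on the revisions on either side of the
    reported transition. A crash that depends on stack depth, timing or GC
    scheduling can flip between runs; if it does, the monotonicity assumption
    behind the bisection is violated and the reported revision is suspect."""
    if idx is None or idx == 0:
        return False
    before = {is_bad(revs[idx - 1]) for _ in range(runs)}
    at = {is_bad(revs[idx]) for _ in range(runs)}
    return len(before) == 1 and len(at) == 1 and before != at


def count_evaluations(bisector, revs: Sequence[Revision], is_bad: Predicate):
    """Run a bisector and report how many builds/runs the predicate cost."""
    calls = 0

    def counted(rev: Revision) -> bool:
        nonlocal calls
        calls += 1
        return is_bad(rev)

    return bisector(revs, counted), calls


# Constructed sample history (hypothetical revision ids, not real changesets):
# the crash is introduced at index 17 and fixed again at index 31.
HISTORY: List[Revision] = [f"r{i:02d}" for i in range(40)]
_INTRODUCED, _FIXED = 17, 31


def fake_shell_crashes(rev: Revision) -> bool:
    """Stand-in for 'compile the js shell at rev and run the testcase'."""
    i = int(rev[1:])
    return _INTRODUCED <= i < _FIXED


def run_demo():
    # Regression bisect: window from a known-good start to a known-bad end.
    reg_window = HISTORY[:25]
    first_bad = bisect_first_bad(reg_window, fake_shell_crashes)
    # Fix bisect: window from a known-bad start to a known-good end. Bisecting
    # the whole history in one go would not work, since it is bad in the middle
    # and good at both ends, so the predicate is not monotonic over it.
    fix_window = HISTORY[25:]
    first_good = bisect_first_good(fix_window, fake_shell_crashes)
    return reg_window[first_bad], fix_window[first_good]


if __name__ == "__main__":
    print(run_demo())
```

Each bisection costs about log2(window) predicate evaluations, which is why the windows are chosen by known-good and known-bad endpoints rather than over the whole history. The neighbour re-check is the cheap sanity step to run before asking a developer whether a changeset is a "likely regressor" or "likely fix": if the crash is not stable on both sides of the transition, the bisection answer is noise.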
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> autoBisect shows this is probably related to the following changeset:
> 
> The first good revision is:
> changeset:   https://hg.mozilla.org/mozilla-central/rev/fa16d24d530f
> user:        Nicolas B. Pierron
> date:        Mon Mar 02 14:33:14 2015 -0800
> summary:     Bug 1010556 - Bump ASAN kTrustedScriptBuffer constant, to
> account for the new frame size. r=bholley
> 
> Nicolas, is bug 1010556 a likely fix?
> 
> (even if it's not, I still think we should resolve this WFM, because the
> testcase is quite complex)

The above patch is just a hacky solution to reserve additional stack space for privileged execution functions, such as JIT / DOM internals.  So, if the previous problem was a stack overflow, then this might have "fixed" this issue because it increased the stack space, otherwise no.
Flags: needinfo?(nicolas.b.pierron)
-> WFM as per comment 4 and comment 5.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME