Bug 1139264 - Crash [@ js::ReshapeForParentAndAllocKind]

Status: Closed, RESOLVED WORKSFORME
Opened 9 years ago, closed 9 years ago
Categories: Core :: JavaScript Engine, defect
Keywords: crash, regression, testcase
People: Reporter: gkw, Unassigned
Attachments: 1 file (4.10 KB, text/plain)

| | Tracking | Status |
|---|---|---|
| firefox39 | --- | affected |
Description • Reporter

```js
function hashStr() {}
dumpln = print
function testMathyFunction(f) { f() }
function fillShellSandbox(sandbox) {
  var safeFuns = ["dumpln", "fillShellSandbox", "testMathyFunction", "hashStr"]
  for (var i = 0; i < safeFuns.length; ++i) {
    fn = safeFuns[i]
    sandbox[fn] = this[fn].bind(this)
  }
}
primarySandbox = newGlobal();
fillShellSandbox(primarySandbox);
function ff(code) {
  try { evalcx(code, primarySandbox) } catch (e) { +e }
}
ff("(function(){});var s;var r")
ff("y = function () {y}(); ")
ff("mathy5=function(){} ")
ff("y=(function(){}) ")
ff("[]=( 0 );([{t}({})]);")
ff("mathy5=(function(){Math.d(Math.d(Math.t))});testMathyFunction(mathy5,[,Number.E,,,,Number.MIN_VALUE,Number.MAX_VALUE])")
ff("v=4;load(\"62a.js\");load(\"62b.js\")")
```

and 62a.js is:

```js
function f() {}
```

(the contents of 62b.js is coming up)

crashes js debug shell on m-c changeset 0b3c520002ad with --fuzzing-safe --no-threads --ion-eager at js::ReshapeForParentAndAllocKind.

Configure options:

```
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh ~/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-profiling --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
```

```
python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-profiling --enable-more-deterministic -R ~/trees/mozilla-central" -r 0b3c520002ad
```

autoBisect shows this is probably related to the following changeset:

```
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/48ef078126bf
user:        Jan de Mooij
date:        Fri Oct 10 11:32:14 2014 +0200
summary:     Bug 1073700 - Move getter/setter data out of BaseShape into a new AccessorShape type. r=bhackett
```

Jan, is bug 1073700 a likely regressor?
Flags: needinfo?(jdemooij)
Comment 1 • Reporter • 9 years ago
62b.js is:

```js
var STATUS = "STATUS: ";
var callStack = new Array();
function startTest() {}
function TestCase(n, d, e, a) { this.name = n; }
TestCase.prototype.dump = function() {};
TestCase.prototype.testPassed = (function TestCase_testPassed() {});
TestCase.prototype.testFailed = (function TestCase_testFailed() { return !this.passed; });
function printStatus(msg) { var lines = msg.split("\n"); }
function printBugNumber(num) {}
function toPrinted(value) function escapeString(str) {}
function reportCompare(expected, actual, description) {
  var actual_t = typeof actual;
  var output = "";
  var testcase = new TestCase("unknown-test-name", description, expected, actual);
  testcase.reason = output;
  if (typeof document != "object" || !document.location.href.match(/jsreftest.html/)) {}
}
function reportMatch(expectedRegExp, actual, description) {}
function enterFunc(funcName) function BigO(data) {}
function compareSource(expect, actual, summary) {}
function optionsInit() { var optionNames = options().split(','); }
function optionsClear() {}
function optionsPush() {}
function test() { for (gTc = 0; gTc < gTestcases.length; gTc++) {} }
var lfcode = new Array();
lfcode.push("4");
lfcode.push("gcparam(\"maxBytes\", gcparam(\"gcBytes\") + 1);");
lfcode.push("\
var UBound = 0;\n\
var BUGNUMBER = 74474;\n\
var actual = '';\n\
var actualvalues = [ ];\n\
var expectedvalues = [ ];\n\
tryThis(1);\n\
function tryThis(x)\n\
addThis();\n\
test();\n\
function addThis() {\n\
actualvalues[UBound] = actual;\n\
UBound++;\n\
}\n\
function test() {\n\
printBugNumber(BUGNUMBER);\n\
for (var i = 0; i < UBound; i++)\n\
reportCompare(expectedvalues[i], actualvalues[i], getStatus(i));\n\
}\n\
function getStatus(i) {}\n\
");
while (true) {
  var file = lfcode.shift();
  if (file == "evaluate") {} else { loadFile(file) }
}
function loadFile(lfVarx) {
  try {
    if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
      switch (lfRunTypeId) {
        case 4: eval("(function() { " + lfVarx + " })();");
      }
    } else if (!isNaN(lfVarx)) {
      lfRunTypeId = parseInt(lfVarx);
      switch (lfRunTypeId) {
        case 3: newFunc(lfVarx);
      }
    }
  } catch (lfVare) {}
}
```
Comment 2 • Reporter • 9 years ago
```
(lldb) bt 5
* thread #1: tid = 0x2f62bc, 0x00000001002dcaeb js-dbg-64-prof-dm-darwin-0b3c520002ad`js::ReshapeForParentAndAllocKind(JSContext*, js::Shape*, js::TaggedProto, JSObject*, js::gc::AllocKind) [inlined] JS::Rooted<js::UnownedBaseShape*>::Rooted(this=0x0000000101e01b70, this=0x00007fff5fbf7640, this=0x0000000000000000, this=<unavailable>) at Shape.h:965, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001002dcaeb js-dbg-64-prof-dm-darwin-0b3c520002ad`js::ReshapeForParentAndAllocKind(JSContext*, js::Shape*, js::TaggedProto, JSObject*, js::gc::AllocKind) [inlined] JS::Rooted<js::UnownedBaseShape*>::Rooted(this=0x0000000101e01b70, this=0x00007fff5fbf7640, this=0x0000000000000000, this=<unavailable>) at Shape.h:965
    frame #1: 0x00000001002dcaeb js-dbg-64-prof-dm-darwin-0b3c520002ad`js::ReshapeForParentAndAllocKind(cx=0x0000000101e01b50, shape=<unavailable>, parent=<unavailable>, allocKind=<unavailable>, proto=<unavailable>) + 843 at Shape.cpp:636
    frame #2: 0x0000000100374dde js-dbg-64-prof-dm-darwin-0b3c520002ad`js::TypeNewScript::maybeAnalyze(JSContext*, js::ObjectGroup*, bool*, bool) [inlined] ChangeObjectFixedSlotCount(cx=0x0000000101e01b50) + 122 at TypeInference.cpp:3449
    frame #3: 0x0000000100374d64 js-dbg-64-prof-dm-darwin-0b3c520002ad`js::TypeNewScript::maybeAnalyze(this=0x0000000104b00cc0, cx=0x0000000101e01b50, group=0x000000010499f250, regenerate=0x0000000000000000, force=<unavailable>) + 1012 at TypeInference.cpp:3563
    frame #4: 0x0000000100524b4d js-dbg-64-prof-dm-darwin-0b3c520002ad`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) [inlined] js::jit::IonCompile(cx=0x0000000101e01b50, script=<unavailable>, baselineFrame=<unavailable>) + 929 at Ion.cpp:1922
(lldb)
```
Comment 3 • Reporter • 9 years ago
(note that the last line of the testcase in comment 0 should be): `ff("v=4;load(\"62a.js\");load(\"62b.js\")")`
Comment 4 • Reporter • 9 years ago
autoBisect shows this is probably related to the following changeset:

```
The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fa16d24d530f
user:        Nicolas B. Pierron
date:        Mon Mar 02 14:33:14 2015 -0800
summary:     Bug 1010556 - Bump ASAN kTrustedScriptBuffer constant, to account for the new frame size. r=bholley
```

Nicolas, is bug 1010556 a likely fix?

(even if it's not, I still think we should resolve this WFM, because the testcase is quite complex)
Flags: needinfo?(jdemooij) → needinfo?(nicolas.b.pierron)
Comment 5 • 9 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> autoBisect shows this is probably related to the following changeset:
>
> The first good revision is:
> changeset: https://hg.mozilla.org/mozilla-central/rev/fa16d24d530f
> user: Nicolas B. Pierron
> date: Mon Mar 02 14:33:14 2015 -0800
> summary: Bug 1010556 - Bump ASAN kTrustedScriptBuffer constant, to
> account for the new frame size. r=bholley
>
> Nicolas, is bug 1010556 a likely fix?
>
> (even if it's not, I still think we should resolve this WFM, because the
> testcase is quite complex)

The above patch is just a hacky solution to reserve additional stack space for privileged execution function, such as JIT / DOM internals.

So, if the previous problem was a stack overflow, then this might have "fixed" this issue because it increased the stack space, otherwise no.
Flags: needinfo?(nicolas.b.pierron)
Comment 6 • Reporter • 9 years ago
-> WFM as per comment 4 and comment 5.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME