Closed
Bug 1142844
Opened 9 years ago
Closed 9 years ago
Crash [@ js::LazyScript::scriptSource]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla39

Tracking | Status |
---|---|---
firefox39 | --- | fixed

People: Reporter: gkw, Assigned: bzbarsky
Keywords: crash, regression, testcase
Attachments (2 files, 1 obsolete file)
Attachment: 7.59 KB, text/plain (Details)
Attachment: 3.68 KB, patch, luke: review+ (Details | Diff | Splinter Review)
// Randomly chosen test: js/src/jit-test/tests/basic/bug1057571.js
(function() {
  code = cacheEntry("function f(){}f()")
  code.compileAndGo = true;
  evaluate(code, Object.create(code, { saveBytecode: { value: true } }))
  evaluate(code, { loadBytecode: true })
})()
// jsfunfuzz-generated code
relazifyFunctions()
this instanceof this

crashes js debug shell on m-c changeset 30916c9ca768 with --fuzzing-safe --no-threads --no-baseline --no-ion at js::LazyScript::scriptSource.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh ~/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 30916c9ca768

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/eb6e90404b76
parent:      224399:b86864fd9d60
user:        Jan de Mooij
date:        Sat Jan 17 12:54:03 2015 +0100
summary:     Bug 1116760 - Add a shell function to test function relazification. r=till

Jan, did bug 1116760 expose the issue?
Flags: needinfo?(jdemooij)
Comment 1 • 9 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x5e5ca, 0x000000010084f693 js-dbg-64-dm-nsprBuild-darwin-30916c9ca768`js::LazyScript::scriptSource() const [inlined] JSObject::getClass() const at jsobj.h:130, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010084f693 js-dbg-64-dm-nsprBuild-darwin-30916c9ca768`js::LazyScript::scriptSource() const [inlined] JSObject::getClass() const at jsobj.h:130
    frame #1: 0x000000010084f693 js-dbg-64-dm-nsprBuild-darwin-30916c9ca768`js::LazyScript::scriptSource() const [inlined] js::NativeObject::getReservedSlot(this=<unavailable>, index=<unavailable>) const at NativeObject.h:824
    frame #2: 0x000000010084f693 js-dbg-64-dm-nsprBuild-darwin-30916c9ca768`js::LazyScript::scriptSource() const [inlined] js::LazyScript::sourceObject(this=<unavailable>, this=0x0000000000000000) const + 31 at jsscript.h:706
    frame #3: 0x000000010084f674 js-dbg-64-dm-nsprBuild-darwin-30916c9ca768`js::LazyScript::scriptSource(this=<unavailable>) const + 4 at jsscript.h:1910
    frame #4: 0x00000001007d2ca3 js-dbg-64-dm-nsprBuild-darwin-30916c9ca768`JSFunction::createScriptForLazilyInterpretedFunction(cx=0x0000000101e028a0, fun=<unavailable>) + 1539 at jsfun.cpp:1470
(lldb)
Comment 2 • 9 years ago
Here's a simpler test, does not require --enable-more-deterministic:

(function() {
  var code = cacheEntry("function f(){}; f();");
  code.compileAndGo = true;
  evaluate(code, Object.create(code, {saveBytecode: {value: true}}));
  evaluate(code, {loadBytecode: true});
})();
relazifyFunctions();
print(f.toSource());

And here's one without relazifyFunctions:

var g = newGlobal();
g.eval(`
(function() {
  var code = cacheEntry("function f(){}; f();");
  code.compileAndGo = true;
  evaluate(code, Object.create(code, {saveBytecode: {value: true}}));
  evaluate(code, {loadBytecode: true});
})();
`);
gc();
print(g.f.toString());

Gary, can you try autoBisect on this one? :)
Updated • 9 years ago
Flags: needinfo?(gary)
Comment 3 • 9 years ago
I just realized template strings are fairly new and that may confuse autoBisect. Try this one:

var g = newGlobal();
g.eval("(" + (function() {
  var code = cacheEntry("function f(){}; f();");
  code.compileAndGo = true;
  evaluate(code, Object.create(code, {saveBytecode: {value: true}}));
  evaluate(code, {loadBytecode: true});
}) + ")();");
gc();
print(g.f.toString());
Comment 4 • 9 years ago (Reporter)
Thanks Jan! With the testcase in comment 3:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f317d2cb357b
user:        Nicolas B. Pierron
date:        Thu Feb 20 07:09:34 2014 -0800
summary:     Bug 900789 - Instrument evaluate function to save/load the bytecode. r=luke

Nicolas, is bug 900789 a likely regressor?
Comment 5 • 9 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> summary: Bug 900789 - Instrument evaluate function to save/load the
> bytecode. r=luke
>
> Nicolas, is bug 900789 a likely regressor?

Yes, it is. And now that I modified the test case, I realized that this is an issue that I thought about for a long time for Gecko, but I never thought about making a JS test case about it :/

A simple test case which highlights the issue better is the following, and it does not require any JS shell argument any more:

var g1 = newGlobal();
var g2 = newGlobal();
var res = "function f(){}";
var code = cacheEntry(res + "; f();");
evaluate(code, {global:g1, compileAndGo: true, saveBytecode: {value: true}});
evaluate(code, {global:g2, loadBytecode: true});
gc();
assertEq(g2.f.toString(), res);
Flags: needinfo?(nicolas.b.pierron)
Comment 6 • 9 years ago (Assignee)
Attachment #8583894 - Flags: review?(luke)
Attachment #8583894 - Flags: feedback?(nicolas.b.pierron)
Updated • 9 years ago (Assignee)
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Comment 7 • 9 years ago
Comment on attachment 8583894 [details] [diff] [review]
When xdr-decoding a non-lazy but relazifiable function, don't forget to set up the source object on the LazyScript we create for it

Review of attachment 8583894 [details] [diff] [review]:
-----------------------------------------------------------------

Sounds good to me, maybe move it inside XDRRelazificationInfo to keep the symmetry in XDRScript.
Attachment #8583894 - Flags: feedback?(nicolas.b.pierron) → feedback+
Comment 8 • 9 years ago
Comment on attachment 8583894 [details] [diff] [review]
When xdr-decoding a non-lazy but relazifiable function, don't forget to set up the source object on the LazyScript we create for it

Review of attachment 8583894 [details] [diff] [review]:
-----------------------------------------------------------------

Nice job tracking this down!
Attachment #8583894 - Flags: review?(luke) → review+
Comment 9 • 9 years ago (Assignee)
Attachment #8583950 - Flags: review?(luke)
Updated • 9 years ago (Assignee)
Attachment #8583894 - Attachment is obsolete: true
Updated • 9 years ago
Attachment #8583950 - Flags: review?(luke) → review+
Comment 10 • 9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/a88de895edc8
Comment 11 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/a88de895edc8
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Comment 12 • 8 years ago
A crash on RelazifyFunctions has occurred that may be related to this? (unsure, please confirm) See https://crash-stats.mozilla.com/report/index/11808ec6-947e-410c-acb1-674222160203
Flags: needinfo?(bzbarsky)
Comment 13 • 8 years ago (Assignee)
Unless this crash started happening 10 months ago, unlikely...
Flags: needinfo?(bzbarsky)