Closed
Bug 1142844
Opened 9 years ago
Closed 9 years ago
Crash [@ js::LazyScript::scriptSource]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla39
| Tracking | Status | |
|---|---|---|
| firefox39 | --- | fixed |
People
(Reporter: gkw, Assigned: bzbarsky)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files, 1 obsolete file)
|
7.59 KB,
text/plain
|
Details | |
|
3.68 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
// Randomly chosen test: js/src/jit-test/tests/basic/bug1057571.js (function() { code = cacheEntry("function f(){}f()") code.compileAndGo = true; evaluate(code, Object.create(code, { saveBytecode: { value: true } })) evaluate(code, { loadBytecode: true }) })() // jsfunfuzz-generated code relazifyFunctions() this instanceof this crashes js debug shell on m-c changeset 30916c9ca768 with --fuzzing-safe --no-threads --no-baseline --no-ion at js::LazyScript::scriptSource. Configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh ~/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 30916c9ca768 autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/eb6e90404b76 parent: 224399:b86864fd9d60 user: Jan de Mooij date: Sat Jan 17 12:54:03 2015 +0100 summary: Bug 1116760 - Add a shell function to test function relazification. r=till Jan, did bug 1116760 expose the issue?
Flags: needinfo?(jdemooij)
|
Reporter | |
Comment 1•9 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x5e5ca, 0x000000010084f693 js-dbg-64-dm-nsprBuild-darwin-30916c9ca768`js::LazyScript::scriptSource() const [inlined] JSObject::getClass() const at jsobj.h:130, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x000000010084f693 js-dbg-64-dm-nsprBuild-darwin-30916c9ca768`js::LazyScript::scriptSource() const [inlined] JSObject::getClass() const at jsobj.h:130
frame #1: 0x000000010084f693 js-dbg-64-dm-nsprBuild-darwin-30916c9ca768`js::LazyScript::scriptSource() const [inlined] js::NativeObject::getReservedSlot(this=<unavailable>, index=<unavailable>) const at NativeObject.h:824
frame #2: 0x000000010084f693 js-dbg-64-dm-nsprBuild-darwin-30916c9ca768`js::LazyScript::scriptSource() const [inlined] js::LazyScript::sourceObject(this=<unavailable>, this=0x0000000000000000) const + 31 at jsscript.h:706
frame #3: 0x000000010084f674 js-dbg-64-dm-nsprBuild-darwin-30916c9ca768`js::LazyScript::scriptSource(this=<unavailable>) const + 4 at jsscript.h:1910
frame #4: 0x00000001007d2ca3 js-dbg-64-dm-nsprBuild-darwin-30916c9ca768`JSFunction::createScriptForLazilyInterpretedFunction(cx=0x0000000101e028a0, fun=<unavailable>) + 1539 at jsfun.cpp:1470
(lldb)
|
||
Comment 2•9 years ago
|
||
Here's a simpler test, does not require --enable-more-deterministic:
(function() {
var code = cacheEntry("function f(){}; f();");
code.compileAndGo = true;
evaluate(code, Object.create(code, {saveBytecode: {value: true}}));
evaluate(code, {loadBytecode: true});
})();
relazifyFunctions();
print(f.toSource());
And here's one without relazifyFunctions:
var g = newGlobal();
g.eval(`
(function() {
var code = cacheEntry("function f(){}; f();");
code.compileAndGo = true;
evaluate(code, Object.create(code, {saveBytecode: {value: true}}));
evaluate(code, {loadBytecode: true});
})();
`);
gc();
print(g.f.toString());
Gary, can you try autoBisect on this one? :)|
|
||
Updated•9 years ago
|
Flags: needinfo?(gary)
|
|
||
Comment 3•9 years ago
|
||
I just realized template strings are fairly new and that may confuse autoBisect. Try this one:
var g = newGlobal();
g.eval("(" + (function() {
var code = cacheEntry("function f(){}; f();");
code.compileAndGo = true;
evaluate(code, Object.create(code, {saveBytecode: {value: true}}));
evaluate(code, {loadBytecode: true});
}) + ")();");
gc();
print(g.f.toString());|
|
Reporter | |
Comment 4•9 years ago
|
||
Thanks Jan! With the testcase in comment 3: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/f317d2cb357b user: Nicolas B. Pierron date: Thu Feb 20 07:09:34 2014 -0800 summary: Bug 900789 - Instrument evaluate function to save/load the bytecode. r=luke Nicolas, is bug 900789 a likely regressor?
|
||
Comment 5•9 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4) > summary: Bug 900789 - Instrument evaluate function to save/load the > bytecode. r=luke > > Nicolas, is bug 900789 a likely regressor? Yes, it is. And now that I modified the test case, I realized that this is an issue that I thought about for a long time for Gecko but I never thought about making a JS test case about it :/ A simple test case which highlight better what is the issue is the following, and it does not require any JS shell argument any more: var g1 = newGlobal(); var g2 = newGlobal(); var res = "function f(){}"; var code = cacheEntry(res + "; f();"); evaluate(code, {global:g1, compileAndGo: true, saveBytecode: {value: true}}); evaluate(code, {global:g2, loadBytecode: true}); gc(); assertEq(g2.f.toString(), res);
Flags: needinfo?(nicolas.b.pierron)
|
|
Assignee | |
Comment 6•9 years ago
|
||
Attachment #8583894 -
Flags: review?(luke)
Attachment #8583894 -
Flags: feedback?(nicolas.b.pierron)
|
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
|
|
||
Comment 7•9 years ago
|
||
Comment on attachment 8583894 [details] [diff] [review] When xdr-decoding a non-lazy but relazifiable function, don't forget to set up the source object on the LazyScript we create for it Review of attachment 8583894 [details] [diff] [review]: ----------------------------------------------------------------- Sounds good to me, maybe move it inside XDRRelazificationInfo to keep the symetry in XDRScript.
Attachment #8583894 -
Flags: feedback?(nicolas.b.pierron) → feedback+
|
|
||
Comment 8•9 years ago
|
||
Comment on attachment 8583894 [details] [diff] [review] When xdr-decoding a non-lazy but relazifiable function, don't forget to set up the source object on the LazyScript we create for it Review of attachment 8583894 [details] [diff] [review]: ----------------------------------------------------------------- Nice job tracking this down!
Attachment #8583894 -
Flags: review?(luke) → review+
|
|
Assignee | |
Comment 9•9 years ago
|
||
Attachment #8583950 -
Flags: review?(luke)
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8583894 -
Attachment is obsolete: true
|
|
||
Updated•9 years ago
|
Attachment #8583950 -
Flags: review?(luke) → review+
|
|
Assignee | |
Comment 10•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/a88de895edc8
|
||
Comment 11•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/a88de895edc8
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
|
||
Comment 12•8 years ago
|
||
An crash on RelazifyFunctions has occured that may be related to this? (unsure, please confirm) see https://crash-stats.mozilla.com/report/index/11808ec6-947e-410c-acb1-674222160203
Flags: needinfo?(bzbarsky)
|
|
Assignee | |
Comment 13•8 years ago
|
||
Unless this crash started happening 10 months ago, unlikely...
Flags: needinfo?(bzbarsky)
You need to log in
before you can comment on or make changes to this bug.
Description
•