Closed
Bug 1151958
Opened 9 years ago
Closed 9 years ago
Crash [@ js::CompartmentChecker::fail] with shell-only findPath function
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
WORKSFORME
| Tracking | Status |
---|---|---|
firefox40 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])
The following testcase crashes on mozilla-central revision ab0490972e1e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --enable-debug, run with --fuzzing-safe):

function foo() {
    e = newGlobal().findPath;
    e( arguments, "s" );
}
foo();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x081dc036 in js::CompartmentChecker::fail (c1=0xf7a48c00, c2=0xf7a3e800) at js/src/jscntxtinlines.h:49
#0 0x081dc036 in js::CompartmentChecker::fail (c1=0xf7a48c00, c2=0xf7a3e800) at js/src/jscntxtinlines.h:49
#1 0x081dc167 in check (c=<optimized out>, this=0xffffb4b0) at js/src/jscntxtinlines.h:70
#2 check (obj=<optimized out>, this=0xffffb4b0) at js/src/jscntxtinlines.h:81
#3 js::CompartmentChecker::check (this=0xffffb4b0, v=...) at js/src/jscntxtinlines.h:101
#4 0x086b4e16 in check<JS::Value> (handle=..., this=0xffffb4b0) at js/src/jscntxtinlines.h:91
#5 assertSameCompartment<JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JSObject*, JSObject*> (t5=<optimized out>, t4=<optimized out>, t3=<synthetic pointer>, t2=<synthetic pointer>, t1=<synthetic pointer>, cx=0xf7a6c040) at js/src/jscntxtinlines.h:217
#6 DefinePropertyById (cx=cx@entry=0xf7a6c040, obj=..., obj@entry=..., id=id@entry=..., value=value@entry=..., get=..., set=..., attrs=<optimized out>, attrs@entry=1, flags=0) at js/src/jsapi.cpp:2243
#7 0x086b5bd0 in DefineProperty (cx=cx@entry=0xf7a6c040, obj=..., obj@entry=..., name=name@entry=0x89ab7f2 "node", value=value@entry=..., getter=..., setter=..., attrs=attrs@entry=1, flags=0) at js/src/jsapi.cpp:2424
#8 0x086b5c7d in JS_DefineProperty (cx=cx@entry=0xf7a6c040, obj=obj@entry=..., name=name@entry=0x89ab7f2 "node", value=..., attrs=attrs@entry=1, getter=getter@entry=0x0, setter=setter@entry=0x0) at js/src/jsapi.cpp:2472
#9 0x081d2840 in FindPath (cx=0xf7a6c040, argc=2, vp=0xffffbc9c) at js/src/builtin/TestingFunctions.cpp:2284
#10 0x082990f6 in js::CallJSNative (cx=0xf7a6c040, native=0x81d2260 <FindPath(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:235
#11 0x0828caa6 in js::Invoke (cx=cx@entry=0xf7a6c040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:704
#12 0x0828db6c in js::Invoke (cx=cx@entry=0xf7a6c040, thisv=..., fval=..., argc=2, argv=0xf5bb90c8, rval=...) at js/src/vm/Interpreter.cpp:760
#13 0x08770b66 in js::DirectProxyHandler::call (this=this@entry=0x962c1c8 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0xf7a6c040, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#14 0x0877ad2d in js::CrossCompartmentWrapper::call (this=0x962c1c8 <js::CrossCompartmentWrapper::singleton>, cx=0xf7a6c040, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#15 0x0876f77a in js::Proxy::call (cx=cx@entry=0xf7a6c040, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391
#16 0x0876f80b in js::proxy_Call (cx=0xf7a6c040, argc=2, vp=0xf5bb90b8) at js/src/proxy/Proxy.cpp:697
#17 0x082990f6 in js::CallJSNative (cx=0xf7a6c040, native=0x876f7a0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#18 0x0828caa6 in js::Invoke (cx=0xf7a6c040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:704
#19 0x0827f682 in Interpret (cx=cx@entry=0xf7a6c040, state=...) at js/src/vm/Interpreter.cpp:2842
#20 0x0828c439 in js::RunScript (cx=cx@entry=0xf7a6c040, state=...) at js/src/vm/Interpreter.cpp:654
#21 0x082927c7 in js::ExecuteKernel (cx=cx@entry=0xf7a6c040, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:879
#22 0x08292b16 in js::Execute (cx=cx@entry=0xf7a6c040, script=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:919
#23 0x086a4b31 in ExecuteScript (cx=cx@entry=0xf7a6c040, obj=..., scriptArg=scriptArg@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4133
#24 0x086a4d56 in JS_ExecuteScript (cx=cx@entry=0xf7a6c040, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4155
#25 0x08068d21 in RunFile (compileOnly=false, file=0xf7af29e0, filename=0xffffcf7e "min.js", cx=0xf7a6c040) at js/src/shell/js.cpp:466
#26 Process (cx=cx@entry=0xf7a6c040, filename=0xffffcf7e "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:597
#27 0x080c3461 in ProcessArgs (op=0xffffcc20, cx=0xf7a6c040) at js/src/shell/js.cpp:5764
#28 Shell (envp=<optimized out>, op=0xffffcc20, cx=0xf7a6c040) at js/src/shell/js.cpp:6030
#29 main (argc=3, argv=0xffffcd74, envp=0xffffcd84) at js/src/shell/js.cpp:6372
eax 0x0 0
ebx 0x95f8414 157254676
ecx 0xf7e3b88c -136071028
edx 0x0 0
esi 0xffffb4b0 -19280
edi 0xf7a6c040 -140066752
ebp 0xffffb418 4294947864
esp 0xffffb400 4294947840
eip 0x81dc036 <js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)+70>
=> 0x81dc036 <js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)+70>: movl $0x31,0x0
0x81dc040 <js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)+80>: call 0x80666c0 <abort@plt>

Likely shell-only.
Reporter
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 1•9 years ago
JSBugMon: Bisection requested, failed due to error (try manually).
Reporter
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter
Comment 2•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision efe86609e776).
Comment 3•9 years ago
Does not repro and there's little to be gained from trying to bisect where it was fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME