Closed
Bug 1156992
Opened 9 years ago
Closed 9 years ago
Crash [@ js::GCMarker::restoreValueArray] involving --unboxed-objects
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1149498
| Tracking | Status | |
|---|---|---|
| firefox40 | --- | affected |
People
(Reporter: gkw, Unassigned)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
|
7.22 KB,
text/plain
|
Details |
pct = {}
e = {}
try {
[]
} catch (e) {}
try {
a(function()function() {})
} catch (e) {}
try {
rhe = 0
hhe
} catch (e) {}
try {
[]
} catch (e) {}
try {
(function()({})([]))()
} catch (e) {}
try {
a, {}
} catch (e) {}
try {
(function() {
for (let y in []);
})({})
} catch (e) {}
try {
(function() functionhul)()
} catch (e) {}
try {
fvh == {}
} catch (e) {}
try {
(function()[])()
} catch (ee) {}
try {
({
y
})
} catch (e) {}
try {
(function() y = {})()
} catch (e) {}
try {
o
} catch (e) {}
try {
(function()(g, function() {
try {} catch (e0) {}
}))()
} catch (e) {}
try {
with(x);
} catch (e) {}
try {
[]
} catch (e) {}
try {
n
} catch (e) {}
try {
(function() hy5 = function() {
hnh
}([]))()
} catch (e) {}
try {
x
} catch (e) {}
try {
a
} catch (e) {}
try {
g
} catch (e) {}
try {
owz
} catch (e) {}
try {
[](function()[{
f() {}
}({
ffn() {}
})({
g() {}
})(function() {})])
} catch (e) {}
try {
gcslice(6220)
ewt
} catch (e) {}
try {
s = new String
} catch (e) {}
try {
a
} catch (e) {}
try {
(function()function() {}[{
gon() {}
}({
f: {}
})])(function()function() {})
} catch (e) {}
try {
x(function()function() {})
} catch (e) {}
try {
vrs
} catch (e) {}
try {
y()
} catch (e) {}
try {
are = new SharedArrayBuffer
ar0 = new Uint8Array
DataView.e[0]
} catch (e) {}
try {
es
} catch (e) {}
try {
(function() {
y = function() {}
n
})()
} catch (e) {}
try {
s0
} catch (e) {}
try {
(function()function() Math([]))(function() hy0 = function() {})()
} catch (e) {}
try {
g
} catch (e) {}
try {
(function() hy3 = function() {
hnd
}([]))()
} catch (e) {}
try {
for each(let a in [
true,
1,
Number,
1,
new Number,
true,
Boolean,
true,
true,
true,
true,
true,
true,
Boolean,
true,
Boolean,
true,
true,
true,
1,
1,
true,
new Boolean
])
for each(let e in [{
x: 3
}, {
x: 3
}, {
x: 3
} - 0, {
x: 3
}, {
x: 3
}, {
x: 3
}, {
x: 3
} - {
x: 3
}, {
x: 3
}, {
x: 3
}, {
x: 3
}, {
x: 3
}, {
x: 3
} - 0, {
x: 3
}, {
x: 3
} - 0, {
x: 3
}, {
x: 3
}, {
x: 3
}, {
x: 3
}, {
x: 3
}, {}, {
x: 3
}, {
x: 3
}, {
x: 3
}, {
x: 3
}])({})
} catch (e) {}
try {} catch (e) {}
try {
(function()function()function() hy4 = function() {}([0]))(function()function() {})
} catch (e) {}
try {
(function() hy2 = (function() hot)())()
} catch (e) {}
try {
[](function()function() /x/ , {})
} catch (e) {}
crashes js opt shell on m-c changeset 50b95032152c with --fuzzing-safe --unboxed-objects --gc-zeal=10 --no-threads --no-baseline --ion-eager at js::GCMarker::restoreValueArray.
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-profiling --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/fuzzing/js/compileShell.py -b "--disable-debug --enable-more-deterministic --enable-nspr-build --enable-profiling" -r 50b95032152c
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6c8f5f47766c
user: Terrence Cole
date: Tue Apr 14 13:28:39 2015 -0700
summary: Bug 1154086 - Move DoTracing to Tracer.cpp; r=sfink
Not sure if this is related to --unboxed-objects or to bug 1154086, setting needinfo? from Brian as a start.Flags: needinfo?(bhackett1024)
|
Reporter | |
Comment 1•9 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x5b929c, 0x0000000100110099 js-64-prof-dm-nsprBuild-darwin-50b95032152c`js::GCMarker::restoreValueArray(js::NativeObject*, void**, void**) [inlined] js::shadow::Object::numFixedSlots() const + 4 at jsfriendapi.h:578, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10)
* frame #0: 0x0000000100110099 js-64-prof-dm-nsprBuild-darwin-50b95032152c`js::GCMarker::restoreValueArray(js::NativeObject*, void**, void**) [inlined] js::shadow::Object::numFixedSlots() const + 4 at jsfriendapi.h:578
frame #1: 0x0000000100110095 js-64-prof-dm-nsprBuild-darwin-50b95032152c`js::GCMarker::restoreValueArray(js::NativeObject*, void**, void**) [inlined] js::NativeObject::numFixedSlots(this=0x000000010329e400) const at NativeObject.h:574
frame #2: 0x0000000100110095 js-64-prof-dm-nsprBuild-darwin-50b95032152c`js::GCMarker::restoreValueArray(this=<unavailable>, obj=0x000000010329e400, vpp=0x00007fff5fbfe750, endp=0x00007fff5fbfe748) + 53 at Marking.cpp:1398
frame #3: 0x0000000100110176 js-64-prof-dm-nsprBuild-darwin-50b95032152c`js::GCMarker::processMarkStackOther(this=0x000000010216efb8, tag=<unavailable>, addr=4348044288) + 54 at Marking.cpp:1428
frame #4: 0x0000000100110845 js-64-prof-dm-nsprBuild-darwin-50b95032152c`js::GCMarker::drainMarkStack(this=0x000000010216efb8, budget=0x00007fff5fbfe8e8) + 53 at Marking.cpp:1670
(lldb)|
|
Reporter | |
Updated•9 years ago
|
Summary: Crash [@ js::GCMarker::restoreValueArray] → Crash [@ js::GCMarker::restoreValueArray] involving --unboxed-objects
|
||
Comment 2•9 years ago
|
||
I can't reproduce this but it's probably a dupe of bug 1149498.
Flags: needinfo?(bhackett1024)
|
|
Reporter | |
Comment 3•9 years ago
|
||
Can no longer reproduce using m-c rev 22a157f7feb7, assuming dupe to bug 1149498.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•