Closed
Bug 1161362
Opened 9 years ago
Closed 9 years ago
Crash [@ js::CallObject::createTemplateObject] or Crash [@ numFixedSlots] with Debugger
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
mozilla40
(Reporter: decoder, Unassigned)
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,bisect])
The following testcase crashes on mozilla-central revision dc5f85980a82 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --thread-count=2 --unboxed-objects --ion-eager --ion-check-range-analysis): var lfcode = new Array(); function t() {} lfcode.push("var dbg = Debugger(t); dbg.onEnterFrame = function (frame) { env = frame.environment; };"); lfcode.push("Function.prototype(1,true,false,'string', new Boolean(),null)"); while (true) { var file = lfcode.shift(); if (file == undefined) { break; } loadFile(file) } function loadFile(lfVarx) { try { var lfGlobal = newGlobal(); for (lfLocal in this) { if (!(lfLocal in lfGlobal)) lfGlobal[lfLocal] = this[lfLocal]; } lfGlobal.offThreadCompileScript(lfVarx); lfGlobal.runOffThreadScript(); evaluate(lfVarx, { noScriptRval : true, compileAndGo : true }); } catch (lfVare) {} } Backtrace: Program received signal SIGSEGV, Segmentation fault. js::CallObject::createTemplateObject (cx=cx@entry=0x7ffff69820f0, script=script@entry=..., heap=js::gc::DefaultHeap) at js/src/vm/ScopeObject.cpp:186 #0 js::CallObject::createTemplateObject (cx=cx@entry=0x7ffff69820f0, script=script@entry=..., heap=js::gc::DefaultHeap) at js/src/vm/ScopeObject.cpp:186 #1 0x00000000005e352f in js::CallObject::create (cx=cx@entry=0x7ffff69820f0, script=script@entry=..., enclosing=..., enclosing@entry=..., callee=...) at js/src/vm/ScopeObject.cpp:211 #2 0x00000000005e3d3f in js::CallObject::createForFunction (cx=cx@entry=0x7ffff69820f0, enclosing=..., enclosing@entry=..., callee=..., callee@entry=...) at js/src/vm/ScopeObject.cpp:245 #3 0x00000000005e3e0e in js::CallObject::createForFunction (cx=cx@entry=0x7ffff69820f0, frame=...) at js/src/vm/ScopeObject.cpp:257 #4 0x00000000005ebe7b in GetDebugScopeForMissing (si=..., cx=0x7ffff69820f0) at js/src/vm/ScopeObject.cpp:2397 #5 GetDebugScope (cx=0x7ffff69820f0, si=...) 
at js/src/vm/ScopeObject.cpp:2469 #6 0x00000000005ec6e7 in js::GetDebugScopeForFrame (cx=cx@entry=0x7ffff69820f0, frame=..., pc=pc@entry=0x7ffff6904169 "\231") at js/src/vm/ScopeObject.cpp:2497 #7 0x0000000000579085 in DebuggerFrame_getEnvironment (cx=cx@entry=0x7ffff69820f0, argc=argc@entry=0, vp=vp@entry=0x7fffffff94d0) at js/src/vm/Debugger.cpp:5833 #8 0x00000000006adba8 in js::jit::DoCallNativeGetter (cx=0x7ffff69820f0, callee=..., obj=..., result=...) at js/src/jit/BaselineIC.cpp:1661 #9 0x00007ffff7feefec in ?? () [...] #46 0x00007ffff69820f0 in ?? () #47 0x00000000006ab1bb in EnterBaseline (cx=0x7fffffff9570, cx@entry=0x7ffff69820f0, data=...) at js/src/jit/BaselineJIT.cpp:125 #48 0x00000000006b5a5b in js::jit::EnterBaselineMethod (cx=cx@entry=0x7ffff69820f0, state=...) at js/src/jit/BaselineJIT.cpp:156 #49 0x000000000058bb64 in js::RunScript (cx=cx@entry=0x7ffff69820f0, state=...) at js/src/vm/Interpreter.cpp:667 #50 0x000000000058be6d in js::Invoke (cx=cx@entry=0x7ffff69820f0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746 #51 0x000000000058d2ea in js::Invoke (cx=cx@entry=0x7ffff69820f0, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffa320, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:783 #52 0x000000000058eb2c in js::Debugger::fireEnterFrame (this=this@entry=0x7ffff69a0400, cx=cx@entry=0x7ffff69820f0, frame=..., vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1242 #53 0x000000000058eef4 in js::Debugger::slowPathOnEnterFrame (cx=cx@entry=0x7ffff69820f0, frame=...) at js/src/vm/Debugger.cpp:564 #54 0x00000000008267ed in onEnterFrame (frame=..., cx=0x7ffff69820f0) at js/src/vm/Debugger-inl.h:42 #55 js::jit::DebugPrologue (cx=0x7ffff69820f0, frame=0x7fffffffa558, pc=0x7ffff6904169 "\231", mustReturn=0x7fffffffa51c) at js/src/jit/VMFunctions.cpp:662 #56 0x00007ffff7ff0e64 in ?? () #57 0x000000000000023d in ?? () #58 0x00007fffffffa51c in ?? () #59 0x00007fffffffa528 in ?? 
() #60 0x0000000000000001 in ?? () #61 0x0000000001726f00 in StrictEvalPrologueInfo () #62 0x00007ffff52527f0 in ?? () [...] #95 0x00007ffff69820f0 in ?? () #96 0x00000000006ab1bb in EnterBaseline (cx=0x7fffffffa598, cx@entry=0x7ffff69820f0, data=...) at js/src/jit/BaselineJIT.cpp:125 #97 0x00000000006b5a5b in js::jit::EnterBaselineMethod (cx=cx@entry=0x7ffff69820f0, state=...) at js/src/jit/BaselineJIT.cpp:156 #98 0x000000000058bb64 in js::RunScript (cx=cx@entry=0x7ffff69820f0, state=...) at js/src/vm/Interpreter.cpp:667 #99 0x000000000058be6d in js::Invoke (cx=cx@entry=0x7ffff69820f0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746 #100 0x000000000058d2ea in js::Invoke (cx=cx@entry=0x7ffff69820f0, thisv=..., fval=..., argc=argc@entry=6, argv=argv@entry=0x7fffffffb5c8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:783 #101 0x000000000071b7ee in js::jit::DoCallFallback (cx=0x7ffff69820f0, frame=0x7fffffffb658, stub_=0x7ffff50fd358, argc=6, vp=0x7fffffffb5b8, res=...) at js/src/jit/BaselineIC.cpp:10212 #102 0x00007ffff7fedf84 in ?? () [...] #127 0xfffc7ffff5300030 in ?? () rax 0x0 0 rbx 0x7ffff69820f0 140737330553072 rcx 0x152ab 86699 rdx 0x7fffffff8a10 140737488325136 rsi 0xb 11 rdi 0x7ffff6982120 140737330553120 rbp 0x7fffffff8af0 140737488325360 rsp 0x7fffffff89f0 140737488325104 r8 0x0 0 r9 0xf942b288 4181897864 r10 0x7ffff69820f0 140737330553072 r11 0x7ffff5021540 140737303942464 r12 0x0 0 r13 0x7fffffff89f0 140737488325104 r14 0x7fffffff8ad0 140737488325328 r15 0x578f20 5738272 rip 0x5e3409 <js::CallObject::createTemplateObject(JSContext*, JS::Handle<JSScript*>, js::gc::InitialHeap)+121> => 0x5e3409 <js::CallObject::createTemplateObject(JSContext*, JS::Handle<JSScript*>, js::gc::InitialHeap)+121>: mov 0x10(%rax),%eax 0x5e340c <js::CallObject::createTemplateObject(JSContext*, JS::Handle<JSScript*>, js::gc::InitialHeap)+124>: shr $0x1b,%eax
Comment 1•9 years ago
This fuzz test is trying to get the frame.environment of a frame inside Function.prototype, which has a nullptr callObjShape; the crash site in js::CallObject::createTemplateObject is consistent with dereferencing that null shape (rax is 0 at the faulting `mov 0x10(%rax),%eax` in the backtrace above). I'm trying to reduce the test but I don't have the enthusiasm to try very hard.
Attachment #8601337 -
Flags: review?(jimb)
Comment 2•9 years ago
The following crashes for me, same stack. var g = newGlobal(); var dbg = new Debugger(g); dbg.onEnterFrame = function (frame) { frame.environment; }; g.Function.prototype();
Comment 3•9 years ago
Comment on attachment 8601337 [details] [diff] [review] When initializing a trivial script, also initialize its call object shape to the empty shape. Review of attachment 8601337 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for the fix. r=me with some test case added, either mine, the original, or something you came up with. But it must have a test.
Attachment #8601337 -
Flags: review?(jimb) → review+
Comment 5•9 years ago
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/27bd818ba469 for Linux64 debug cgc failures like https://treeherder.mozilla.org/logviewer.html#?job_id=9620747&repo=mozilla-inbound
Updated•9 years ago
Flags: needinfo?(shu)
Comment 6•9 years ago
This patch perturbed GC state enough to surface an independent bug. Filed bug 1161362.
Flags: needinfo?(shu)
Updated•9 years ago
https://hg.mozilla.org/mozilla-central/rev/4923c566a7f2
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40