Closed Bug 1161762 Opened 10 years ago Closed 10 years ago

Crash [@ FinalizeArenas] or Crash [@ as<js::UnboxedPlainObject>] with --unboxed-objects

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla40
Tracking Status
firefox40 --- fixed

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision dc5f85980a82 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --thread-count=2 --unboxed-objects --ion-eager --ion-check-range-analysis):

function y(actual) {
  var test2 = {
    test4: actual + 6,
    test2: actual + 9,
    printStatus: actual + 10,
    isPrototypeOf: actual + 12,
    expect: actual + 14,
    printErr: actual + 17,
    ret2: actual + 19,
    printBugNumber: actual + 32,
    test3: actual + 33,
    String: actual + 34,
    summary: actual + 40,
    test1: actual + 42,
    Array: actual + 43,
    BUGNUMBER: actual + 44,
    assertEq: actual + 45,
    __call__: actual + 47,
    x: actual + 48,
    test0: actual + 49,
    res: actual + 50
  };
  y();
}
y();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7edc700 (LWP 37845)]
0x00000000008bba73 in FinalizeArenas (fop=fop@entry=0x7ffff7edbd50, src=src@entry=0x7ffff7edac98, dest=..., thingKind=thingKind@entry=js::gc::OBJECT16_BACKGROUND, budget=..., keepArenas=js::gc::ArenaLists::KEEP_ARENAS) at js/src/jsobj.h:121
#0  0x00000000008bba73 in FinalizeArenas (fop=fop@entry=0x7ffff7edbd50, src=src@entry=0x7ffff7edac98, dest=..., thingKind=thingKind@entry=js::gc::OBJECT16_BACKGROUND, budget=..., keepArenas=js::gc::ArenaLists::KEEP_ARENAS) at js/src/jsobj.h:121
#1  0x00000000008bd090 in js::gc::ArenaLists::backgroundFinalize (fop=fop@entry=0x7ffff7edbd50, listHead=0x0, empty=empty@entry=0x7ffff7edbd30) at js/src/jsgc.cpp:2809
#2  0x00000000008bd2a4 in js::gc::GCRuntime::sweepBackgroundThings (this=this@entry=0x7ffff693c330, zones=..., threadType=threadType@entry=js::BackgroundThread, freeBlocks=...) at js/src/jsgc.cpp:3242
#3  0x00000000008bd501 in sweepBackgroundThings (threadType=js::BackgroundThread, freeBlocks=..., zones=..., this=0x7ffff693c330) at js/src/jsgc.cpp:3485
#4  js::GCHelperState::doSweep (this=this@entry=0x7ffff6944410, lock=...) at js/src/jsgc.cpp:3485
#5  0x00000000008bd5f8 in js::GCHelperState::work (this=0x7ffff6944410) at js/src/jsgc.cpp:3368
#6  0x0000000000556ef8 in js::HelperThread::handleGCHelperWorkload (this=this@entry=0x7ffff694c200) at js/src/vm/HelperThreads.cpp:1370
#7  0x0000000000562ffb in js::HelperThread::threadLoop (this=0x7ffff694c200) at js/src/vm/HelperThreads.cpp:1428
#8  0x00000000005b2379 in nspr::Thread::ThreadRoutine (arg=0x7ffff69301c0) at js/src/vm/PosixNSPR.cpp:45
#9  0x00007ffff7bc4182 in start_thread (arg=0x7ffff7edc700) at pthread_create.c:312
#10 0x00007ffff6cb3fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

rax            0x7ff8000000000000   9221120237041090560
rbx            0x7ffff525a240       140737306272320
rcx            0xb448               46152
rdx            0x100                256
rsi            0x2d1                721
rdi            0x7ffff525a1a0       140737306272160
rbp            0x7ffff525b000       140737306275840
rsp            0x7ffff7edabc0       140737352936384
r8             0x7ffff7edac40       140737352936512
r9             0x5d3fffff           1564475391
r10            0x2000               8192
r11            0x7ffff6a00121       140737331069217
r12            0x7ffff525a060       140737306271840
r13            0x7ffff525a000       140737306271744
r14            0xa0                 160
r15            0x0                  0
rip            0x8bba73             <FinalizeArenas(js::FreeOp*, js::gc::ArenaHeader**, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&, js::gc::ArenaLists::KeepArenasEnum)+1187>

=> 0x8bba73 <FinalizeArenas(js::FreeOp*, js::gc::ArenaHeader**, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&, js::gc::ArenaLists::KeepArenasEnum)+1187>:   mov (%rax),%rax
   0x8bba76 <FinalizeArenas(js::FreeOp*, js::gc::ArenaHeader**, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&, js::gc::ArenaLists::KeepArenasEnum)+1190>:   mov 0x50(%rax),%rdx
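A reproduction and triage harness for the report above, added here as an example; it is not part of the bug, of the attached patch, or of Mozilla's own fuzzing tooling. It assumes a SpiderMonkey shell built with the configure flags quoted in the report is available at $JS_SHELL (default ./js); the file name bug1161762.js and the classify_status helper are this harness's own inventions, while the testcase and the run-time flags are copied verbatim from the report. One point worth checking in the register dump while triaging: at the faulting mov (%rax),%rax, rax holds 0x7ff8000000000000, the bit pattern of a quiet NaN, which is consistent with every actual + N property being NaN once y() recurses without an argument, i.e. a property slot value rather than an object pointer reaching the finalizer's load.

```shell
#!/bin/sh
# Triage harness for the crash above (added example, not from the bug).
# Assumption: a js shell built as described in the report is at $JS_SHELL.
set -u

JS_SHELL="${JS_SHELL:-./js}"
TESTCASE="${TESTCASE:-bug1161762.js}"   # file name is this harness's choice

# Exact run-time flags from the report. --thread-count=2 gives the GC a
# helper thread, and the backtrace shows the fault on that thread
# (GCHelperState::doSweep -> backgroundFinalize -> FinalizeArenas).
JS_FLAGS="--fuzzing-safe --thread-count=2 --unboxed-objects --ion-eager --ion-check-range-analysis"

# Write the reporter's testcase: a 19-property object literal built on every
# frame of unbounded recursion, so objects of this shape pile up until the
# stack overflows and the GC has to finalize them in bulk.
write_testcase() {
    cat > "$1" <<'EOF'
function y(actual) {
  var test2 = {
    test4: actual + 6, test2: actual + 9, printStatus: actual + 10,
    isPrototypeOf: actual + 12, expect: actual + 14, printErr: actual + 17,
    ret2: actual + 19, printBugNumber: actual + 32, test3: actual + 33,
    String: actual + 34, summary: actual + 40, test1: actual + 42,
    Array: actual + 43, BUGNUMBER: actual + 44, assertEq: actual + 45,
    __call__: actual + 47, x: actual + 48, test0: actual + 49, res: actual + 50
  };
  y();
}
y();
EOF
}

# Map the shell's exit status to a triage verdict. A POSIX shell reports a
# child killed by signal N as 128+N, so SIGSEGV (11) appears as 139 and
# SIGABRT (6, e.g. an assertion in a debug build) as 134.
classify_status() {
    case "$1" in
        0)   echo "clean" ;;
        139) echo "crash:SIGSEGV" ;;
        134) echo "crash:SIGABRT" ;;
        *)
            if [ "$1" -gt 128 ]; then
                echo "crash:signal$(( $1 - 128 ))"
            else
                echo "error:exit$1"
            fi
            ;;
    esac
}

# Run the testcase under the reported flags and print the verdict.
run_repro() {
    write_testcase "$TESTCASE"
    # JS_FLAGS is deliberately unquoted so it word-splits into separate flags.
    "$JS_SHELL" $JS_FLAGS "$TESTCASE" >/dev/null 2>&1
    classify_status $?
}

# Only execute when invoked as "sh harness.sh run" with a shell present;
# sourcing the file just defines the helpers.
if [ "${1:-}" = "run" ] && [ -x "$JS_SHELL" ]; then
    run_repro
fi
```

To get the same backtrace as the report once the verdict is crash:SIGSEGV, run the shell under gdb with the same flags (gdb --args "$JS_SHELL" $JS_FLAGS "$TESTCASE") and issue bt and info registers at the fault; the helper-thread frames in the report are what distinguish a background-sweep crash from a main-thread one.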
Attached patch: patch
Yikes, good catch.
Assignee: nobody → bhackett1024
Attachment #8602269 - Flags: review?(jdemooij)
Attachment #8602269 - Flags: review?(jdemooij) → review+
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40