1177898 - Crash [@ js::CloneFunctionObjectIfNotSingleton]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 0b2f5e8b7be5 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):

test();
function test() {
  try {
    var Class = {
      create: function() {
        return function() {
          this.initialize.apply(this, arguments);
        }
      }
    }
    test();
    Class.create();
  } catch(ex) {}
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::CloneFunctionObjectIfNotSingleton (cx=0x7ffff691b4e0, fun=..., parent=..., proto=..., newKind=<optimized out>) at js/src/jsfuninlines.h:92
#0  js::CloneFunctionObjectIfNotSingleton (cx=0x7ffff691b4e0, fun=..., parent=..., proto=..., newKind=<optimized out>) at js/src/jsfuninlines.h:92
#1  0x000000000065e515 in js::Lambda (cx=cx@entry=0x7ffff691b4e0, fun=fun@entry=..., parent=...) at js/src/vm/Interpreter.cpp:4166
#2  0x000000000067bcc0 in Interpret (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:3414
#3  0x0000000000687943 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:653
#4  0x00000000006880fb in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:729
#5  0x0000000000689cc9 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffffe005d8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:766
#6  0x00000000008b65aa in js::jit::DoCallFallback (cx=0x7ffff691b4e0, frame=0x7fffffe00618, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffe005c8, res=...) at js/src/jit/BaselineIC.cpp:9859
#7  0x00007ffff7feebdf in ?? ()
#8  0x0000000000000008 in ?? ()
#9  0x00007fffffe00580 in ?? ()
#10 0xfff9000000000000 in ?? ()
#11 0x0000000001a69d00 in js::jit::DoSpreadCallFallbackInfo ()
#12 0x00007ffff7e51a90 in ?? ()
#13 0x00007ffff7ff23c3 in ?? ()
#14 0x0000000000000402 in ?? ()
#15 0x00007fffffe00618 in ?? ()
#16 0x00007ffff6997790 in ?? ()
#17 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff691b4e0	140737330132192
rcx	0x7fffffdff460	140737486255200
rdx	0x7ffff691b4f8	140737330132216
rsi	0x1	1
rdi	0x7fffffdfef98	140737486253976
rbp	0x7fffffdff0f0	140737486254320
rsp	0x7fffffdff080	140737486254208
r8	0x1	1
r9	0x7ffff6a00288	140737331069576
r10	0x7ffff6991058	140737330614360
r11	0x1a52b00	27601664
r12	0x0	0
r13	0x7fffffdff0a0	140737486254240
r14	0x19f3280	27210368
r15	0x7fffffdff470	140737486255216
rip	0x6c158b <js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::NewObjectKind)+507>
=> 0x6c158b <js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::NewObjectKind)+507>:	mov    0x60(%rax),%rax
   0x6c158f <js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::NewObjectKind)+511>:	lea    -0x60(%rbp),%rdi

Comment 1

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150621092643" and the hash "7959ffacd30f".
The "bad" changeset has the timestamp "20150621122442" and the hash "cc5d4eaf1a5e".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7959ffacd30f&tochange=cc5d4eaf1a5e

Comment 2

[Shu-yu Guo [:shu]]

Attachment: Fix error checking in CloneFunctionObjectIfNotSingleton.

Oops, stupid mistake from bug 1165486.

Comment 3

[Eric Faust [:efaust]]

Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.

Review of attachment 8627262 [details] [diff] [review]:
-----------------------------------------------------------------

Oops. Yup. Nice find.

Comment 4

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/cc68ce01105f

Comment 5

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/cc68ce01105f

Comment 7

[(Away)]

Can we get this uplifted to 41? It's somewhat high on the crash charts there.

Comment 8

[(Away)]

Eric, maybe you could fill out the uplift form for Shu? For a patch this trivial, I am half tempted to do it myself, but I probably shouldn't.

Comment 9

[Shu-yu Guo [:shu]]

Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.

Approval Request Comment
[Feature/regressing bug #]: 1165486
[User impact if declined]: crashes?
[Describe test coverage new/current, TreeHerder]: central on TH
[Risks and why]: low, bugfix only
[String/UUID change made/needed]: none

Comment 10

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.

This patch has been in Nightly for two months so seems safe to uplift to Aurora42 and Beta41. Also, the second crash signature has hits as recent as 41.0b5 so it makes sense to uplift.

Comment 11

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.

Clearing the Aurora flag because I am pretty sure this is already in 42, it was checked in when 42 was in Nightly.

Comment 12

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/4a90fe9e4d39