Bug 1177898 - Crash [@ js::CloneFunctionObjectIfNotSingleton]
Status: RESOLVED FIXED (opened 10 years ago, closed 10 years ago)
Product/Component: Core :: JavaScript Engine (defect)
Target Milestone: mozilla42
Reporter: decoder; Assignee: shu
Keywords: crash, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 1.10 KB; efaust: review+; ritu: approval-mozilla-beta+
The following testcase crashes on mozilla-central revision 0b2f5e8b7be5 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):
test();
function test() {
  try {
    var Class = {
      create: function() {
        return function() {
          this.initialize.apply(this, arguments);
        }
      }
    }
    test();
    Class.create();
  } catch(ex) {}
}
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
js::CloneFunctionObjectIfNotSingleton (cx=0x7ffff691b4e0, fun=..., parent=..., proto=..., newKind=<optimized out>) at js/src/jsfuninlines.h:92
#0 js::CloneFunctionObjectIfNotSingleton (cx=0x7ffff691b4e0, fun=..., parent=..., proto=..., newKind=<optimized out>) at js/src/jsfuninlines.h:92
#1 0x000000000065e515 in js::Lambda (cx=cx@entry=0x7ffff691b4e0, fun=fun@entry=..., parent=...) at js/src/vm/Interpreter.cpp:4166
#2 0x000000000067bcc0 in Interpret (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:3414
#3 0x0000000000687943 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:653
#4 0x00000000006880fb in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:729
#5 0x0000000000689cc9 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffffe005d8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:766
#6 0x00000000008b65aa in js::jit::DoCallFallback (cx=0x7ffff691b4e0, frame=0x7fffffe00618, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffe005c8, res=...) at js/src/jit/BaselineIC.cpp:9859
#7 0x00007ffff7feebdf in ?? ()
#8 0x0000000000000008 in ?? ()
#9 0x00007fffffe00580 in ?? ()
#10 0xfff9000000000000 in ?? ()
#11 0x0000000001a69d00 in js::jit::DoSpreadCallFallbackInfo ()
#12 0x00007ffff7e51a90 in ?? ()
#13 0x00007ffff7ff23c3 in ?? ()
#14 0x0000000000000402 in ?? ()
#15 0x00007fffffe00618 in ?? ()
#16 0x00007ffff6997790 in ?? ()
#17 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff691b4e0 140737330132192
rcx 0x7fffffdff460 140737486255200
rdx 0x7ffff691b4f8 140737330132216
rsi 0x1 1
rdi 0x7fffffdfef98 140737486253976
rbp 0x7fffffdff0f0 140737486254320
rsp 0x7fffffdff080 140737486254208
r8 0x1 1
r9 0x7ffff6a00288 140737331069576
r10 0x7ffff6991058 140737330614360
r11 0x1a52b00 27601664
r12 0x0 0
r13 0x7fffffdff0a0 140737486254240
r14 0x19f3280 27210368
r15 0x7fffffdff470 140737486255216
rip 0x6c158b <js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::NewObjectKind)+507>
=> 0x6c158b <js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::NewObjectKind)+507>: mov 0x60(%rax),%rax
0x6c158f <js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::NewObjectKind)+511>: lea -0x60(%rbp),%rdi
Updated (Reporter, 10 years ago)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1 (Reporter, 10 years ago)
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150621092643" and the hash "7959ffacd30f".
The "bad" changeset has the timestamp "20150621122442" and the hash "cc5d4eaf1a5e".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7959ffacd30f&tochange=cc5d4eaf1a5e
Updated (10 years ago)
Flags: needinfo?(shu)

Comment 2 (Assignee, 10 years ago)
Oops, stupid mistake from bug 1165486.
Attachment #8627262 - Flags: review?(efaustbmo)
Updated (Assignee, 10 years ago)
Assignee: nobody → shu
Status: NEW → ASSIGNED
Flags: needinfo?(shu)

Comment 3 (10 years ago)
Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.
Review of attachment 8627262 [details] [diff] [review]:
-----------------------------------------------------------------
Oops. Yup. Nice find.
Attachment #8627262 - Flags: review?(efaustbmo) → review+
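The attachment title names the bug class: a clone routine whose failure result is used without a check, which under the testcase's over-recursion shows up as a NULL dereference (rax is 0 at the faulting `mov 0x60(%rax),%rax`). The following C program is an added illustration of that pattern and is not SpiderMonkey code or the actual patch; `Context`, `clone_function`, `lambda_unchecked`, `lambda_checked` and `simulate_testcase` are hypothetical names that stand in for the engine's context, the clone call and its callers.

```c
/* Added illustration (not SpiderMonkey code): a clone routine that can fail
 * under resource pressure, with an unchecked caller beside a checked one. */
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical "function object": a name plus an environment pointer. */
typedef struct FunctionObject {
    const char *name;
    const struct FunctionObject *parent;
} FunctionObject;

/* Hypothetical engine context: recursion depth, its limit and an error flag,
 * standing in for the over-recursion check and the pending exception. */
typedef struct Context {
    int depth;
    int max_depth;
    int has_pending_error;
} Context;

/* Result of the simulated testcase run. */
typedef struct SimResult {
    int created;        /* lambdas created before the failure */
    int error_raised;   /* 1 if the failure was reported instead of crashing */
} SimResult;

/* Clone a function object. Returns NULL and records an error when the
 * recursion budget is exhausted or allocation fails; callers must check. */
FunctionObject *clone_function(Context *cx, const FunctionObject *fun) {
    if (cx->depth > cx->max_depth) {
        cx->has_pending_error = 1;   /* over-recursed: report, do not allocate */
        return NULL;
    }
    FunctionObject *clone = malloc(sizeof *clone);
    if (!clone) {
        cx->has_pending_error = 1;   /* out of memory: report */
        return NULL;
    }
    clone->name = fun->name;
    clone->parent = fun->parent;
    return clone;
}

/* Buggy caller shape: consumes the result without checking it. With a NULL
 * result this dereferences address 0 plus the field offset, the same shape as
 * the faulting instruction in the report. Deliberately never called here. */
const char *lambda_unchecked(Context *cx, const FunctionObject *fun) {
    FunctionObject *clone = clone_function(cx, fun);
    return clone->name;   /* NULL dereference when the clone failed */
}

/* Checked caller shape: propagate the failure so the caller can unwind
 * (the testcase's try/catch) rather than touching a NULL object. */
int lambda_checked(Context *cx, const FunctionObject *fun, FunctionObject **out) {
    *out = NULL;
    FunctionObject *clone = clone_function(cx, fun);
    if (!clone)
        return 0;         /* error is already recorded in cx */
    *out = clone;
    return 1;
}

/* Models the testcase: climb past the depth limit, then create a lambda in
 * the over-recursed state. Counts successful creations and whether the
 * failure surfaced as a reported error. */
SimResult simulate_testcase(int max_depth) {
    Context cx = { 0, max_depth, 0 };
    FunctionObject proto = { "lambda", NULL };
    SimResult r = { 0, 0 };
    /* iterative stand-in for the recursive test(): depth climbs past the limit */
    for (cx.depth = 0; cx.depth <= max_depth + 1; cx.depth++) {
        FunctionObject *fn;
        if (!lambda_checked(&cx, &proto, &fn))
            break;        /* failure propagated; the caller unwinds */
        r.created++;
        free(fn);
    }
    r.error_raised = cx.has_pending_error;
    return r;
}

int main(void) {
    SimResult r = simulate_testcase(5);
    printf("created %d lambdas, failure reported cleanly: %s\n",
           r.created, r.error_raised ? "yes" : "no");
    return 0;
}
```

With a depth limit of 5, the simulation creates six lambdas (depths 0 through 5) and the seventh attempt fails with the error flag set and no dereference of the NULL result; the unchecked variant is left in the listing only to show the shape that crashes.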
Comment 5 (10 years ago)
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox42: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Can we get this uplifted to 41? It's somewhat high on the crash charts there.
Flags: needinfo?(shu)
Crash Signature: [@ js::CloneFunctionObjectIfNotSingleton] → [@ js::CloneFunctionObjectIfNotSingleton] [@ js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<T>, JS::Handle<T>, JS::Handle<T>, js::NewObjectKind)]
Eric, maybe you could fill out the uplift form for Shu? For a patch this trivial, I am half tempted to do it myself, but I probably shouldn't.
Flags: needinfo?(efaustbmo)
Comment 9 (Assignee, 9 years ago)
Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.
Approval Request Comment
[Feature/regressing bug #]: 1165486
[User impact if declined]: crashes?
[Describe test coverage new/current, TreeHerder]: central on TH
[Risks and why]: low, bugfix only
[String/UUID change made/needed]: none
Flags: needinfo?(shu)
Flags: needinfo?(efaustbmo)
Attachment #8627262 - Flags: approval-mozilla-beta?
Attachment #8627262 - Flags: approval-mozilla-aurora?
Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.
This patch has been in Nightly for two months so seems safe to uplift to Aurora42 and Beta41. Also, the second crash signature has hits as recent as 41.0b5 so it makes sense to uplift.
Attachment #8627262 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8627262 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.
Clearing the Aurora flag because I am pretty sure this is already in 42, it was checked in when 42 was in Nightly.
Attachment #8627262 - Flags: approval-mozilla-aurora+
Comment 12 (9 years ago)