Closed Bug 1177898 Opened 6 years ago Closed 6 years ago

Crash [@ js::CloneFunctionObjectIfNotSingleton]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla42
Tracking Status
firefox41 --- fixed
firefox42 --- fixed

People

(Reporter: decoder, Assigned: shu)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 0b2f5e8b7be5 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):

test();
function test() {
  try {
    var Class = {
      create: function() {
        return function() {
          this.initialize.apply(this, arguments);
        }
      }
    }
    test();
    Class.create();
  } catch(ex) {}
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::CloneFunctionObjectIfNotSingleton (cx=0x7ffff691b4e0, fun=..., parent=..., proto=..., newKind=<optimized out>) at js/src/jsfuninlines.h:92
#0  js::CloneFunctionObjectIfNotSingleton (cx=0x7ffff691b4e0, fun=..., parent=..., proto=..., newKind=<optimized out>) at js/src/jsfuninlines.h:92
#1  0x000000000065e515 in js::Lambda (cx=cx@entry=0x7ffff691b4e0, fun=fun@entry=..., parent=...) at js/src/vm/Interpreter.cpp:4166
#2  0x000000000067bcc0 in Interpret (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:3414
#3  0x0000000000687943 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:653
#4  0x00000000006880fb in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:729
#5  0x0000000000689cc9 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffffe005d8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:766
#6  0x00000000008b65aa in js::jit::DoCallFallback (cx=0x7ffff691b4e0, frame=0x7fffffe00618, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffe005c8, res=...) at js/src/jit/BaselineIC.cpp:9859
#7  0x00007ffff7feebdf in ?? ()
#8  0x0000000000000008 in ?? ()
#9  0x00007fffffe00580 in ?? ()
#10 0xfff9000000000000 in ?? ()
#11 0x0000000001a69d00 in js::jit::DoSpreadCallFallbackInfo ()
#12 0x00007ffff7e51a90 in ?? ()
#13 0x00007ffff7ff23c3 in ?? ()
#14 0x0000000000000402 in ?? ()
#15 0x00007fffffe00618 in ?? ()
#16 0x00007ffff6997790 in ?? ()
#17 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff691b4e0	140737330132192
rcx	0x7fffffdff460	140737486255200
rdx	0x7ffff691b4f8	140737330132216
rsi	0x1	1
rdi	0x7fffffdfef98	140737486253976
rbp	0x7fffffdff0f0	140737486254320
rsp	0x7fffffdff080	140737486254208
r8	0x1	1
r9	0x7ffff6a00288	140737331069576
r10	0x7ffff6991058	140737330614360
r11	0x1a52b00	27601664
r12	0x0	0
r13	0x7fffffdff0a0	140737486254240
r14	0x19f3280	27210368
r15	0x7fffffdff470	140737486255216
rip	0x6c158b <js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::NewObjectKind)+507>
=> 0x6c158b <js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::NewObjectKind)+507>:	mov    0x60(%rax),%rax
   0x6c158f <js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::NewObjectKind)+511>:	lea    -0x60(%rbp),%rdi
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150621092643" and the hash "7959ffacd30f".
The "bad" changeset has the timestamp "20150621122442" and the hash "cc5d4eaf1a5e".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7959ffacd30f&tochange=cc5d4eaf1a5e
Flags: needinfo?(shu)
Oops, stupid mistake from bug 1165486.
Attachment #8627262 - Flags: review?(efaustbmo)
Assignee: nobody → shu
Status: NEW → ASSIGNED
Flags: needinfo?(shu)
Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.

Review of attachment 8627262 [details] [diff] [review]:
-----------------------------------------------------------------

Oops. Yup. Nice find.
Attachment #8627262 - Flags: review?(efaustbmo) → review+
https://hg.mozilla.org/mozilla-central/rev/cc68ce01105f
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Duplicate of this bug: 1199764
Can we get this uplifted to 41? It's somewhat high on the crash charts there.
Flags: needinfo?(shu)
Crash Signature: [@ js::CloneFunctionObjectIfNotSingleton] → [@ js::CloneFunctionObjectIfNotSingleton] [@ js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<T>, JS::Handle<T>, JS::Handle<T>, js::NewObjectKind)]
Eric, maybe you could fill out the uplift form for Shu? For a patch this trivial, I am half tempted to do it myself, but I probably shouldn't.
Flags: needinfo?(efaustbmo)
Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.

Approval Request Comment
[Feature/regressing bug #]: 1165486
[User impact if declined]: crashes?
[Describe test coverage new/current, TreeHerder]: central on TH
[Risks and why]: low, bugfix only
[String/UUID change made/needed]: none
Flags: needinfo?(shu)
Flags: needinfo?(efaustbmo)
Attachment #8627262 - Flags: approval-mozilla-beta?
Attachment #8627262 - Flags: approval-mozilla-aurora?
Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.

This patch has been in Nightly for two months so seems safe to uplift to Aurora42 and Beta41. Also, the second crash signature has hits as recent as 41.0b5 so it makes sense to uplift.
Attachment #8627262 - Flags: approval-mozilla-beta?
Attachment #8627262 - Flags: approval-mozilla-beta+
Attachment #8627262 - Flags: approval-mozilla-aurora?
Attachment #8627262 - Flags: approval-mozilla-aurora+
Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.

Clearing the Aurora flag because I am pretty sure this is already in 42, it was checked in when 42 was in Nightly.
Attachment #8627262 - Flags: approval-mozilla-aurora+
Duplicate of this bug: 1202008
You need to log in before you can comment on or make changes to this bug.