Closed Bug 1177898 Opened 10 years ago Closed 10 years ago

Crash [@ js::CloneFunctionObjectIfNotSingleton]

Categories: Core :: JavaScript Engine, defect
Hardware / OS: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla42
Tracking Status: firefox41 --- fixed; firefox42 --- fixed
People: Reporter: decoder, Assigned: shu
Keywords: crash, regression, testcase
Whiteboard: [jsbugmon:update]
Attachments: 1 file
The following testcase crashes on mozilla-central revision 0b2f5e8b7be5 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):

    test();
    function test() {
      try {
        var Class = {
          create: function() {
            return function() {
              this.initialize.apply(this, arguments);
            }
          }
        }
        test();
        Class.create();
      } catch(ex) {}
    }

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    js::CloneFunctionObjectIfNotSingleton (cx=0x7ffff691b4e0, fun=..., parent=..., proto=..., newKind=<optimized out>) at js/src/jsfuninlines.h:92
    #0  js::CloneFunctionObjectIfNotSingleton (cx=0x7ffff691b4e0, fun=..., parent=..., proto=..., newKind=<optimized out>) at js/src/jsfuninlines.h:92
    #1  0x000000000065e515 in js::Lambda (cx=cx@entry=0x7ffff691b4e0, fun=fun@entry=..., parent=...) at js/src/vm/Interpreter.cpp:4166
    #2  0x000000000067bcc0 in Interpret (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:3414
    #3  0x0000000000687943 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:653
    #4  0x00000000006880fb in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:729
    #5  0x0000000000689cc9 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffffe005d8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:766
    #6  0x00000000008b65aa in js::jit::DoCallFallback (cx=0x7ffff691b4e0, frame=0x7fffffe00618, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffe005c8, res=...) at js/src/jit/BaselineIC.cpp:9859
    #7  0x00007ffff7feebdf in ?? ()
    #8  0x0000000000000008 in ?? ()
    #9  0x00007fffffe00580 in ?? ()
    #10 0xfff9000000000000 in ?? ()
    #11 0x0000000001a69d00 in js::jit::DoSpreadCallFallbackInfo ()
    #12 0x00007ffff7e51a90 in ?? ()
    #13 0x00007ffff7ff23c3 in ?? ()
    #14 0x0000000000000402 in ?? ()
    #15 0x00007fffffe00618 in ?? ()
    #16 0x00007ffff6997790 in ?? ()
    #17 0x0000000000000000 in ?? ()

Registers:

    rax 0x0                0
    rbx 0x7ffff691b4e0     140737330132192
    rcx 0x7fffffdff460     140737486255200
    rdx 0x7ffff691b4f8     140737330132216
    rsi 0x1                1
    rdi 0x7fffffdfef98     140737486253976
    rbp 0x7fffffdff0f0     140737486254320
    rsp 0x7fffffdff080     140737486254208
    r8  0x1                1
    r9  0x7ffff6a00288     140737331069576
    r10 0x7ffff6991058     140737330614360
    r11 0x1a52b00          27601664
    r12 0x0                0
    r13 0x7fffffdff0a0     140737486254240
    r14 0x19f3280          27210368
    r15 0x7fffffdff470     140737486255216
    rip 0x6c158b <js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::NewObjectKind)+507>

Disassembly at the faulting instruction:

    => 0x6c158b <js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::NewObjectKind)+507>: mov 0x60(%rax),%rax
       0x6c158f <js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::NewObjectKind)+511>: lea -0x60(%rbp),%rdi
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150621092643" and the hash "7959ffacd30f".
The "bad" changeset has the timestamp "20150621122442" and the hash "cc5d4eaf1a5e".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7959ffacd30f&tochange=cc5d4eaf1a5e
Flags: needinfo?(shu)
Oops, stupid mistake from bug 1165486.
Attachment #8627262 - Flags: review?(efaustbmo)
Assignee: nobody → shu
Status: NEW → ASSIGNED
Flags: needinfo?(shu)
Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.

Review of attachment 8627262 [details] [diff] [review]:
-----------------------------------------------------------------

Oops. Yup. Nice find.
Attachment #8627262 - Flags: review?(efaustbmo) → review+
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Can we get this uplifted to 41? It's somewhat high on the crash charts there.
Flags: needinfo?(shu)
Crash Signature: [@ js::CloneFunctionObjectIfNotSingleton] → [@ js::CloneFunctionObjectIfNotSingleton] [@ js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<T>, JS::Handle<T>, JS::Handle<T>, js::NewObjectKind)]
Eric, maybe you could fill out the uplift form for Shu? For a patch this trivial, I am half tempted to do it myself, but I probably shouldn't.
Flags: needinfo?(efaustbmo)
Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.

Approval Request Comment
[Feature/regressing bug #]: 1165486
[User impact if declined]: crashes?
[Describe test coverage new/current, TreeHerder]: central on TH
[Risks and why]: low, bugfix only
[String/UUID change made/needed]: none
Flags: needinfo?(shu)
Flags: needinfo?(efaustbmo)
Attachment #8627262 - Flags: approval-mozilla-beta?
Attachment #8627262 - Flags: approval-mozilla-aurora?
Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.

This patch has been in Nightly for two months so seems safe to uplift to Aurora42 and Beta41. Also, the second crash signature has hits as recent as 41.0b5 so it makes sense to uplift.
Attachment #8627262 - Flags: approval-mozilla-beta?
Attachment #8627262 - Flags: approval-mozilla-beta+
Attachment #8627262 - Flags: approval-mozilla-aurora?
Attachment #8627262 - Flags: approval-mozilla-aurora+
Comment on attachment 8627262 [details] [diff] [review]
Fix error checking in CloneFunctionObjectIfNotSingleton.

Clearing the Aurora flag because I am pretty sure this is already in 42, it was checked in when 42 was in Nightly.
Attachment #8627262 - Flags: approval-mozilla-aurora+