Closed
Bug 1188342
Opened 10 years ago
Closed 10 years ago
Assertion failure: getSlotRef(EVAL).isUndefined(), at js/src/vm/GlobalObject.h:147
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 1192401
| Tracking | Status | |
|---|---|---|
| firefox42 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision f34a7120f46b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-check-range-analysis):
```js
const dbg = new Debugger();
const root3 = evalcx('lazy');
dbg.addDebuggee(root3);
dbg.memory.trackingAllocationSites = true;
root3.eval("this.alloc = {}");
```
Backtrace:
```
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000000597185 in setOriginalEval (evalobj=0x7f510c994480, this=0x7f510c983060) at js/src/vm/GlobalObject.h:147
To enable execution of this file add
add-auto-load-safe-path /home/ubuntu/mozilla-central/js/src/debug64/dist/bin/js-gdb.py
line to your configuration file "/home/ubuntu/.gdbinit".
To completely disable this security protection add
set auto-load safe-path /
line to your configuration file "/home/ubuntu/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual. E.g., run from the shell:
info "(gdb)Auto-loading safe path"
#0 0x0000000000597185 in setOriginalEval (evalobj=0x7f510c994480, this=0x7f510c983060) at js/src/vm/GlobalObject.h:147
#1 FinishObjectClassInit (cx=0x7f510ef1b330, ctor=..., proto=...) at js/src/builtin/Object.cpp:1139
#2 0x0000000000688e0d in js::GlobalObject::resolveConstructor (cx=cx@entry=0x7f510ef1b330, global=..., key=JSProto_Object) at js/src/vm/GlobalObject.cpp:204
#3 0x000000000068905c in js::GlobalObject::ensureConstructor (cx=cx@entry=0x7f510ef1b330, global=..., global@entry=..., key=<optimized out>) at js/src/vm/GlobalObject.cpp:99
#4 0x0000000000ab674b in JS_ResolveStandardClass (cx=cx@entry=0x7f510ef1b330, obj=..., obj@entry=..., id=..., id@entry=..., resolved=resolved@entry=0x7fffd52281b0) at js/src/jsapi.cpp:1276
#5 0x00000000004811e4 in sandbox_resolve (cx=0x7f510ef1b330, obj=..., id=..., resolvedp=0x7fffd52281b0) at js/src/shell/js.cpp:2524
#6 0x00000000006ef275 in CallResolveOp (recursedp=<synthetic pointer>, propp=..., id=..., obj=..., cx=0x7f510ef1b330) at js/src/vm/NativeObject-inl.h:388
#7 js::LookupOwnPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7f510ef1b330, obj=..., id=id@entry=..., propp=propp@entry=..., donep=donep@entry=0x7fffd52282a0) at js/src/vm/NativeObject-inl.h:481
#8 0x000000000071a6cc in NativeGetPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7f510ef1b330, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:1909
#9 0x000000000071ac80 in js::NativeGetProperty (cx=cx@entry=0x7f510ef1b330, obj=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:1953
#10 0x0000000000bbc46f in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7f510ef1b330) at js/src/vm/NativeObject.h:1417
#11 js::DirectProxyHandler::get (this=this@entry=0x1b0fee0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7f510ef1b330, proxy=..., proxy@entry=..., receiver=receiver@entry=..., id=id@entry=..., vp=vp@entry=...) at js/src/proxy/DirectProxyHandler.cpp:215
#12 0x0000000000bc58b3 in js::CrossCompartmentWrapper::get (this=0x1b0fee0 <js::CrossCompartmentWrapper::singleton>, cx=0x7f510ef1b330, wrapper=..., receiver=..., id=..., vp=...) at js/src/proxy/CrossCompartmentWrapper.cpp:165
#13 0x0000000000bd1fe7 in js::Proxy::get (cx=0x7f510ef1b330, proxy=..., receiver=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:286
#14 0x00000000005ba56d in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7f510ef1b330) at js/src/vm/NativeObject.h:1416
#15 js::GetProperty (cx=0x7f510ef1b330, obj=..., receiver=..., name=<optimized out>, vp=...) at js/src/jsobj.h:828
#16 0x000000000068ba0b in js::GetProperty (cx=cx@entry=0x7f510ef1b330, v=..., v@entry=..., name=name@entry=..., vp=vp@entry=...) at js/src/vm/Interpreter.cpp:4097
#17 0x000000000068bbc7 in js::CallProperty (cx=cx@entry=0x7f510ef1b330, v=..., v@entry=..., name=..., name@entry=..., vp=..., vp@entry=...) at js/src/vm/Interpreter.cpp:4106
#18 0x000000000069b94f in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=0x7f510d0ee0e0, cx=0x7f510ef1b330) at js/src/vm/Interpreter.cpp:257
#19 Interpret (cx=cx@entry=0x7f510ef1b330, state=...) at js/src/vm/Interpreter.cpp:2685
#20 0x00000000006a2343 in js::RunScript (cx=cx@entry=0x7f510ef1b330, state=...) at js/src/vm/Interpreter.cpp:655
#21 0x00000000006a2afb in js::Invoke (cx=cx@entry=0x7f510ef1b330, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:731
#22 0x00000000006a47d6 in js::Invoke (cx=cx@entry=0x7f510ef1b330, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffd5229b88, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:768
#23 0x00000000008d022a in js::jit::DoCallFallback (cx=0x7f510ef1b330, frame=0x7fffd5229bb8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffd5229b78, res=...) at js/src/jit/BaselineIC.cpp:9859
#24 0x00007f51103a0bdf in ?? ()
#25 0x00007f510c93bb80 in ?? ()
#26 0x00007fffd5229b30 in ?? ()
#27 0xfff9000000000000 in ?? ()
#28 0x0000000001b26ee0 in js::jit::DoSpreadCallFallbackInfo ()
#29 0x00007f510d153a90 in ?? ()
#30 0x00007f51103a4283 in ?? ()
#31 0x0000000000000402 in ?? ()
#32 0x00007fffd5229bb8 in ?? ()
#33 0x00007f510d03f020 in ?? ()
#34 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fffd5227f40 140736769195840
rcx 0x7f510f1ef88d 139986122766477
rdx 0x0 0
rsi 0x7f510f4c49d0 139986125736400
rdi 0x7f510f4c31c0 139986125730240
rbp 0x7fffd5227f90 140736769195920
rsp 0x7fffd5227e70 140736769195632
r8 0x7f5110534780 139986142971776
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7f510f4c0be0 139986125720544
r11 0x0 0
r12 0x7f510ef1b330 139986119799600
r13 0x7fffd5227ee0 140736769195744
r14 0x7f510c983060 139986080378976
r15 0x7f510c994480 139986080449664
rip 0x597185 <FinishObjectClassInit(JSContext*, JS::HandleObject, JS::HandleObject)+1141>
=> 0x597185 <FinishObjectClassInit(JSContext*, JS::HandleObject, JS::HandleObject)+1141>: movl $0x93,0x0
0x597190 <FinishObjectClassInit(JSContext*, JS::HandleObject, JS::HandleObject)+1152>: callq 0x499110 <abort()>
```
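The backtrace above is the kind of output a crash-triage bot (such as the JSBugMon automation referenced in this bug's whiteboard) has to digest before deciding whether a report is a known assertion or something new. As an added example that is not part of this bug report or of Mozilla's tooling, the Python below parses gdb frames of this shape and cross-checks the location in the `Assertion failure:` summary against the first symbolized frame, which is a quick way to confirm the crash site matches the assertion site rather than a corrupted stack. The function names `parse_backtrace` and `triage` are the example's own; the sample lines are a subset of frames copied from the report above, and the parser skips non-frame lines (the gdb auto-load notice and the register dump) on purpose.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assertion summary and a subset of backtrace frames, copied from the report above.
SAMPLE_ASSERTION = "Assertion failure: getSlotRef(EVAL).isUndefined(), at js/src/vm/GlobalObject.h:147"
SAMPLE_BACKTRACE = """\
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000000597185 in setOriginalEval (evalobj=0x7f510c994480, this=0x7f510c983060) at js/src/vm/GlobalObject.h:147
#1 FinishObjectClassInit (cx=0x7f510ef1b330, ctor=..., proto=...) at js/src/builtin/Object.cpp:1139
#7 js::LookupOwnPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7f510ef1b330, obj=..., id=id@entry=..., propp=propp@entry=..., donep=donep@entry=0x7fffd52282a0) at js/src/vm/NativeObject-inl.h:481
#23 0x00000000008d022a in js::jit::DoCallFallback (cx=0x7f510ef1b330, frame=0x7fffd5229bb8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffd5229b78, res=...) at js/src/jit/BaselineIC.cpp:9859
#24 0x00007f51103a0bdf in ?? ()
#28 0x0000000001b26ee0 in js::jit::DoSpreadCallFallbackInfo ()
rax 0x0 0
"""

# "#N [0xADDR in ]<function (args)>[ at file:line]"; the address is absent for inlined frames.
FRAME_RE = re.compile(r"^#(?P<num>\d+)\s+(?:(?P<addr>0x[0-9a-fA-F]+)\s+in\s+)?(?P<rest>.*)$")
LOCATION_RE = re.compile(r"\s+at\s+(?P<file>\S+):(?P<line>\d+)\s*$")
ASSERTION_RE = re.compile(r"Assertion failure:\s*(?P<cond>.*?),\s+at\s+(?P<file>\S+):(?P<line>\d+)")
SIGNAL_RE = re.compile(r"Program terminated with signal (?P<sig>\w+)")


@dataclass
class Frame:
    number: int
    address: Optional[str]   # None when gdb printed no address (inlined frame)
    function: str            # "??" when the frame is unsymbolized (JIT code, bad unwind)
    args: str                # the raw "(...)" argument list, kept for display
    file: Optional[str]
    line: Optional[int]


def _split_function_and_args(text: str):
    """Split 'name<(tmpl)1> (a=1, b=2)' into ('name<(tmpl)1>', '(a=1, b=2)').

    Walks backwards from the trailing ')' so parentheses inside template
    arguments (e.g. '<(js::AllowGC)1>') are not mistaken for the argument list.
    """
    text = text.rstrip()
    if not text.endswith(")"):
        return text, ""
    depth = 0
    for i in range(len(text) - 1, -1, -1):
        if text[i] == ")":
            depth += 1
        elif text[i] == "(":
            depth -= 1
            if depth == 0:
                return text[:i].rstrip(), text[i:]
    return text, ""


def parse_backtrace(text: str) -> List[Frame]:
    """Return the gdb frames found in text; lines that are not '#N ...' frames are ignored."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        file, line = None, None
        loc = LOCATION_RE.search(rest)
        if loc:
            file, line = loc.group("file"), int(loc.group("line"))
            rest = rest[:loc.start()]
        func, args = _split_function_and_args(rest)
        frames.append(Frame(int(m.group("num")), m.group("addr"), func, args, file, line))
    return frames


def triage(assertion_line: str, backtrace_text: str) -> dict:
    """Summarize a crash: signal, asserted condition, and whether the assertion site
    matches the first symbolized frame (a mismatch is a hint the stack is unreliable)."""
    frames = parse_backtrace(backtrace_text)
    sig = SIGNAL_RE.search(backtrace_text)
    asrt = ASSERTION_RE.search(assertion_line)
    crash = next((f for f in frames if f.file is not None), None)
    assertion_site = f"{asrt.group('file')}:{asrt.group('line')}" if asrt else None
    crash_site = f"{crash.file}:{crash.line}" if crash else None
    return {
        "signal": sig.group("sig") if sig else None,
        "condition": asrt.group("cond") if asrt else None,
        "assertion_site": assertion_site,
        "crash_site": crash_site,
        "crash_function": crash.function if crash else None,
        "site_matches": assertion_site is not None and assertion_site == crash_site,
        "unsymbolized_frames": sum(1 for f in frames if f.function == "??"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ASSERTION, SAMPLE_BACKTRACE).items():
        print(f"{key}: {value}")
```

The `??` frames below `js::jit::DoCallFallback` are expected in a SpiderMonkey backtrace, since gdb cannot unwind through Baseline JIT code without the `js-gdb.py` helper that the auto-load notice refers to; counting them separately keeps them from being mistaken for a corrupted stack.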
Updated by reporter, 10 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1 by reporter, 10 years ago
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user: Jan de Mooij
date: Thu Jul 24 11:56:43 2014 +0200
summary: Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett
changeset: https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user: Jan de Mooij
date: Thu Jul 24 11:56:45 2014 +0200
summary: Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium
This iteration took 0.320 seconds to run.
Comment 2•10 years ago
This bisect is incorrect - it goes back way before that, but the build harness (all of fuzzing, m-c and OS) since then has changed so much that it might just be faster to get some eyes on this testcase instead of trying to make bisect work.
Needinfo? from :fitzgen and :jimb since this seems to involve Debugger.
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(jimb)
Comment 3•10 years ago
Seems to be the exact same as bug 1192401.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(jimb)
Resolution: --- → DUPLICATE