Closed
Bug 1203695
Opened 9 years ago
Closed 9 years ago
Crash [@ GenerateLcovInfo] with shell-only function
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla43
| Tracking | Status | |
|---|---|---|
| firefox43 | --- | fixed |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
|
1.88 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision dd2a1d737a64 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-eager --baseline-eager):
var lfcode = new Array();
lfcode.push = loadFile;
lfcode.push(")");
lfcode.push(`
assertThrowsInstanceOf(function () {}, TypeError);
var g = newGlobal();
`);
getLcovInfo(g);
function loadFile(lfVarx) {
try {
evaluate(lfVarx, { noScriptRval : true, compileAndGo : true });
} catch (lfVare) {}
}
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
GenerateLcovInfo (cx=cx@entry=0x7ffff6907000, comp=<optimized out>, out=...) at js/src/jsopcode.cpp:2015
#0 GenerateLcovInfo (cx=cx@entry=0x7ffff6907000, comp=<optimized out>, out=...) at js/src/jsopcode.cpp:2015
#1 0x0000000000bc1ed5 in js::GetCodeCoverageSummary (cx=cx@entry=0x7ffff6907000, length=length@entry=0x7fffffffc6a0) at js/src/jsopcode.cpp:2247
#2 0x000000000060db61 in GetLcovInfo (cx=0x7ffff6907000, argc=<optimized out>, vp=0x7fffffffc928) at js/src/builtin/TestingFunctions.cpp:2748
#3 0x00000000006cf452 in js::CallJSNative (cx=0x7ffff6907000, native=0x60d9d0 <GetLcovInfo(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#4 0x00000000006bfcd0 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:763
#5 0x00000000006c1c5d in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffcdd8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:818
#6 0x000000000090e54a in js::jit::DoCallFallback (cx=0x7ffff6907000, frame=0x7fffffffce18, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcdc8, res=...) at js/src/jit/BaselineIC.cpp:9363
#7 0x00007ffff7feeedf in ?? ()
#8 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff7e62300 140737352442624
rcx 0x2 2
rdx 0x1 1
rsi 0xe30a6c 14879340
rdi 0x7ffff461303e 140737293398078
rbp 0x7fffffffc5f0 140737488340464
rsp 0x7fffffffbf10 140737488338704
r8 0x0 0
r9 0x7ffff6a00218 140737331069464
r10 0x7ffff6a00120 140737331069216
r11 0x7ffff46001f8 140737293320696
r12 0x7fffffffc010 140737488338960
r13 0x0 0
r14 0x0 0
r15 0x7ffff6907000 140737330049024
rip 0xbc1449 <GenerateLcovInfo(JSContext*, JSCompartment*, js::GenericPrinter&)+2265>
=> 0xbc1449 <GenerateLcovInfo(JSContext*, JSCompartment*, js::GenericPrinter&)+2265>: movzbl (%rax),%eax
0xbc144c <GenerateLcovInfo(JSContext*, JSCompartment*, js::GenericPrinter&)+2268>: test %al,%al
|
||
Updated•9 years ago
|
Flags: needinfo?(nicolas.b.pierron)
|
|
||
Updated•9 years ago
|
Blocks: js-code-coverage
Flags: needinfo?(nicolas.b.pierron)
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•9 years ago
|
||
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150828162149" and the hash "dc527a84746753b31b862f748f8f4c977a35db3d". The "bad" changeset has the timestamp "20150828163447" and the hash "70a4840a6680e14e9bbbaa8d84e06bf9c6da4650". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dc527a84746753b31b862f748f8f4c977a35db3d&tochange=70a4840a6680e14e9bbbaa8d84e06bf9c6da4650
|
|
||
Comment 2•9 years ago
|
||
The problem comes from the fact that we do alllocate the JSScript before throwing because of a Syntax error, which happens when we evaluate ")" as some code. Thus when we iterate over the zone to find the top-level JSScript, these scripts are also matching and we end up serializing the source notes associated with these invalid scripts. This patch fix this issue by checking that we do have some bytecode associated with the JSScript. Is there a proper way to do that?
Attachment #8660790 -
Flags: review?(bhackett1024)
|
||
Comment 3•9 years ago
|
||
Comment on attachment 8660790 [details] [diff] [review] GenerateLcovInfo: Check if the JSScript have associated bytecode before spewing their content. Review of attachment 8660790 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsopcode.cpp @@ +2112,5 @@ > continue; > > + // If we evaluate some code which contains a syntax error, then we > + // might produce a JSScript which has no associated bytecode. This > + // line filter out these kind of scripts. filters out this kind
Attachment #8660790 -
Flags: review?(bhackett1024) → review+
|
||
Comment 5•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/cdbdb471f9c7
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
You need to log in
before you can comment on or make changes to this bug.
Description
•