Closed Bug 1203695 Opened 4 years ago Closed 4 years ago

Crash [@ GenerateLcovInfo] with shell-only function

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla43
Tracking Status
firefox43 --- fixed

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision dd2a1d737a64 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-eager --baseline-eager):

var lfcode = new Array();
lfcode.push = loadFile;
lfcode.push(")");
lfcode.push(`
assertThrowsInstanceOf(function () {}, TypeError);
var g = newGlobal();
`);
getLcovInfo(g);
function loadFile(lfVarx) {
    try {
        evaluate(lfVarx, { noScriptRval : true, compileAndGo : true });
    } catch (lfVare) {}
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
GenerateLcovInfo (cx=cx@entry=0x7ffff6907000, comp=<optimized out>, out=...) at js/src/jsopcode.cpp:2015
#0  GenerateLcovInfo (cx=cx@entry=0x7ffff6907000, comp=<optimized out>, out=...) at js/src/jsopcode.cpp:2015
#1  0x0000000000bc1ed5 in js::GetCodeCoverageSummary (cx=cx@entry=0x7ffff6907000, length=length@entry=0x7fffffffc6a0) at js/src/jsopcode.cpp:2247
#2  0x000000000060db61 in GetLcovInfo (cx=0x7ffff6907000, argc=<optimized out>, vp=0x7fffffffc928) at js/src/builtin/TestingFunctions.cpp:2748
#3  0x00000000006cf452 in js::CallJSNative (cx=0x7ffff6907000, native=0x60d9d0 <GetLcovInfo(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#4  0x00000000006bfcd0 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:763
#5  0x00000000006c1c5d in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffcdd8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:818
#6  0x000000000090e54a in js::jit::DoCallFallback (cx=0x7ffff6907000, frame=0x7fffffffce18, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcdc8, res=...) at js/src/jit/BaselineIC.cpp:9363
#7  0x00007ffff7feeedf in ?? ()
#8  0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff7e62300	140737352442624
rcx	0x2	2
rdx	0x1	1
rsi	0xe30a6c	14879340
rdi	0x7ffff461303e	140737293398078
rbp	0x7fffffffc5f0	140737488340464
rsp	0x7fffffffbf10	140737488338704
r8	0x0	0
r9	0x7ffff6a00218	140737331069464
r10	0x7ffff6a00120	140737331069216
r11	0x7ffff46001f8	140737293320696
r12	0x7fffffffc010	140737488338960
r13	0x0	0
r14	0x0	0
r15	0x7ffff6907000	140737330049024
rip	0xbc1449 <GenerateLcovInfo(JSContext*, JSCompartment*, js::GenericPrinter&)+2265>
=> 0xbc1449 <GenerateLcovInfo(JSContext*, JSCompartment*, js::GenericPrinter&)+2265>:	movzbl (%rax),%eax
   0xbc144c <GenerateLcovInfo(JSContext*, JSCompartment*, js::GenericPrinter&)+2268>:	test   %al,%al
Flags: needinfo?(nicolas.b.pierron)
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150828162149" and the hash "dc527a84746753b31b862f748f8f4c977a35db3d".
The "bad" changeset has the timestamp "20150828163447" and the hash "70a4840a6680e14e9bbbaa8d84e06bf9c6da4650".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dc527a84746753b31b862f748f8f4c977a35db3d&tochange=70a4840a6680e14e9bbbaa8d84e06bf9c6da4650
The problem comes from the fact that we do alllocate the JSScript before
throwing because of a Syntax error, which happens when we evaluate ")" as
some code.  Thus when we iterate over the zone to find the top-level
JSScript, these scripts are also matching and we end up serializing the
source notes associated with these invalid scripts.

This patch fix this issue by checking that we do have some bytecode
associated with the JSScript.  Is there a proper way to do that?
Attachment #8660790 - Flags: review?(bhackett1024)
Comment on attachment 8660790 [details] [diff] [review]
GenerateLcovInfo: Check if the JSScript have associated bytecode before spewing their content.

Review of attachment 8660790 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsopcode.cpp
@@ +2112,5 @@
>                  continue;
>  
> +            // If we evaluate some code which contains a syntax error, then we
> +            // might produce a JSScript which has no associated bytecode. This
> +            // line filter out these kind of scripts.

filters out this kind
Attachment #8660790 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/cdbdb471f9c7
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
You need to log in before you can comment on or make changes to this bug.