Bug 1206247 - Crash [@ js::GetCodeCoverageSummary]
Status: RESOLVED FIXED (opened 9 years ago, closed 9 years ago)
Categories: Core :: JavaScript Engine, defect
Milestone: mozilla44
People: Reporter: gkw, Assigned: nbp
Keywords: crash, regression, testcase
Whiteboard: [fuzzblocker][jsbugmon:update]
Attachments (2 files):
4.94 KB, text/plain
2.25 KB, patch (bhackett1024: review+)

Description
evaluate("", {
    fileName: null
});
// Adapted from randomly chosen test: js/src/jit-test/tests/coverage/bug1203695.js
getLcovInfo();
crashes js debug shell on m-c changeset de0e763b5210 with --fuzzing-safe --no-threads --no-ion --no-baseline at js::GetCodeCoverageSummary
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r de0e763b5210
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8c305052960d
user: Nicolas B. Pierron
date: Sat Aug 29 01:32:37 2015 +0200
summary: Bug 1191289 part 1 - Add a JSFriendApi function to produce LCOV information about the current compartment. r=bhackett
Nicolas, is bug 1191289 a likely regressor?
Flags: needinfo?(nicolas.b.pierron)

Comment 1 • 9 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x77cfe2, 0x00007fff95a8cbb0 libsystem_platform.dylib`_platform_strcmp + 176, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x00007fff95a8cbb0 libsystem_platform.dylib`_platform_strcmp + 176
frame #1: 0x00000001008a071d js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] GenerateLcovInfo(JSContext*, JSCompartment*, js::GenericPrinter&)::$_0::operator()(JSScript const*, JSScript const*) const + 1165 at jsopcode.cpp:2135
frame #2: 0x00000001008a0700 js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::GetCodeCoverageSummary(JSContext*, unsigned long*) + 21 at stl_algo.h:2382
frame #3: 0x00000001008a06eb js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] void std::__final_insertion_sort<JSScript**, GenerateLcovInfo(JSContext*, JSCompartment*, js::GenericPrinter&)::$_0>(__first=0x000000010283e310, __last=0x000000010283e320)::$_0) + 300 at stl_algo.h:2462
frame #4: 0x00000001008a05bf js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] void std::sort<JSScript**, GenerateLcovInfo(JSContext*, JSCompartment*, js::GenericPrinter&)::$_0>(__first=0x000000010283e310, __last=0x000000010283e320)::$_0) + 15 at stl_algo.h:2868
(lldb)
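
The backtrace above stops in strcmp at address 0x0, reached from the comparator that std::sort runs inside GenerateLcovInfo, which is consistent with the testcase's `fileName: null`. As an added illustration (not the patch attached to this bug and not SpiderMonkey code), here is a sort comparator that tolerates a missing file name while remaining a strict weak ordering; `ScriptInfo` and all function names are hypothetical.

```cpp
// Added illustration, not SpiderMonkey code. ScriptInfo and its fields are
// hypothetical stand-ins for a script whose file name may be absent.
#include <algorithm>
#include <cstring>
#include <vector>

struct ScriptInfo {
    const char* filename;  // may be nullptr, e.g. evaluate("", {fileName: null})
    unsigned lineno;
};

// Three-way compare that orders nullptr before every real name, so strcmp
// is only ever called with two valid pointers.
static int compareFilenames(const char* a, const char* b) {
    if (a == b) return 0;   // covers both-null and identical pointers
    if (!a) return -1;
    if (!b) return 1;
    return std::strcmp(a, b);
}

// Strict weak ordering for std::sort: file name first, then line number.
// Returning false for equal elements keeps the comparator irreflexive.
static bool scriptLess(const ScriptInfo* a, const ScriptInfo* b) {
    int c = compareFilenames(a->filename, b->filename);
    if (c != 0) return c < 0;
    return a->lineno < b->lineno;
}

static void sortScripts(std::vector<ScriptInfo*>& scripts) {
    std::sort(scripts.begin(), scripts.end(), scriptLess);
}

// Constructed sample: two unnamed scripts mixed with two named ones.
// Returns true when the unnamed scripts sort first, ordered by line.
static bool demo() {
    ScriptInfo s1{"b.js", 3}, s2{nullptr, 7}, s3{"a.js", 9}, s4{nullptr, 1};
    std::vector<ScriptInfo*> v{&s1, &s2, &s3, &s4};
    sortScripts(v);
    return v[0] == &s4 && v[1] == &s2 && v[2] == &s3 && v[3] == &s1;
}

int main() { return demo() ? 0 : 1; }
```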

Comment 2 • 9 years ago (Reporter)
Can we please have some traction on this? This is causing issues with randorderfuzz as there are now tests involving getLcovInfo(), and these tests do get integrated into fuzzing.
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]

Updated • 9 years ago (Assignee)
Assignee: nobody → nicolas.b.pierron

Comment 3 • 9 years ago (Assignee)
Attachment #8667341 - Flags: review?(bhackett1024)

Updated • 9 years ago
Attachment #8667341 - Flags: review?(bhackett1024) → review+

Comment 5 • 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44

Updated • 9 years ago (Reporter)
Flags: needinfo?(nicolas.b.pierron)