Closed Bug 1207413 Opened 9 years ago Closed 9 years ago

Crash [@ js::TypeSet::unionSets]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical


RESOLVED FIXED
mozilla44
Tracking Status
firefox44 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision f61c3cc0eb8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-offthread-compile=off --ion-eager):

function first(a) {
    return a[0];
}
// Repeated calls record the observed element type of a[0] (a function object).
first([function() {}]);
first([function() {}]);
// Shell-only helper: make allocations start failing after 50 more.
oomAfterAllocations(50);
// With --ion-eager this call Ion-compiles first(); during type inference
// unionSets hits the simulated OOM and returns null, which computeHeapType
// passes back into unionSets unchecked (frames #1 and #0 of the backtrace).
first([function() {}]);


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::TypeSet::unionSets (a=a@entry=0x0, b=0x7ffff3e1a1a8, alloc=alloc@entry=0x7ffff3d20c40) at js/src/vm/TypeInference.cpp:876
#0  js::TypeSet::unionSets (a=a@entry=0x0, b=0x7ffff3e1a1a8, alloc=alloc@entry=0x7ffff3d20c40) at js/src/vm/TypeInference.cpp:876
#1  0x000000000097ceb0 in js::jit::IonBuilder::computeHeapType (this=this@entry=0x7ffff3e021a8, objTypes=objTypes@entry=0x7ffff3e03248, id=...) at js/src/jit/IonBuilder.cpp:8772
#2  0x000000000097d70d in js::jit::IonBuilder::jsop_getelem_dense (this=0x7ffff3e021a8, obj=<optimized out>, index=<optimized out>, unboxedType=<optimized out>) at js/src/jit/IonBuilder.cpp:8830
#3  0x000000000097d9b9 in js::jit::IonBuilder::getElemTryDense (this=this@entry=0x7ffff3e021a8, emitted=emitted@entry=0x7fffffffcbd0, obj=obj@entry=0x7ffff3e031b0, index=index@entry=0x7ffff3e03440) at js/src/jit/IonBuilder.cpp:8434
#4  0x000000000098b9a9 in js::jit::IonBuilder::jsop_getelem (this=0x7ffff3e021a8) at js/src/jit/IonBuilder.cpp:8014
#5  0x00000000009a77e5 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff3e021a8, op=op@entry=JSOP_GETELEM) at js/src/jit/IonBuilder.cpp:1926
#6  0x00000000009a8920 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff3e021a8) at js/src/jit/IonBuilder.cpp:1506
#7  0x00000000009a8d65 in js::jit::IonBuilder::build (this=0x7ffff3e021a8) at js/src/jit/IonBuilder.cpp:905
#8  0x00000000009ab961 in js::jit::IonCompile (cx=cx@entry=0x7ffff6906800, script=script@entry=0x7ffff3f62230, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2031
#9  0x00000000009b155a in js::jit::Compile (cx=cx@entry=0x7ffff6906800, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2262
#10 0x00000000009b177e in js::jit::CanEnter (cx=cx@entry=0x7ffff6906800, state=...) at js/src/jit/Ion.cpp:2421
#11 0x00000000006b4f5d in js::RunScript (cx=cx@entry=0x7ffff6906800, state=...) at js/src/vm/Interpreter.cpp:680
#12 0x00000000006b5794 in js::Invoke (cx=cx@entry=0x7ffff6906800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:781
#13 0x00000000006b76b6 in js::Invoke (cx=cx@entry=0x7ffff6906800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffd958, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:818
#14 0x00000000008ffcda in js::jit::DoCallFallback (cx=0x7ffff6906800, frame=0x7fffffffd998, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffd948, res=...) at js/src/jit/BaselineIC.cpp:9361
#15 0x00007ffff7e54edf in ?? ()
[...]
#37 0x0000000000000000 in ?? ()
rax	0x7fffffffca68	140737488341608
rbx	0x2	2
rcx	0x2	2
rdx	0x7ffff3d20c40	140737284017216
rsi	0x7ffff3e1a1a8	140737285038504
rdi	0x0	0
rbp	0x7fffffffc9b0	140737488341424
rsp	0x7fffffffc970	140737488341360
r8	0xffffffffffb53694	-4901228
r9	0x0	0
r10	0x1	1
r11	0x1	1
r12	0x7ffff3d20c40	140737284017216
r13	0x0	0
r14	0x7ffff3e1a1a8	140737285038504
r15	0x7ffff3f5b700	140737286354688
rip	0x79d92a <js::TypeSet::unionSets(js::TypeSet*, js::TypeSet*, js::LifoAlloc*)+26>
=> 0x79d92a <js::TypeSet::unionSets(js::TypeSet*, js::TypeSet*, js::LifoAlloc*)+26>:	mov    (%rdi),%r15d
   0x79d92d <js::TypeSet::unionSets(js::TypeSet*, js::TypeSet*, js::LifoAlloc*)+29>:	or     (%rsi),%r15d
Attached patch 1207413.patch
Two callers of TypeSet::unionSets didn't check the returned values.
Assignee: nobody → benj
Status: NEW → ASSIGNED
Attachment #8664741 - Flags: review?(hv1989)
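The bug class above, reduced to a self-contained C++ sketch. This is an added example, not SpiderMonkey code: `Arena` stands in for `js::LifoAlloc` with a deterministic "fail after N allocations" switch modelled on the shell's `oomAfterAllocations()`, `TypeSet` is collapsed to the single flags word the faulting `mov (%rdi),%r15d` reads, and `unionSets` returns `nullptr` on allocation failure as the real one does. `foldUnchecked` shows the caller shape that feeds an unchecked result straight back in (the null `a` in frame #0), and `foldChecked` the shape the patch moves the callers to. All names are hypothetical simplifications.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <new>
#include <vector>

// Hypothetical arena standing in for js::LifoAlloc. It fails deterministically
// once a configured allocation budget is spent, mirroring the shell's
// oomAfterAllocations(n) switch used in the testcase.
class Arena {
  public:
    void oomAfterAllocations(std::size_t n) { budget_ = n; }

    void* alloc(std::size_t bytes) {
        if (budget_ == 0)
            return nullptr;            // simulated OOM
        --budget_;
        void* p = std::malloc(bytes);
        if (p)
            chunks_.push_back(p);
        return p;
    }

    ~Arena() {
        for (void* p : chunks_)
            std::free(p);
    }

  private:
    std::size_t budget_ = SIZE_MAX;    // SIZE_MAX: never fail
    std::vector<void*> chunks_;
};

// Hypothetical type set: a single flags word, which is what the faulting
// instruction `mov (%rdi),%r15d` reads at offset 0 of the `a` argument.
struct TypeSet {
    uint32_t flags;
};

// Fallible union: returns nullptr when the arena refuses the allocation.
// Every caller has to check for that; the two fixed by the patch did not.
TypeSet* unionSets(TypeSet* a, TypeSet* b, Arena& alloc) {
    void* mem = alloc.alloc(sizeof(TypeSet));
    if (!mem)
        return nullptr;
    return new (mem) TypeSet{a->flags | b->flags};
}

// Buggy shape: the previous union result is fed straight back into the next
// call. Once an allocation fails, `acc` is nullptr and the next unionSets
// dereferences it, which is the SIGSEGV in the backtrace. Only call this with
// an unlimited arena; it exists to show the pattern, not to run under OOM.
TypeSet* foldUnchecked(const std::vector<TypeSet*>& sets, Arena& alloc) {
    TypeSet* acc = sets.at(0);
    for (std::size_t i = 1; i < sets.size(); ++i)
        acc = unionSets(acc, sets[i], alloc);   // BUG: result never checked
    return acc;
}

// Fixed shape: stop at the first nullptr and report OOM to the caller so it
// can abort the compilation instead of crashing.
TypeSet* foldChecked(const std::vector<TypeSet*>& sets, Arena& alloc, bool* oom) {
    *oom = false;
    TypeSet* acc = sets.at(0);
    for (std::size_t i = 1; i < sets.size(); ++i) {
        acc = unionSets(acc, sets[i], alloc);
        if (!acc) {
            *oom = true;
            return nullptr;
        }
    }
    return acc;
}

int main() {
    // Constructed input: three disjoint one-bit type sets.
    TypeSet s0{0x1}, s1{0x2}, s2{0x4};
    std::vector<TypeSet*> sets{&s0, &s1, &s2};

    Arena fine;
    std::printf("no OOM: flags=0x%x\n", foldUnchecked(sets, fine)->flags);

    Arena starved;
    starved.oomAfterAllocations(1);        // first union succeeds, second fails
    bool oom = false;
    TypeSet* r = foldChecked(sets, starved, &oom);
    std::printf("OOM after 1 allocation: result=%p oom=%d\n", (void*)r, oom);
    return 0;
}
```

The interesting property is that the unchecked version is indistinguishable from the checked one until an allocation actually fails, which is why the crash only showed up once `oomAfterAllocations` was armed and the fuzzer hit the Ion compilation window.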
Comment on attachment 8664741 [details] [diff] [review]
1207413.patch

Review of attachment 8664741 [details] [diff] [review]:
-----------------------------------------------------------------

Good find
Attachment #8664741 - Flags: review?(hv1989) → review+
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "bad" changeset has the timestamp "20150923081616" and the hash "4a7d755389226c95e9e53fabda254ba6586ee5dc".
The "good" changeset has the timestamp "20150923082126" and the hash "016b66704e01984b876c007722f67d5a0da24e43".

Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4a7d755389226c95e9e53fabda254ba6586ee5dc&tochange=016b66704e01984b876c007722f67d5a0da24e43
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 001942e4617b).
https://hg.mozilla.org/mozilla-central/rev/016b66704e01
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44