Bug 1208403 (Closed)
Opened 9 years ago, closed 9 years ago

Crash [@ js::jit::AddSizeOfBaselineData] (and various other crashes) with byteSizeOfScript shell function

Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla44

| Tracking | Status
---|---|---
firefox44 | --- | fixed

People: Reporter: decoder, Assigned: jandem
Details: 4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update]
Attachments (1 file): patch, 1.57 KB, jonco: review+
The following testcase crashes on mozilla-central revision f1dffc8682fb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --ion-eager --ion-offthread-compile=off):

```
assertEq(byteSizeOfScript(Array) > 1, true);
```

Backtrace:

```
Program terminated with signal 11, Segmentation fault.
#0  js::jit::AddSizeOfBaselineData (script=<optimized out>, mallocSizeOf=mallocSizeOf@entry=0x44bd00 <moz_malloc_size_of(void const*)>, data=data@entry=0x7ffcdee122e0, fallbackStubs=fallbackStubs@entry=0x7ffcdee122e8) at js/src/jit/ICStubSpace.h:39
#1  0x00000000009468e1 in JS::ubi::Concrete<JSScript>::size (this=0x7ffcdee12340, mallocSizeOf=0x44bd00 <moz_malloc_size_of(void const*)>) at js/src/jsscript.cpp:4339
#2  0x000000000052c1d5 in size (mallocSizeof=<optimized out>, this=0x7ffcdee12340) at ../../dist/include/js/UbiNode.h:756
#3  ByteSizeOfScript (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2487
#4  0x00000000005e8561 in CallJSNative (args=..., native=0x52c0e0 <ByteSizeOfScript(JSContext*, unsigned int, JS::Value*)>, cx=0x7f3bbb207000) at js/src/jscntxtinlines.h:235
#5  js::Invoke (cx=0x7f3bbb207000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:768
#6  0x00000000005e2242 in Interpret (cx=0x7f3bbb207000, state=...) at js/src/vm/Interpreter.cpp:3071
#7  0x00000000005e7a4d in js::RunScript (cx=cx@entry=0x7f3bbb207000, state=...) at js/src/vm/Interpreter.cpp:709
#8  0x00000000005e8311 in js::Invoke (cx=cx@entry=0x7f3bbb207000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:786
#9  0x00000000005e8ccb in js::Invoke (cx=cx@entry=0x7f3bbb207000, thisv=..., fval=..., argc=argc@entry=0, argv=<optimized out>, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:823
#10 0x00000000008764b0 in js::jit::InvokeFunction (cx=0x7f3bbb207000, obj=..., constructing=<optimized out>, argc=0, argv=0x7ffcdee13310, rval=...) at js/src/jit/VMFunctions.cpp:96
#11 0x00007f3bbc880264 in ?? ()
[...]
#21 0x0000000000000000 in ?? ()
rax            0x0                  0
rbx            0x4800000125840f0a   5188146775655190282
rcx            0x3e                 62
rdx            0x0                  0
rsi            0x44bd00             4504832
rdi            0x4800000125840f0a   5188146775655190282
rbp            0x0                  0
rsp            0x7ffcdee122a0       140724047782560
r8             0x2                  2
r9             0x11                 17
r10            0x7f3bbb3010d8       139894520287448
r11            0xe                  14
r12            0x44bd00             4504832
r13            0x7ffcdee122e8       140724047782632
r14            0x1                  1
r15            0x7ffcdee123b0       140724047782832
rip            0x6fc424             <js::jit::AddSizeOfBaselineData(JSScript*, unsigned long (*)(void const*), unsigned long*, unsigned long*)+52>
=> 0x6fc424 <js::jit::AddSizeOfBaselineData(JSScript*, unsigned long (*)(void const*), unsigned long*, unsigned long*)+52>: mov    0x10(%rbx),%rbx
   0x6fc428 <js::jit::AddSizeOfBaselineData(JSScript*, unsigned long (*)(void const*), unsigned long*, unsigned long*)+56>: test   %rbx,%rbx
```

Marking fuzzblocker because it asserts/crashes in various ways.
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150922121034" and the hash "e39c3474267e273b3ecd847a86fb788b43de4301".
The "bad" changeset has the timestamp "20150922121636" and the hash "562373c7e91c8b8872a3c1cbdfdcbeb5af769a8a".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e39c3474267e273b3ecd847a86fb788b43de4301&tochange=562373c7e91c8b8872a3c1cbdfdcbeb5af769a8a
Comment 2•9 years ago
involves ByteSizeOfScript => needinfo fitzgen who implemented it :)
Comment 3•9 years ago
see comment 2 (mid-air collision with the bisection bot)
Flags: needinfo?(nfitzgerald)
Comment 4•9 years ago
Looking into this.
Assignee: nobody → nfitzgerald
Status: NEW → ASSIGNED
Flags: needinfo?(nfitzgerald)
Comment 5•9 years ago (Reporter)
This is marked as a fuzzblocker and still not fixed. Please fix it now, thanks :)
Flags: needinfo?(nfitzgerald)
Updated•9 years ago (Assignee)
Assignee: nfitzgerald → jdemooij
Comment 6•9 years ago (Assignee)
The byteSizeOfScript shell function was missing a check to guard against native functions.
Attachment #8670767 - Flags: review?(jcoppeard)
Comment 7•9 years ago
Comment on attachment 8670767 [details] [diff] [review]
Patch

Review of attachment 8670767 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good!
Attachment #8670767 - Flags: review?(jcoppeard) → review+
Updated•9 years ago (Assignee)
Flags: needinfo?(nfitzgerald)
Updated•9 years ago
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
Comment 9•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1f4cf75c8948).
Comment 10•9 years ago
https://hg.mozilla.org/mozilla-central/rev/c96111315a3f
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Updated•9 years ago
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:update]