Closed
Bug 1210607
Opened 9 years ago
Closed 9 years ago
Crash [@ PopulateReportBlame]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla44
| Tracking | Status | |
|---|---|---|
| firefox44 | --- | fixed |
People
(Reporter: gkw, Assigned: jonco)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files)
|
5.11 KB,
text/plain
|
Details | |
|
1.62 KB,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Frame-onPop-multiple-03.js var g = newGlobal(); x = Debugger(g); selectforgc(g); oomAfterAllocations(0); crashes js debug shell on m-c changeset 9169f652fe5e with --fuzzing-safe --no-threads --no-ion --no-baseline at PopulateReportBlame Configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 9169f652fe5e autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/2e82f6299d4a user: Jon Coppeard date: Wed Sep 30 11:34:49 2015 +0100 summary: Bug 1207519 - Prevent HashTable shrink from ignoring allocation failures that may have been reported r=Waldo Jon, is bug 1207519 a likely regressor?
Flags: needinfo?(jcoppeard)
|
Reporter | |
Comment 1•9 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0xa9ca1, 0x0000000100866032 js-dbg-64-dm-darwin-9169f652fe5e`PopulateReportBlame(JSContext*, JSErrorReport*) [inlined] JSCompartment::principals(this=0x0000000000000000) at jscompartment.h:237, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x48)
* frame #0: 0x0000000100866032 js-dbg-64-dm-darwin-9169f652fe5e`PopulateReportBlame(JSContext*, JSErrorReport*) [inlined] JSCompartment::principals(this=0x0000000000000000) at jscompartment.h:237
frame #1: 0x0000000100866032 js-dbg-64-dm-darwin-9169f652fe5e`PopulateReportBlame(cx=0x0000000103345400, report=0x00007fff5fbfed20) + 82 at jscntxt.cpp:259
frame #2: 0x0000000100862f01 js-dbg-64-dm-darwin-9169f652fe5e`js::ReportOutOfMemory(cxArg=<unavailable>) + 279 at jscntxt.cpp:318
frame #3: 0x00000001004b2d0d js-dbg-64-dm-darwin-9169f652fe5e`bool js::detail::HashTable<unsigned long long const, js::HashSet<unsigned long long, js::DefaultHasher<unsigned long long>, js::TempAllocPolicy>::SetOps, js::TempAllocPolicy>::add<unsigned long long&>(js::detail::HashTable<unsigned long long const, js::HashSet<unsigned long long, js::DefaultHasher<unsigned long long>, js::TempAllocPolicy>::SetOps, js::TempAllocPolicy>::AddPtr&, unsigned long long&&&) [inlined] js::TempAllocPolicy::checkSimulatedOOM() const + 8 at jsalloc.h:125
frame #4: 0x00000001004b2d05 js-dbg-64-dm-darwin-9169f652fe5e`bool js::detail::HashTable<unsigned long long const, js::HashSet<unsigned long long, js::DefaultHasher<unsigned long long>, js::TempAllocPolicy>::SetOps, js::TempAllocPolicy>::add<unsigned long long&>(this=0x00000001033710e0, p=<unavailable>, args=0x00007fff5fbfee20) + 453 at HashTable.h:1648
(lldb)
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
|
|
Assignee | |
Comment 2•9 years ago
|
||
We just need to check whether cx->compartment() is null.
Attachment #8669026 -
Flags: review?(terrence)
|
||
Updated•9 years ago
|
Attachment #8669026 -
Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/15d5166c68aa
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in
before you can comment on or make changes to this bug.
Description
•