Bug 1212279 - Fprinter::init field is not initialized.

Status: RESOLVED FIXED (Closed)
Opened 9 years ago, closed 9 years ago
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla45

Flag | Tracking | Status
---|---|---
firefox45 | --- | fixed

People: Reporter: decoder, Assigned: nbp
References: Blocks 1 open bug
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:ignore][js-oom2015][fuzzblocker]

Attachments (1 file): patch, 822 bytes, h4writer: review+
Description

The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision c4c41d3e65e713af85f588d0a51fd7190ff8745c (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks):

```js
function optionsClear() { optionsClear(); }
optionsClear();
```

Backtrace:

```
Program terminated with signal SIGSEGV, Segmentation fault.
#0 ReadFrameDoubleSlot (slot=4718817, fp=0xffab6110) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/JitFrames.cpp:78
#1 js::jit::SnapshotIterator::allocationValue (this=this@entry=0xffab5cf0, alloc=..., rm=rm@entry=js::jit::SnapshotIterator::RM_Normal) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/JitFrames.cpp:1933
#2 0x083c1b08 in js::jit::SnapshotIterator::read (this=0xffab5cf0) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/JitFrameIterator.h:557
#3 0x083a3185 in InitFromBailout (ionScript=<optimized out>, invalidate=<optimized out>, excInfo=<optimized out>, callPC=<synthetic pointer>, nextCallee=..., startFrameFormals=..., builder=..., iter=..., script=..., fun=..., callerPC=<optimized out>, cx=0xf727c040, caller=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/BaselineBailouts.cpp:685
#4 js::jit::BailoutIonToBaseline (cx=cx@entry=0xf727c040, activation=0xffab6170, iter=..., invalidate=invalidate@entry=true, bailoutInfo=bailoutInfo@entry=0xffab5f60, excInfo=excInfo@entry=0x0) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/BaselineBailouts.cpp:1548
#5 0x083a53d9 in js::jit::InvalidationBailout (sp=0xffab5f68, frameSizeOut=0xffab5f64, bailoutInfo=0xffab5f60) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/Bailouts.cpp:130
#6 0xf74546ef in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
```
Registers and faulting instruction:

```
eax 0xffab5af8 -5547272
ebx 0x94623d0  155591632
ecx 0xffab6110 -5545712
edx 0xffb7ff1f -4718817
esi 0xffab5cf0 -5546768
edi 0x83f2ca6  138357926
ebp 0xffab5a48 4289419848
esp 0xffab5a10 4289419792
eip 0x83f2cae <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+830>
=> 0x83f2cae <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+830>: fldl (%ecx,%edx,1)
   0x83f2cb1 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+833>: fstpl (%eax)
```
Updated • 9 years ago
Flags: needinfo?(nicolas.b.pierron)

Updated • 9 years ago
Assignee: nobody → nicolas.b.pierron
Flags: needinfo?(nicolas.b.pierron)

Comment 1 • 9 years ago
(unrelated but in my way)
Attachment #8670804 - Flags: review?(hv1989)

Updated • 9 years ago
Attachment #8670804 - Flags: review?(hv1989) → review+
Comment 2 • 9 years ago
The original error was a typo in one of the patches of the oom-branch, which got caught by Hannes. I will re-use this bug to land the patch which is currently attached to it. Fprinter is only used when spewing in debug builds, which explains why fuzzers / valgrind tests did not notice the error which is fixed in the patch attached on this bug.
Summary: Crash [@ ReadFrameDoubleSlot] → Fprinter::init field is not initialized.
Comment 4 • 9 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/be3d699655ec
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox45: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45

Comment 5 • 9 years ago (bugherder uplift)
https://hg.mozilla.org/releases/mozilla-b2g44_v2_5/rev/be3d699655ec
status-b2g-v2.5: --- → fixed

Comment 6 • 9 years ago
removing the b2g 2.5 flag since this commit has been reverted due to an incorrect merge, sorry for the confusion
status-b2g-v2.5: fixed → ---