1212279 - Fprinter::init field is not initialized.

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision c4c41d3e65e713af85f588d0a51fd7190ff8745c (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks):

function optionsClear() {
    optionsClear();
}
optionsClear();


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  ReadFrameDoubleSlot (slot=4718817, fp=0xffab6110) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/JitFrames.cpp:78
#1  js::jit::SnapshotIterator::allocationValue (this=this@entry=0xffab5cf0, alloc=..., rm=rm@entry=js::jit::SnapshotIterator::RM_Normal) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/JitFrames.cpp:1933
#2  0x083c1b08 in js::jit::SnapshotIterator::read (this=0xffab5cf0) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/JitFrameIterator.h:557
#3  0x083a3185 in InitFromBailout (ionScript=<optimized out>, invalidate=<optimized out>, excInfo=<optimized out>, callPC=<synthetic pointer>, nextCallee=..., startFrameFormals=..., builder=..., iter=..., script=..., fun=..., callerPC=<optimized out>, cx=0xf727c040, caller=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/BaselineBailouts.cpp:685
#4  js::jit::BailoutIonToBaseline (cx=cx@entry=0xf727c040, activation=0xffab6170, iter=..., invalidate=invalidate@entry=true, bailoutInfo=bailoutInfo@entry=0xffab5f60, excInfo=excInfo@entry=0x0) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/BaselineBailouts.cpp:1548
#5  0x083a53d9 in js::jit::InvalidationBailout (sp=0xffab5f68, frameSizeOut=0xffab5f64, bailoutInfo=0xffab5f60) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/Bailouts.cpp:130
#6  0xf74546ef in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
eax	0xffab5af8	-5547272
ebx	0x94623d0	155591632
ecx	0xffab6110	-5545712
edx	0xffb7ff1f	-4718817
esi	0xffab5cf0	-5546768
edi	0x83f2ca6	138357926
ebp	0xffab5a48	4289419848
esp	0xffab5a10	4289419792
eip	0x83f2cae <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+830>
=> 0x83f2cae <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+830>:	fldl   (%ecx,%edx,1)
   0x83f2cb1 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+833>:	fstpl  (%eax)

Comment 1

[Nicolas B. Pierron [:nbp]]

Attachment: part 0 - Fix uninitialized boolean in Fprinter.

(unrelated but in my way)

Comment 2

[Nicolas B. Pierron [:nbp]]

The original error was a typo in one of the patches of the oom-branch, which got caught by Hannes.
I will re-use this bug to land the patch which is currently attached to it.

Fprinter is only used when spewing in debug builds, which explains why fuzzers / valgrind tests did not notice the error which is fixed in the patch attached on this bug.

Comment 3

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/be3d699655ec

Comment 4

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/be3d699655ec

Comment 5

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/releases/mozilla-b2g44_v2_5/rev/be3d699655ec

Comment 6

[Carsten Book [:Tomcat]]

removing the b2g 2.5 flag since this commit has been reverted due to an incorrect merge, sorry for the confusion