Closed Bug 1213576 Opened 9 years ago Closed 9 years ago

Assertion failure: &i.block() == scope->as<ClonedBlockObject>().staticScope(), at js/src/vm/Stack.cpp:166

Categories: Core :: JavaScript Engine, defect
Hardware: x86
OS: Linux
Priority: Not set
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 1213574
Tracking Status
firefox44 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

The following testcase crashes on mozilla-central revision c6ede6f30f3d (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var lfcode = new Array();
lfcode.push = loadFile;
lfcode.push(`
var myObj = {p1: 'a', 
}
with(myObj){
  var f = function(){
  }
}
result = f();
`);
function loadFile(lfVarx) {
    var lfGlobal = newGlobal();
    lfGlobal.offThreadCompileScript(lfVarx);
    lfGlobal.runOffThreadScript();
}

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0871aec5 in AssertDynamicScopeMatchesStaticScope (cx=<optimized out>, script=<optimized out>, scope=<optimized out>) at js/src/vm/Stack.cpp:166
#1  0x0871bb27 in js::InterpreterFrame::prologue (this=0xf4fb4120, cx=cx@entry=0xf7177020) at js/src/vm/Stack.cpp:248
#2  0x0865b29f in Interpret (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:3131
#3  0x08661e49 in js::RunScript (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:708
#4  0x0866464a in js::ExecuteKernel (cx=cx@entry=0xf7177020, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0xffd56820) at js/src/vm/Interpreter.cpp:983
#5  0x08664ad7 in js::Execute (cx=cx@entry=0xf7177020, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0xffd56820) at js/src/vm/Interpreter.cpp:1018
#6  0x084b8d1f in ExecuteScript (cx=cx@entry=0xf7177020, scope=..., scope@entry=..., script=script@entry=..., rval=rval@entry=0xffd56820) at js/src/jsapi.cpp:4505
#7  0x084b8ea5 in JS_ExecuteScript (cx=cx@entry=0xf7177020, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4531
#8  0x080e8f84 in runOffThreadScript (cx=0xf7177020, argc=0, vp=0xffd56820) at js/src/shell/js.cpp:3438
#9  0x086658fa in js::CallJSNative (cx=0xf7177020, native=0x80e8e90 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#10 0x08662797 in js::Invoke (cx=cx@entry=0xf7177020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:767
#11 0x0866372a in js::Invoke (cx=cx@entry=0xf7177020, thisv=..., fval=..., argc=0, argv=0xffd56bd0, rval=...) at js/src/vm/Interpreter.cpp:822
#12 0x085cecb2 in js::DirectProxyHandler::call (this=this@entry=0x982db6c <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0xf7177020, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#13 0x085c1f2d in js::CrossCompartmentWrapper::call (this=0x982db6c <js::CrossCompartmentWrapper::singleton>, cx=0xf7177020, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#14 0x085cdada in js::Proxy::call (cx=cx@entry=0xf7177020, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:412
#15 0x085cdb7a in js::proxy_Call (cx=0xf7177020, argc=0, vp=0xffd56bc0) at js/src/proxy/Proxy.cpp:710
#16 0x086658fa in js::CallJSNative (cx=0xf7177020, native=0x85cdb00 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#17 0x08662797 in js::Invoke (cx=cx@entry=0xf7177020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:767
#18 0x0866372a in js::Invoke (cx=cx@entry=0xf7177020, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0xffd56ee0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:822
#19 0x088af58f in js::jit::DoCallFallback (cx=0xf7177020, frame=0xffd56f00, stub_=0xf4f2a170, argc=0, vp=0xffd56ed0, res=...) at js/src/jit/BaselineIC.cpp:8996
#20 0xf77406be in ?? ()
#21 0xf4f2a170 in ?? ()
#22 0xf7747f3a in ?? ()
#23 0xf4f1c010 in ?? ()
#24 0xf773fc5c in ?? ()
#25 0x0822d3c5 in EnterBaseline (cx=0xf4f2a170, cx@entry=0xf7177020, data=...) at js/src/jit/BaselineJIT.cpp:126
#26 0x082660e9 in js::jit::EnterBaselineAtBranch (cx=0xf7177020, fp=0xf4fb4028, pc=0xf713ede1 "\343\201C\b\377\377\377Z\231\230,\210\004\235/\210\bʘ;\210\t\230\001\220א\210\004\226\210\004\226\210\004\226\210\004\225\210\bʐ\210\bʐ\210\bϘ\002\234\v\210\003\230\016Ј\026\220Ј\027\220Ј \220Ј\027\220Ј?\220Ј\024\220Ј\030\230\031Ј#\220Ј\037\230\035Ј,\230\037\210\004\314\b\225\210\002Έ\020\230,\210\004͈\020\230.(\200") at js/src/jit/BaselineJIT.cpp:229
#27 0x08661b3b in Interpret (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:2119
#28 0x08661e49 in js::RunScript (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:708
#29 0x0866464a in js::ExecuteKernel (cx=cx@entry=0xf7177020, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:983
#30 0x08664ad7 in js::Execute (cx=cx@entry=0xf7177020, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1018
#31 0x084b8d1f in ExecuteScript (cx=cx@entry=0xf7177020, scope=..., scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4505
#32 0x084b8f46 in JS_ExecuteScript (cx=cx@entry=0xf7177020, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4538
#33 0x0806b6b0 in RunFile (compileOnly=false, file=0xf71ea9e0, filename=0xffd59c0f "driver.js", cx=0xf7177020) at js/src/shell/js.cpp:469
#34 Process (cx=cx@entry=0xf7177020, filename=0xffd59c0f "driver.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:587
#35 0x080e0101 in ProcessArgs (op=0xffd57ca0, cx=0xf7177020) at js/src/shell/js.cpp:5903
#36 Shell (envp=<optimized out>, op=0xffd57ca0, cx=0xf7177020) at js/src/shell/js.cpp:6228
#37 main (argc=5, argv=0xffd57df4, envp=0xffd57e0c) at js/src/shell/js.cpp:6586
eax	0x0	0
ebx	0x97fbe34	159366708
ecx	0xf75a688c	-145069940
edx	0x0	0
esi	0x9802d60	159395168
edi	0xf509c040	-183910336
ebp	0xffd55f38	4292173624
esp	0xffd55ee0	4292173536
eip	0x871aec5 <AssertDynamicScopeMatchesStaticScope(JSContext*, JSScript*, JSObject*)+1301>
=> 0x871aec5 <AssertDynamicScopeMatchesStaticScope(JSContext*, JSScript*, JSObject*)+1301>:	movl   $0xa6,0x0
   0x871aecf <AssertDynamicScopeMatchesStaticScope(JSContext*, JSScript*, JSObject*)+1311>:	call   0x8101690 <abort()>
Another high-frequency fuzzblocker that is likely fallout from the let patch.
Flags: needinfo?(shu)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151006132131" and the hash "d6059530b0317e6f6b141582b611469505256be4".
The "bad" changeset has the timestamp "20151006135536" and the hash "cfc1820361f599c55128b29de4332f8d06511e07".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=d6059530b0317e6f6b141582b611469505256be4&tochange=cfc1820361f599c55128b29de4332f8d06511e07
It also seems to hit bughunter a lot of times.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE