Closed Bug 1214051 Opened 6 years ago Closed 6 years ago

Assertion failure: 0 <= aProbability && aProbability <= 1, at ../../dist/include/mozilla/FastBernoulliTrial.h:229

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED, target milestone mozilla44
Tracking Status: firefox44 --- fixed

People: Reporter: decoder, Assigned: Waldo

Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update]

Attachments: 1 file

The following testcase crashes on mozilla-central revision b68eab795f9d (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --disable-oom-functions --baseline-eager --ion-eager):

const root = newGlobal();
const dbg = new Debugger();
const wrappedRoot = dbg.addDebuggee(root);
function measure(P, expected) {
    dbg.memory.allocationSamplingProbability = P;
}
dbg.memory.trackingAllocationSites = true;
// The Debugger object is coerced with ToNumber, which yields NaN; the setter's
// range check did not reject NaN before handing it to setProbability.
measure(dbg);


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000a51448 in setProbability (aProbability=<optimized out>, this=0x7fd2fb4528f8) at ../../dist/include/mozilla/FastBernoulliTrial.h:229
#1  js::SavedStacks::chooseSamplingProbability (this=0x7fd2fb4528a8, compartment=0x7fd2fb452800) at js/src/vm/SavedStacks.cpp:1361
#2  0x000000000097a118 in chooseAllocationSamplingProbability (this=<optimized out>) at js/src/jscompartment.h:381
#3  js::DebuggerMemory::setAllocationSamplingProbability (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/DebuggerMemory.cpp:325
#4  0x00000000009e3be2 in js::CallJSNative (cx=0x7fd2fb407400, native=0x979e90 <js::DebuggerMemory::setAllocationSamplingProbability(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#5  0x00000000009e0720 in js::Invoke (cx=cx@entry=0x7fd2fb407400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:773
#6  0x00000000009e1735 in js::Invoke (cx=cx@entry=0x7fd2fb407400, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7ffc4ecec100, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:828
#7  0x00000000009e1b0b in js::InvokeSetter (cx=cx@entry=0x7fd2fb407400, thisv=..., fval=..., v=v@entry=...) at js/src/vm/Interpreter.cpp:946
#8  0x0000000000a2d2f8 in SetExistingProperty (result=..., shape=..., pobj=..., receiver=..., v=..., id=..., obj=..., cx=0x7fd2fb407400) at js/src/vm/NativeObject.cpp:2274
#9  js::NativeSetProperty (cx=cx@entry=0x7fd2fb407400, obj=..., obj@entry=..., id=id@entry=..., value=..., receiver=..., qualified=qualified@entry=js::Qualified, result=...) at js/src/vm/NativeObject.cpp:2308
#10 0x00000000009e2e92 in SetProperty (result=..., receiver=..., v=..., id=..., obj=..., cx=0x7fd2fb407400) at js/src/vm/NativeObject.h:1450
#11 js::PutProperty (cx=0x7fd2fb407400, obj=..., id=..., v=..., strict=<optimized out>) at js/src/jsobj.h:946
#12 0x0000000000c34ef3 in js::jit::DoSetPropFallback (cx=0x7fd2fb407400, frame=0x7ffc4ecec5d8, stub_=<optimized out>, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:7662
#13 0x00007fd2fcaf009f in ?? ()
[...]
#27 0x0000000000000000 in ?? ()
rip	0xa51448 <js::SavedStacks::chooseSamplingProbability(JSCompartment*)+232>
=> 0xa51448 <js::SavedStacks::chooseSamplingProbability(JSCompartment*)+232>:	movl   $0xe5,0x0
   0xa51453 <js::SavedStacks::chooseSamplingProbability(JSCompartment*)+243>:	callq  0x4a51d0 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151008152318" and the hash "de953677a1819ad7e64e647d4c5d6093b2cc76c2".
The "bad" changeset has the timestamp "20151008152919" and the hash "df0f9214b22402bd7badcd4d3547da1e3bf7ff5a".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=de953677a1819ad7e64e647d4c5d6093b2cc76c2&tochange=df0f9214b22402bd7badcd4d3547da1e3bf7ff5a
Attached patch: Patch
Attachment #8672894 - Flags: review?(jimb)
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
Comment on attachment 8672894 [details] [diff] [review]
Patch

Review of attachment 8672894 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks very much for this fix!

::: js/src/vm/DebuggerMemory.cpp
@@ +306,5 @@
>      double probability;
>      if (!ToNumber(cx, args[0], &probability))
>          return false;
>  
> +    if (!(0.0 <= probability && probability <= 1.0)) {
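Review bot: the negated-conjunction form on the `+` line is load-bearing, not a style choice, so it deserves a comment: every comparison involving NaN is false, which makes `0.0 <= probability && probability <= 1.0` false for NaN and lets the leading `!` route NaN into the rejection branch, whereas the more obvious `probability < 0.0 || probability > 1.0` accepts NaN and lets it reach the `setProbability` assertion quoted in the bug title. A one-line note such as `// Written as !(in range) so NaN is rejected as well.` would stop a later cleanup from "simplifying" the condition. The body of the `if` is outside the quoted context, so it is worth confirming that it reports an error and returns false rather than silently dropping the assignment.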

Could we have a comment here like:

/* Compare in a way that ensures NaN is rejected. */
Attachment #8672894 - Flags: review?(jimb) → review+
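To make the review point concrete, here is an added C++ model (not Mozilla's code; the function names and the Outcome enum are invented for illustration) that runs NaN and a few ordinary values through both the naive range check and the patched form, with the setProbability precondition from the bug title modelled as a second check.

```cpp
#include <cassert>
#include <limits>

// Hypothetical model of the setter in the bug, not the real DebuggerMemory.cpp.
enum class Outcome { Rejected, Set, AssertionFailure };

// Naive range check: both comparisons are false for NaN, so NaN is "accepted".
bool naiveAccepts(double p) {
    if (p < 0.0 || p > 1.0)
        return false;
    return true;
}

// The form from the patch: NaN fails the in-range test, so !(...) rejects it
// together with genuinely out-of-range values. Relies on IEEE comparison rules.
bool rangeAccepts(double p) {
    if (!(0.0 <= p && p <= 1.0))
        return false;
    return true;
}

// Runs the chosen check, then models the setProbability precondition from the
// bug title (0 <= p && p <= 1). A value that passes the check but violates the
// precondition is the assertion failure the fuzzer hit.
Outcome applySetter(bool (*check)(double), double p) {
    if (!check(p))
        return Outcome::Rejected;
    if (!(0.0 <= p && p <= 1.0))
        return Outcome::AssertionFailure;
    return Outcome::Set;
}

// ToNumber(dbg) in the testcase produces NaN; model that input directly.
const double kNaN = std::numeric_limits<double>::quiet_NaN();

int main() {
    assert(applySetter(naiveAccepts, kNaN) == Outcome::AssertionFailure);
    assert(applySetter(rangeAccepts, kNaN) == Outcome::Rejected);
    assert(applySetter(rangeAccepts, 0.5) == Outcome::Set);
    assert(applySetter(rangeAccepts, 1.5) == Outcome::Rejected);
    assert(applySetter(naiveAccepts, -0.1) == Outcome::Rejected);
    return 0;
}
```

Both forms agree on every ordinary double and diverge only on NaN, and only under IEEE comparison semantics: a build with -ffast-math (-ffinite-math-only) lets the compiler assume NaN never occurs and may fold the two conditions together, reopening the hole.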
https://hg.mozilla.org/mozilla-central/rev/d4ab193bab01
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44