Closed Bug 1214548 Opened 6 years ago Closed 6 years ago

Crash [@ js::GetCodeCoverageSummary]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
firefox44 --- fixed

People

(Reporter: gkw, Assigned: nbp)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,origRev=2387ada86428,testComment=2])

Crash Data

Attachments

(2 files)

stack
3.15 KB, text/plain
Details
Check that we do not OOM in GenerateLcovInfo.
1.44 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
// jsfunfuzz-generated
eval("[function(){}, function(){}, function(){}, function(){}, function(){},        function(){}, function(){}, function(){}, function(){}, function(){},        function(){}, function(){}, function(){}, function(){}];");
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug720675.js
eval("evaluate("gcparam('maxBytes', gcparam('gcBytes') + 1)", {});");
// jsfunfuzz-generated
eval("getLcovInfo();");

crashes js debug shell on m-c changeset 2387ada86428 with --fuzzing-safe --no-threads --ion-eager at js::GetCodeCoverageSummary

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 2387ada86428

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8c305052960d
user:        Nicolas B. Pierron
date:        Sat Aug 29 01:32:37 2015 +0200
summary:     Bug 1191289 part 1 - Add a JSFriendApi function to produce LCOV information about the current compartment. r=bhackett

Nicolas, is bug 1191289 a likely regressor?
Flags: needinfo?(nicolas.b.pierron)
Attached file stack 
(lldb) bt 5
* thread #1: tid = 0x61aa8, 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] JSScript::hasArray(this=0x0000000000000000, kind=OBJECTS) at jsscript.h:1700, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xc8)
  * frame #0: 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] JSScript::hasArray(this=0x0000000000000000, kind=OBJECTS) at jsscript.h:1700
    frame #1: 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] JSScript::hasObjects(this=0x0000000000000000) at jsscript.h:1706
    frame #2: 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) + 1042 at jsopcode.cpp:2000
    frame #3: 0x0000000100575308 js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(cx=0x0000000102c45400, length=0x00007fff5fbfd008) + 664 at jsopcode.cpp:2040
    frame #4: 0x00000001004309d5 js-dbg-64-dm-darwin-2387ada86428`GetLcovInfo(cx=0x0000000102c45400, argc=<unavailable>, vp=0x00007fff5fbfd210) + 213 at TestingFunctions.cpp:2857
(lldb)
// jsfunfuzz-generated
eval("[function(){}, function(){}, function(){}, function(){}, function(){}, \
       function(){}, function(){}, function(){}, function(){}, function(){}, \
       function(){}, function(){}, function(){}, function(){}];");
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug720675.js
eval("evaluate(\"gcparam('maxBytes', gcparam('gcBytes') + 1)\", {});");
// jsfunfuzz-generated
eval("getLcovInfo();");

crashes js debug shell on m-c changeset 2387ada86428 with --fuzzing-safe --no-threads --ion-eager at js::GetCodeCoverageSummary
Whiteboard: [jsbugmon:update] → [jsbugmon:update,origRev=2387ada86428,testComment=2]
This is an OOM in the testing function.  I am making a patch and improving the test case as well.
Assignee: nobody → nicolas.b.pierron
Flags: needinfo?(nicolas.b.pierron)
Attachment #8673653 - Flags: review?(bhackett1024)
Attachment #8673653 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/b9c043ef1332
https://hg.mozilla.org/mozilla-central/rev/74c356ccba60
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox44: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in before you can comment on or make changes to this bug.