Crash [@ js::GetCodeCoverageSummary]

RESOLVED FIXED in Firefox 44

Status

()

Product:
Core
Component:
JavaScript Engine
--
critical
RESOLVED FIXED
Reported:
3 years ago
Modified:
3 years ago

People

(Reporter: gkw, Assigned: nbp)

Tracking

(Blocks: 2 bugs, {crash, regression, testcase})

Version:
Trunk
Target:
mozilla44
x86_64
Mac OS X
Keywords:
crash, regression, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox44 fixed)

Details

(Whiteboard: [jsbugmon:update,origRev=2387ada86428,testComment=2], crash signature)

Attachments

(2 attachments)

stack
3.15 KB, text/plain
Details
Check that we do not OOM in GenerateLcovInfo.
1.44 KB, patch
bhackett
: review+
Details | Diff | Splinter Review
(Reporter)

Description

3 years ago 
// jsfunfuzz-generated
eval("[function(){}, function(){}, function(){}, function(){}, function(){},        function(){}, function(){}, function(){}, function(){}, function(){},        function(){}, function(){}, function(){}, function(){}];");
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug720675.js
eval("evaluate("gcparam('maxBytes', gcparam('gcBytes') + 1)", {});");
// jsfunfuzz-generated
eval("getLcovInfo();");

crashes js debug shell on m-c changeset 2387ada86428 with --fuzzing-safe --no-threads --ion-eager at js::GetCodeCoverageSummary

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 2387ada86428

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8c305052960d
user:        Nicolas B. Pierron
date:        Sat Aug 29 01:32:37 2015 +0200
summary:     Bug 1191289 part 1 - Add a JSFriendApi function to produce LCOV information about the current compartment. r=bhackett

Nicolas, is bug 1191289 a likely regressor?
Flags: needinfo?(nicolas.b.pierron)
(Reporter)

Comment 1

3 years ago 
Created attachment 8673574 [details]
stack

(lldb) bt 5
* thread #1: tid = 0x61aa8, 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] JSScript::hasArray(this=0x0000000000000000, kind=OBJECTS) at jsscript.h:1700, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xc8)
  * frame #0: 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] JSScript::hasArray(this=0x0000000000000000, kind=OBJECTS) at jsscript.h:1700
    frame #1: 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] JSScript::hasObjects(this=0x0000000000000000) at jsscript.h:1706
    frame #2: 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) + 1042 at jsopcode.cpp:2000
    frame #3: 0x0000000100575308 js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(cx=0x0000000102c45400, length=0x00007fff5fbfd008) + 664 at jsopcode.cpp:2040
    frame #4: 0x00000001004309d5 js-dbg-64-dm-darwin-2387ada86428`GetLcovInfo(cx=0x0000000102c45400, argc=<unavailable>, vp=0x00007fff5fbfd210) + 213 at TestingFunctions.cpp:2857
(lldb)
(Reporter)

Comment 2

3 years ago 
// jsfunfuzz-generated
eval("[function(){}, function(){}, function(){}, function(){}, function(){}, \
       function(){}, function(){}, function(){}, function(){}, function(){}, \
       function(){}, function(){}, function(){}, function(){}];");
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug720675.js
eval("evaluate(\"gcparam('maxBytes', gcparam('gcBytes') + 1)\", {});");
// jsfunfuzz-generated
eval("getLcovInfo();");

crashes js debug shell on m-c changeset 2387ada86428 with --fuzzing-safe --no-threads --ion-eager at js::GetCodeCoverageSummary
Whiteboard: [jsbugmon:update] → [jsbugmon:update,origRev=2387ada86428,testComment=2]
(Assignee)

Comment 3

3 years ago 
This is an OOM in the testing function.  I am making a patch and improving the test case as well.
Assignee: nobody → nicolas.b.pierron
Flags: needinfo?(nicolas.b.pierron)
(Assignee)

Comment 4

3 years ago 
Created attachment 8673653 [details] [diff] [review]
Check that we do not OOM in GenerateLcovInfo.
Attachment #8673653 - Flags: review?(bhackett1024)
Attachment #8673653 - Flags: review?(bhackett1024) → review+

Comment 7

3 years ago 
https://hg.mozilla.org/mozilla-central/rev/b9c043ef1332
https://hg.mozilla.org/mozilla-central/rev/74c356ccba60
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox44: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in before you can comment on or make changes to this bug.