Status
()
People
(Reporter: gkw, Assigned: nbp)
Tracking
(Blocks: 2 bugs, {crash, regression, testcase})
Firefox Tracking Flags
(firefox44 fixed)
Details
(Whiteboard: [jsbugmon:update,origRev=2387ada86428,testComment=2], crash signature)
Attachments
(2 attachments)
|
3.15 KB,
text/plain
|
Details | |
|
1.44 KB,
patch
|
bhackett
:
review+
|
Details | Diff | Splinter Review |
// jsfunfuzz-generated
eval("[function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}];");
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug720675.js
eval("evaluate("gcparam('maxBytes', gcparam('gcBytes') + 1)", {});");
// jsfunfuzz-generated
eval("getLcovInfo();");
crashes js debug shell on m-c changeset 2387ada86428 with --fuzzing-safe --no-threads --ion-eager at js::GetCodeCoverageSummary
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 2387ada86428
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8c305052960d
user: Nicolas B. Pierron
date: Sat Aug 29 01:32:37 2015 +0200
summary: Bug 1191289 part 1 - Add a JSFriendApi function to produce LCOV information about the current compartment. r=bhackett
Nicolas, is bug 1191289 a likely regressor?Flags: needinfo?(nicolas.b.pierron)
|
(Reporter) | |
Comment 1•3 years ago
|
||
Created attachment 8673574 [details]
stack
(lldb) bt 5
* thread #1: tid = 0x61aa8, 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] JSScript::hasArray(this=0x0000000000000000, kind=OBJECTS) at jsscript.h:1700, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xc8)
* frame #0: 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] JSScript::hasArray(this=0x0000000000000000, kind=OBJECTS) at jsscript.h:1700
frame #1: 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] JSScript::hasObjects(this=0x0000000000000000) at jsscript.h:1706
frame #2: 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) + 1042 at jsopcode.cpp:2000
frame #3: 0x0000000100575308 js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(cx=0x0000000102c45400, length=0x00007fff5fbfd008) + 664 at jsopcode.cpp:2040
frame #4: 0x00000001004309d5 js-dbg-64-dm-darwin-2387ada86428`GetLcovInfo(cx=0x0000000102c45400, argc=<unavailable>, vp=0x00007fff5fbfd210) + 213 at TestingFunctions.cpp:2857
(lldb)|
|
(Reporter) | |
Comment 2•3 years ago
|
||
// jsfunfuzz-generated
eval("[function(){}, function(){}, function(){}, function(){}, function(){}, \
function(){}, function(){}, function(){}, function(){}, function(){}, \
function(){}, function(){}, function(){}, function(){}];");
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug720675.js
eval("evaluate(\"gcparam('maxBytes', gcparam('gcBytes') + 1)\", {});");
// jsfunfuzz-generated
eval("getLcovInfo();");
crashes js debug shell on m-c changeset 2387ada86428 with --fuzzing-safe --no-threads --ion-eager at js::GetCodeCoverageSummaryWhiteboard: [jsbugmon:update] → [jsbugmon:update,origRev=2387ada86428,testComment=2]
|
(Assignee) | |
Comment 3•3 years ago
|
||
This is an OOM in the testing function. I am making a patch and improving the test case as well.
Assignee: nobody → nicolas.b.pierron
Flags: needinfo?(nicolas.b.pierron)
|
|
(Assignee) | |
Comment 4•3 years ago
|
||
Created attachment 8673653 [details] [diff] [review] Check that we do not OOM in GenerateLcovInfo.
Attachment #8673653 -
Flags: review?(bhackett1024)
|
||
Updated•3 years ago
|
Attachment #8673653 -
Flags: review?(bhackett1024) → review+
|
||
Comment 7•3 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/b9c043ef1332 https://hg.mozilla.org/mozilla-central/rev/74c356ccba60
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox44: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in
before you can comment on or make changes to this bug.
Description
•