Closed Bug 1214548 Opened 10 years ago Closed 10 years ago

Crash [@ js::GetCodeCoverageSummary]

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla44
Tracking Status
firefox44 --- fixed

People

(Reporter: gkw, Assigned: nbp)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,origRev=2387ada86428,testComment=2])

Crash Data

Attachments

(2 files)

// jsfunfuzz-generated
eval("[function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}, function(){}];");
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug720675.js
eval("evaluate(\"gcparam('maxBytes', gcparam('gcBytes') + 1)\", {});");
// jsfunfuzz-generated
eval("getLcovInfo();");

crashes js debug shell on m-c changeset 2387ada86428 with --fuzzing-safe --no-threads --ion-eager at js::GetCodeCoverageSummary

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 2387ada86428

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8c305052960d
user: Nicolas B. Pierron
date: Sat Aug 29 01:32:37 2015 +0200
summary: Bug 1191289 part 1 - Add a JSFriendApi function to produce LCOV information about the current compartment. r=bhackett

Nicolas, is bug 1191289 a likely regressor?
Flags: needinfo?(nicolas.b.pierron)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x61aa8, 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] JSScript::hasArray(this=0x0000000000000000, kind=OBJECTS) at jsscript.h:1700, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xc8)
  * frame #0: 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] JSScript::hasArray(this=0x0000000000000000, kind=OBJECTS) at jsscript.h:1700
    frame #1: 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) [inlined] JSScript::hasObjects(this=0x0000000000000000) at jsscript.h:1706
    frame #2: 0x000000010057571a js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(JSContext*, unsigned long*) + 1042 at jsopcode.cpp:2000
    frame #3: 0x0000000100575308 js-dbg-64-dm-darwin-2387ada86428`js::GetCodeCoverageSummary(cx=0x0000000102c45400, length=0x00007fff5fbfd008) + 664 at jsopcode.cpp:2040
    frame #4: 0x00000001004309d5 js-dbg-64-dm-darwin-2387ada86428`GetLcovInfo(cx=0x0000000102c45400, argc=<unavailable>, vp=0x00007fff5fbfd210) + 213 at TestingFunctions.cpp:2857
(lldb)
// jsfunfuzz-generated
eval("[function(){}, function(){}, function(){}, function(){}, function(){}, \
function(){}, function(){}, function(){}, function(){}, function(){}, \
function(){}, function(){}, function(){}, function(){}];");
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug720675.js
eval("evaluate(\"gcparam('maxBytes', gcparam('gcBytes') + 1)\", {});");
// jsfunfuzz-generated
eval("getLcovInfo();");

crashes js debug shell on m-c changeset 2387ada86428 with --fuzzing-safe --no-threads --ion-eager at js::GetCodeCoverageSummary
Whiteboard: [jsbugmon:update] → [jsbugmon:update,origRev=2387ada86428,testComment=2]
This is an OOM in the testing function. I am making a patch and improving the test case as well.
Assignee: nobody → nicolas.b.pierron
Flags: needinfo?(nicolas.b.pierron)
Attachment #8673653 - Flags: review?(bhackett1024)
Attachment #8673653 - Flags: review?(bhackett1024) → review+
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44