Bug 1219954 - Crash [@ js::AutoStableStringChars::initTwoByte]
Status: Closed, RESOLVED FIXED
Opened 9 years ago; Closed 9 years ago
Categories: Core :: JavaScript Engine, defect
Tracking: mozilla45
People: Reporter: gkw, Assigned: jonco
Keywords: crash, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments (2 files):
  10.38 KB, text/plain
  1.42 KB, patch, bbouvier: review+
// jsfunfuzz-generated
function g() {};
// Adapted from randomly chosen test: js/src/jit-test/tests/gc/bug-1208994.js
eval("\
\"use strict\";\
g = (function() {\
\"use asm\";\
function f() {}\
return f;\
})();\
oomTest(() => getBacktrace({\
thisprops: true\
}));\
");
crashes js debug shell on m-c changeset 1fbc958f7557 with --fuzzing-safe --no-threads --no-ion --no-baseline at js::AutoStableStringChars::initTwoByte
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 1fbc958f7557
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9c365490d4ce
user: Jon Coppeard
date: Tue Oct 13 13:37:07 2015 +0100
summary: Bug 1212469 - Make oomTest() into a shell function r=nbp
Jon, is bug 1212469 a likely regressor? (I tried removing oomTest but it didn't seem to reproduce)
Flags: needinfo?(jcoppeard)
Comment 1 • 9 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x347a71, 0x000000010078bbd3 js-dbg-64-dm-darwin-1fbc958f7557`js::AutoStableStringChars::initTwoByte(JSContext*, JSString*) [inlined] JSString::isLinear(this=0x0000000000000000) const at String.h:371, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x000000010078bbd3 js-dbg-64-dm-darwin-1fbc958f7557`js::AutoStableStringChars::initTwoByte(JSContext*, JSString*) [inlined] JSString::isLinear(this=0x0000000000000000) const at String.h:371
frame #1: 0x000000010078bbd3 js-dbg-64-dm-darwin-1fbc958f7557`js::AutoStableStringChars::initTwoByte(JSContext*, JSString*) [inlined] JSString::ensureLinear(this=0x0000000000000000, cx=<unavailable>) at String.h:1234
frame #2: 0x000000010078bbd3 js-dbg-64-dm-darwin-1fbc958f7557`js::AutoStableStringChars::initTwoByte(this=0x00007fff5fbfbb28, cx=0x0000000102c45400, s=0x0000000000000000) + 19 at String.cpp:912
frame #3: 0x00000001004fc7a9 js-dbg-64-dm-darwin-1fbc958f7557`js::FindBody(cx=0x0000000102c45400, fun=<unavailable>, src=<unavailable>, bodyStart=0x00007fff5fbfbc60, bodyEnd=0x00007fff5fbfbc58) + 265 at jsfun.cpp:869
frame #4: 0x00000001000c5068 js-dbg-64-dm-darwin-1fbc958f7557`AppendUseStrictSource(cx=<unavailable>, fun=<unavailable>, src=<unavailable>, out=0x00007fff5fbfbcd8) + 40 at AsmJSLink.cpp:1143
(lldb)
Updated • 9 years ago (Assignee)
Comment 2 • 9 years ago (Assignee)
Patch to check the result of ScriptSource::substring().
Assignee: nobody → jcoppeard
Attachment #8681186 -
Flags: review?(luke)
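As an added illustration, not code from this bug or from SpiderMonkey, of the failure the report describes and the check the patch adds: a minimal C++ model of oomTest-style allocation-failure injection, with a FindBody-like caller in its pre-fix shape (the null from a substring() stand-in reaches an initTwoByte stand-in) and in its fixed shape (the null is checked and the failure propagated). All names are stand-ins, the input is assumed to be function source text containing braces, and the throw in initChars models the crash rather than any engine behaviour.

```cpp
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <string>

using StrPtr = std::shared_ptr<std::string>;
// The mechanism behind the shell's oomTest(): fail the failAt-th allocation (1-based).
struct OomInjector {
    int failAt = 0, seen = 0;  // failAt == 0 means never fail
    bool fail() { return failAt != 0 && ++seen == failAt; }
};
// Stand-in for ScriptSource::substring(): nullptr signals allocation failure.
StrPtr substring(OomInjector& oom, const std::string& src, std::size_t a, std::size_t b) {
    if (oom.fail()) return nullptr;
    return std::make_shared<std::string>(src.substr(a, b - a));
}
// Stand-in for AutoStableStringChars::initTwoByte(), which assumes a non-null
// string; the throw models the EXC_BAD_ACCESS in the backtrace above.
std::string initChars(const StrPtr& s) {
    if (!s) throw std::logic_error("null JSString dereference");
    return *s;
}
// Pre-fix shape of FindBody: substring()'s result goes straight to initChars.
bool findBodyUnchecked(OomInjector& oom, const std::string& src, std::string& body) {
    std::size_t open = src.find('{'), close = src.rfind('}');
    body = initChars(substring(oom, src, open + 1, close));
    return true;
}
// Fixed shape: check substring() and report the failure to the caller.
bool findBodyChecked(OomInjector& oom, const std::string& src, std::string& body) {
    std::size_t open = src.find('{'), close = src.rfind('}');
    StrPtr s = substring(oom, src, open + 1, close);
    if (!s) return false;
    body = initChars(s);
    return true;
}

// oomTest-style driver: fail allocation 1, 2, ... until a run performs fewer
// allocations than the failure index. Returns the index that crashed, or 0.
template <class Fn>
int oomTest(Fn fn, const std::string& src) {
    for (int n = 1;; ++n) {
        OomInjector oom; oom.failAt = n;
        std::string body;
        try { fn(oom, src, body); }
        catch (const std::logic_error&) { return n; }  // null reached the consumer
        if (oom.seen < n) return 0;  // every allocation point has been exercised
    }
}
```

Running oomTest over the unchecked variant reports the first injected failure as a crash; over the checked variant it exhausts the allocation points without one.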
Comment 3 • 9 years ago
Comment on attachment 8681186 [details] [diff] [review]
bug1219954-asmjs-fun-to-string
Review of attachment 8681186 [details] [diff] [review]:
-----------------------------------------------------------------
Stealing, as it's trivial and I *think* I wrote this code. Thanks!
Attachment #8681186 -
Flags: review?(luke) → review+
Comment 5 • 9 years ago
bugherder
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox45:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
Comment 6 • 9 years ago
bugherder uplift
status-b2g-v2.5:
--- → fixed
Comment 7 • 9 years ago
Removing the b2g 2.5 flag since this commit has been reverted due to an incorrect merge; sorry for the confusion.
status-b2g-v2.5:
fixed → ---