Closed Bug 1243787 Opened 10 years ago Closed 10 years ago

Crash [@ js::jit::ScriptFromCalleeToken] with OOM

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
critical


RESOLVED FIXED
mozilla47
Tracking Status
firefox47 --- fixed

People

(Reporter: decoder, Assigned: jandem)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 211a4c710fb6 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe --thread-count=2 --arm-hwcap=vfp --arm-sim-icache-checks --ion-offthread-compile=off --ion-eager --arm-asm-nop-fill=1 --ion-extra-checks --baseline-eager):

gcparam("maxBytes", gcparam("gcBytes"));
enableSPSProfiling();
enableSingleStepProfiling();
gczeal(14);
function f()(function() '' ^ Object)();
for (var i = 0; i < 100; ++i) f();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::ScriptFromCalleeToken (token=<optimized out>) at js/src/jit/JitFrames.h:86
#0  js::jit::ScriptFromCalleeToken (token=<optimized out>) at js/src/jit/JitFrames.h:86
#1  0x082f1c66 in frameScript (this=0xffffbd30) at js/src/jit/JitFrameIterator-inl.h:29
#2  js::jit::JitProfilingFrameIterator::tryInitWithPC (this=0xffffbd30, pc=0x0) at js/src/jit/JitFrames.cpp:3070
#3  0x082f1f8d in js::jit::JitProfilingFrameIterator::JitProfilingFrameIterator (this=0xffffbd30, rt=0xf7a3c000, state=...) at js/src/jit/JitFrames.cpp:2953
#4  0x08768017 in JS::ProfilingFrameIterator::iteratorConstruct (this=this@entry=0xffffbd20, state=...) at js/src/vm/Stack.cpp:1844
#5  0x0876885f in JS::ProfilingFrameIterator::ProfilingFrameIterator (this=0xffffbd20, rt=0xf7a3c000, state=..., sampleBufferGen=4294967295) at js/src/vm/Stack.cpp:1785
#6  0x080eb6d5 in SingleStepCallback (arg=0xf7a3c000, sim=0xf7a77000, pc=0x0) at js/src/shell/js.cpp:4248
#7  0x084bddbe in js::jit::Simulator::softwareInterrupt (this=0xf7a77000, instr=0xf7a02734) at js/src/jit/arm/Simulator-arm.cpp:2534
[...]
#24 main (argc=11, argv=0xffffcb54, envp=0xffffcb84) at js/src/shell/js.cpp:7000

eax            0x0        0
ebx            0x980e4d8  159442136
ecx            0xf59fff38 -174063816
edx            0x0        0
esi            0xffffbd30 -17104
edi            0xf7a3c000 -140263424
ebp            0xffffbbe8 4294949864
esp            0xffffbbd0 4294949840
eip            0x82d2c04  <js::jit::ScriptFromCalleeToken(js::jit::CalleeToken)+36>
=> 0x82d2c04 <js::jit::ScriptFromCalleeToken(js::jit::CalleeToken)+36>: testb  $0x1,0x12(%eax)
   0x82d2c08 <js::jit::ScriptFromCalleeToken(js::jit::CalleeToken)+40>: je     0x82d2c21 <js::jit::ScriptFromCalleeToken(js::jit::CalleeToken)+65>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Flags: needinfo?(jdemooij)
Attached patch Patch (Splinter Review)
When an invalidation bailout fails, we do frame->replaceCalleeToken(nullptr). This can cause profiler crashes because it uses the frame's callee token to get the JSScript. This patch removes the replaceCalleeToken call; I don't think replacing the callee token there is terribly useful. I didn't add the test; somehow it didn't fail when I added it as a jit-test and used the ARM simulator.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8719449 - Flags: review?(nicolas.b.pierron)
Attachment #8719449 - Flags: review?(nicolas.b.pierron) → review+
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
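The failure mode jandem describes in comment 1, as an added illustration that is not SpiderMonkey's code: a JIT frame carries a tagged callee token, the profiler sampler decodes that token to reach the script, and a bailout-failure path that overwrites the token with nullptr leaves the sampler dereferencing address 0 (the backtrace above shows exactly that, eax = 0 when ScriptFromCalleeToken tests a flag at 0x12(%eax)). The struct layouts, the tag values and the two handler functions are assumptions constructed for this model; the model refuses to dereference a null token so it can run in a test where the real engine would segfault.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for JSScript and JSFunction (not SpiderMonkey's layouts). */
typedef struct Script { const char *name; } Script;
typedef struct Function { Script *script; } Function;

/* Callee token: an object pointer with a tag in the low two bits.
 * Tag values are an assumption modelled on SpiderMonkey's CalleeToken. */
enum { TOKEN_FUNCTION = 0x0, TOKEN_FUNCTION_CONSTRUCTING = 0x1, TOKEN_SCRIPT = 0x2, TOKEN_MASK = 0x3 };
typedef uintptr_t CalleeToken;

static CalleeToken token_from_function(Function *f) { return (uintptr_t)f | TOKEN_FUNCTION; }
static CalleeToken token_from_script(Script *s)     { return (uintptr_t)s | TOKEN_SCRIPT; }

/* Model of ScriptFromCalleeToken: strips the tag and follows the pointer.
 * With a function token this dereferences the function object, so a zero
 * token is an immediate null-pointer read (the crash in this bug). */
static Script *script_from_callee_token(CalleeToken t) {
    void *p = (void *)(t & ~(uintptr_t)TOKEN_MASK);
    switch (t & TOKEN_MASK) {
    case TOKEN_FUNCTION:
    case TOKEN_FUNCTION_CONSTRUCTING:
        return ((Function *)p)->script;
    case TOKEN_SCRIPT:
        return (Script *)p;
    default:
        return NULL;
    }
}

/* A JIT frame as the sampler sees it: only the callee token matters here. */
typedef struct JitFrame { CalleeToken callee; bool bailout_failed; } JitFrame;

/* "Before": the failed invalidation bailout replaces the token with nullptr. */
static void invalidation_bailout_failed_before(JitFrame *f) {
    f->bailout_failed = true;
    f->callee = 0;
}

/* "After": the behaviour of the fix, the token is left intact. */
static void invalidation_bailout_failed_after(JitFrame *f) {
    f->bailout_failed = true;
}

/* Profiler sample taken asynchronously while the frame is still on the stack.
 * Returns the script name, or NULL where ScriptFromCalleeToken would have
 * dereferenced a null token (guarded here only so the model can run). */
static const char *profiler_sample(const JitFrame *f) {
    if ((f->callee & ~(uintptr_t)TOKEN_MASK) == 0)
        return NULL;
    Script *s = script_from_callee_token(f->callee);
    return s ? s->name : NULL;
}

static Script   g_script = { "f" };
static Function g_fn     = { &g_script };

/* Runs the scenario once: a frame for f() has a failed invalidation bailout,
 * then the profiler samples it. fixed=false models the old code. */
static const char *sample_after_failed_bailout(bool fixed) {
    JitFrame frame = { token_from_function(&g_fn), false };
    if (fixed)
        invalidation_bailout_failed_after(&frame);
    else
        invalidation_bailout_failed_before(&frame);
    return profiler_sample(&frame);
}

/* Decoding check for the script-tagged form of the token. */
static const char *name_for_script_token(void) {
    return script_from_callee_token(token_from_script(&g_script))->name;
}

int main(void) {
    const char *before = sample_after_failed_bailout(false);
    const char *after  = sample_after_failed_bailout(true);
    printf("old code: %s\n", before ? before : "null token -> profiler would crash");
    printf("fixed:    %s\n", after);
    return 0;
}
```

The guard in profiler_sample stands in for the segfault: in the real sampler there is no such check, because the frame's token is expected to stay valid for as long as the frame is on the stack, which is why leaving it alone on bailout failure is the right fix rather than teaching every profiler path to tolerate null.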