Closed
Bug 1245861
Opened 8 years ago
Closed 8 years ago
Assertion failure: initialized(), at dist/include/js/RootingAPI.h:1052
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED FIXED, mozilla47
Tracking | Status | |
---|---|---|
firefox47 | --- | fixed |
People
(Reporter: decoder, Assigned: jandem)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
3.54 KB, patch | jonco: review+
The following testcase crashes on mozilla-central revision f2f8fc172f4c (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

```
evalInWorker(`
  function f() {
    setInterruptCallback(function() {});
  }
  try { f(); } catch(e) {}
`);
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xf56ffb40 (LWP 9296)]
0x080e31b9 in set (value=..., this=<optimized out>) at js/src/debug32/dist/include/js/RootingAPI.h:1052
#0 0x080e31b9 in set (value=..., this=<optimized out>) at js/src/debug32/dist/include/js/RootingAPI.h:1052
#1 operator= (p=..., this=<optimized out>) at js/src/debug32/dist/include/js/RootingAPI.h:1035
#2 SetInterruptCallback (cx=0xf7a7bd20, argc=1, vp=0xf57f30b0) at js/src/shell/js.cpp:3248
#3 0x0872138a in js::CallJSNative (cx=0xf7a7bd20, native=0x80e3050 <SetInterruptCallback(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#4 0x0871b264 in js::Invoke (cx=0xf7a7bd20, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#5 0x0870b360 in Interpret (cx=cx@entry=0xf7a7bd20, state=...) at js/src/vm/Interpreter.cpp:2799
#6 0x0871af8f in js::RunScript (cx=cx@entry=0xf7a7bd20, state=...) at js/src/vm/Interpreter.cpp:425
#7 0x0872024b in js::ExecuteKernel (cx=cx@entry=0xf7a7bd20, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=evalInFrame@entry=..., result=result@entry=0xf56ff240) at js/src/vm/Interpreter.cpp:681
#8 0x08720542 in js::Execute (cx=cx@entry=0xf7a7bd20, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0xf56ff240) at js/src/vm/Interpreter.cpp:714
#9 0x08515e9c in ExecuteScript (cx=cx@entry=0xf7a7bd20, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0xf56ff240) at js/src/jsapi.cpp:4357
#10 0x08515fd5 in JS_ExecuteScript (cx=0xf7a7bd20, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4383
#11 0x080efd36 in WorkerMain (arg=0xf7a02720) at js/src/shell/js.cpp:2821
#12 0x08734041 in nspr::Thread::ThreadRoutine (arg=0xf7a02730) at js/src/vm/PosixNSPR.cpp:45
#13 0xf7fb0f70 in start_thread (arg=0xf56ffb40) at pthread_create.c:312
#14 0xf7d7a4ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129
eax 0x0 0
ebx 0x9857490 159741072
ecx 0xf7e3b88c -136071028
edx 0x0 0
esi 0xf57f30b0 -176213840
edi 0xf56feb60 -177214624
ebp 0xf56feb88 4117752712
esp 0xf56feb50 4117752656
eip 0x80e31b9 <SetInterruptCallback(JSContext*, unsigned int, JS::Value*)+361>
=> 0x80e31b9 <SetInterruptCallback(JSContext*, unsigned int, JS::Value*)+361>: movl $0x41c,0x0
   0x80e31c3 <SetInterruptCallback(JSContext*, unsigned int, JS::Value*)+371>: call 0x80ff950 <abort()>
```
Comment 1 • 8 years ago (Assignee)
Make sure ShellRuntime::interruptFunc is always initialized.
Updated • 8 years ago
Attachment #8715883 - Flags: review?(jcoppeard) → review+
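A simplified model of the failure mode behind comment 1, added here as an illustration; it is not SpiderMonkey code and not the attached patch. `LazyRoot`, `StateBefore`, `StateAfter` and the three path functions are hypothetical names, and the assumptions are that the main path initialized the root by hand while the worker path did not, and that moving initialization into the constructor is one way to make it "always initialized".

```cpp
#include <stdexcept>
#include <string>
#include <utility>

// Hypothetical stand-in for a two-phase root handle: set() is only legal
// after init(), mirroring the initialized() assertion in the backtrace.
class LazyRoot {
    bool inited_ = false;
    std::string value_;
public:
    bool initialized() const { return inited_; }
    void init(std::string v) { value_ = std::move(v); inited_ = true; }
    void set(std::string v) {
        if (!initialized())  // the debug build asserts and aborts at this point
            throw std::logic_error("set() before init()");
        value_ = std::move(v);
    }
};

// Before: every code path that creates the state must remember to call init().
struct StateBefore {
    LazyRoot interruptFunc;
};

// After (assumed shape of a fix): the constructor establishes the invariant.
struct StateAfter {
    LazyRoot interruptFunc;
    StateAfter() { interruptFunc.init("null"); }
};

// Models the shell native: stores a callback into the per-runtime state.
template <class State>
bool setInterruptCallback(State& s) {
    try {
        s.interruptFunc.set("callback");
        return true;
    } catch (const std::logic_error&) {
        return false;  // would have been the assertion failure
    }
}

// Main path initializes by hand; worker path forgets; the fixed worker cannot forget.
bool mainPathBefore()   { StateBefore s; s.interruptFunc.init("null"); return setInterruptCallback(s); }
bool workerPathBefore() { StateBefore s; return setInterruptCallback(s); }
bool workerPathAfter()  { StateAfter s;  return setInterruptCallback(s); }
```
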
Updated • 8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2 • 8 years ago
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151008094633" and the hash "e04c59fd01c4b07898f805938e131afb3d71f7e5".
The "bad" changeset has the timestamp "20151008095537" and the hash "ecabb878492d482b3caac0b125df41e8a9278a39".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e04c59fd01c4b07898f805938e131afb3d71f7e5&tochange=ecabb878492d482b3caac0b125df41e8a9278a39

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/1f46ca0a518a
user: Jon Coppeard
date: Thu Oct 08 17:48:53 2015 +0100
summary: Bug 1212349 - Encapsulate the shell's per-runtime state r=jandem

Guessing this is related to bug 1212349.
Blocks: 1212349
Comment 5 • 8 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/b78ea6f025af
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47