Assertion failure: initialized(), at dist/include/js/RootingAPI.h:1052

RESOLVED FIXED in Firefox 47

Status: RESOLVED FIXED
Product / Component: Core / JavaScript Engine
Severity: critical
Reporter: decoder
Assignee: jandem
Version: Trunk
Target Milestone: mozilla47
Platform: x86 Linux
Keywords: assertion, regression, testcase
Blocks: 1 bug
Tracking flags: firefox47 fixed
Whiteboard: [jsbugmon:update]
Attachments: 1

Description (reporter decoder, 2 years ago)
The following testcase crashes on mozilla-central revision f2f8fc172f4c (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

evalInWorker(`
    function f() { setInterruptCallback(function() {}); }
    try { f(); } catch(e) {}
`);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xf56ffb40 (LWP 9296)]
0x080e31b9 in set (value=..., this=<optimized out>) at js/src/debug32/dist/include/js/RootingAPI.h:1052
#0  0x080e31b9 in set (value=..., this=<optimized out>) at js/src/debug32/dist/include/js/RootingAPI.h:1052
#1  operator= (p=..., this=<optimized out>) at js/src/debug32/dist/include/js/RootingAPI.h:1035
#2  SetInterruptCallback (cx=0xf7a7bd20, argc=1, vp=0xf57f30b0) at js/src/shell/js.cpp:3248
#3  0x0872138a in js::CallJSNative (cx=0xf7a7bd20, native=0x80e3050 <SetInterruptCallback(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#4  0x0871b264 in js::Invoke (cx=0xf7a7bd20, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#5  0x0870b360 in Interpret (cx=cx@entry=0xf7a7bd20, state=...) at js/src/vm/Interpreter.cpp:2799
#6  0x0871af8f in js::RunScript (cx=cx@entry=0xf7a7bd20, state=...) at js/src/vm/Interpreter.cpp:425
#7  0x0872024b in js::ExecuteKernel (cx=cx@entry=0xf7a7bd20, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=evalInFrame@entry=..., result=result@entry=0xf56ff240) at js/src/vm/Interpreter.cpp:681
#8  0x08720542 in js::Execute (cx=cx@entry=0xf7a7bd20, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0xf56ff240) at js/src/vm/Interpreter.cpp:714
#9  0x08515e9c in ExecuteScript (cx=cx@entry=0xf7a7bd20, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0xf56ff240) at js/src/jsapi.cpp:4357
#10 0x08515fd5 in JS_ExecuteScript (cx=0xf7a7bd20, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4383
#11 0x080efd36 in WorkerMain (arg=0xf7a02720) at js/src/shell/js.cpp:2821
#12 0x08734041 in nspr::Thread::ThreadRoutine (arg=0xf7a02730) at js/src/vm/PosixNSPR.cpp:45
#13 0xf7fb0f70 in start_thread (arg=0xf56ffb40) at pthread_create.c:312
#14 0xf7d7a4ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129
eax	0x0	0
ebx	0x9857490	159741072
ecx	0xf7e3b88c	-136071028
edx	0x0	0
esi	0xf57f30b0	-176213840
edi	0xf56feb60	-177214624
ebp	0xf56feb88	4117752712
esp	0xf56feb50	4117752656
eip	0x80e31b9 <SetInterruptCallback(JSContext*, unsigned int, JS::Value*)+361>
=> 0x80e31b9 <SetInterruptCallback(JSContext*, unsigned int, JS::Value*)+361>:	movl   $0x41c,0x0
   0x80e31c3 <SetInterruptCallback(JSContext*, unsigned int, JS::Value*)+371>:	call   0x80ff950 <abort()>
Comment 1 (assignee jandem, 2 years ago)
Created attachment 8715883: Patch

Make sure ShellRuntime::interruptFunc is always initialized.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8715883 - Flags: review?(jcoppeard)
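The crash frames in the description (set → operator= asserting initialized() in RootingAPI.h) and the one-line fix in comment 1 come down to a rooted per-runtime member that one construction path initialized and another did not: the main thread ran the setup step, the worker spawned by evalInWorker did not. The following is an added example, not SpiderMonkey shell code: it models a slot that must be init()ed before assignment, the "before" and "after" shape of the per-runtime state, and the main-thread versus worker paths. Runtime, RootedSlot, ShellStateBefore/After and the int callback id are hypothetical stand-ins; the assertion is replaced by an exception so both paths can be compared in one run.

```cpp
#include <stdexcept>
#include <string>

// Hypothetical runtime handle (constructed for this example).
struct Runtime {
    std::string name;
};

// Hypothetical model of a rooted slot that must be registered with its runtime
// before it may be assigned, mirroring the initialized() check the assertion
// fires from. Not SpiderMonkey's PersistentRooted.
template <typename T>
class RootedSlot {
    Runtime* rt_ = nullptr;   // non-null once init() has run
    T value_{};
public:
    bool initialized() const { return rt_ != nullptr; }
    void init(Runtime* rt, const T& initial) {
        rt_ = rt;
        value_ = initial;
    }
    // Stand-in for the set()/operator= frames in the backtrace: assigning to a
    // slot that was never initialized is a programming error. A debug build
    // asserts here; this model throws instead so the paths below can be compared.
    RootedSlot& operator=(const T& v) {
        if (!initialized())
            throw std::logic_error("RootedSlot::set: !initialized()");
        value_ = v;
        return *this;
    }
    const T& get() const { return value_; }
};

// "Before": the per-runtime state leaves the slot uninitialized and relies on a
// separate setup step that only one construction path remembers to call.
struct ShellStateBefore {
    RootedSlot<int> interruptFunc;
    explicit ShellStateBefore(Runtime*) {}
    void lateInit(Runtime* rt) { interruptFunc.init(rt, 0); }
};

// "After": the constructor initializes every rooted member, so every path that
// constructs the state (main thread or worker) gets a usable slot.
struct ShellStateAfter {
    RootedSlot<int> interruptFunc;
    explicit ShellStateAfter(Runtime* rt) { interruptFunc.init(rt, 0); }
};

// Models the shell's setInterruptCallback builtin: store the callback in the
// per-runtime slot. Returns true on success, false if the slot was unusable.
template <typename State>
bool setInterruptCallback(State& state, int callbackId) {
    try {
        state.interruptFunc = callbackId;
        return true;
    } catch (const std::logic_error&) {
        return false;
    }
}

// Main-thread path, "before" layout: constructs the state and runs the extra
// setup step, so the slot is usable.
bool mainThreadBefore() {
    Runtime rt{"main"};
    ShellStateBefore s(&rt);
    s.lateInit(&rt);                      // the step the worker path forgets
    return setInterruptCallback(s, 42);
}

// Worker path, "before" layout: constructs its own state but never calls the
// extra setup step, so the first assignment trips the initialized() check.
bool workerBefore() {
    Runtime rt{"worker"};
    ShellStateBefore s(&rt);
    return setInterruptCallback(s, 42);   // false: slot never initialized
}

// Both paths, "after" layout: initialization lives in the constructor, so there
// is no separate step to forget.
bool mainThreadAfter() {
    Runtime rt{"main"};
    ShellStateAfter s(&rt);
    return setInterruptCallback(s, 42);
}

bool workerAfter() {
    Runtime rt{"worker"};
    ShellStateAfter s(&rt);
    return setInterruptCallback(s, 42);   // true: constructor initialized it
}
```

The design point is the one the fix makes: an invariant that every construction path must uphold belongs in the constructor, not in a setup routine that callers are expected to remember, because a later refactor (here, encapsulating the per-runtime state) silently adds a path that skips it.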

Updated (2 years ago): Attachment #8715883 - Flags: review?(jcoppeard) → review+

Updated (2 years ago): Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 2 (2 years ago)
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151008094633" and the hash "e04c59fd01c4b07898f805938e131afb3d71f7e5".
The "bad" changeset has the timestamp "20151008095537" and the hash "ecabb878492d482b3caac0b125df41e8a9278a39".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e04c59fd01c4b07898f805938e131afb3d71f7e5&tochange=ecabb878492d482b3caac0b125df41e8a9278a39
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/1f46ca0a518a
user:        Jon Coppeard
date:        Thu Oct 08 17:48:53 2015 +0100
summary:     Bug 1212349 - Encapsulate the shell's per-runtime state r=jandem

Guessing this is related to bug 1212349.
Blocks: 1212349

Comment 5 (bugherder, 2 years ago)
https://hg.mozilla.org/mozilla-central/rev/b78ea6f025af
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox47: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47