Closed Bug 1248343 Opened 7 years ago Closed 7 years ago

Crash [@ js::ToPrimitiveSlow]

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86_64, macOS
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 1232685
Tracking Status: firefox47 --- fixed
Reporter: gkw
Assignee: Unassigned
Keywords: crash, regression, testcase
Whiteboard: [jsbugmon:update]

The following testcase crashes on mozilla-central revision e355cacefc88 (build with --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager --no-baseline):

// Adapted from randomly chosen test: js/src/jit-test/tests/modules/bug-1233915.js
g = newGlobal();
g.parent = this;
g.eval("(" + function() {
    Debugger(parent).onExceptionUnwind = function(frame) frame.eval("");
} + ")()");
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug602088.js
var p = Proxy.createFunction({}, function() {});
print(new p);

Backtrace:

0   js-64-dm-clang-darwin-e355cacefc88	0x0000000100384d5d js::ToPrimitiveSlow(JSContext*, JSType, JS::MutableHandle<JS::Value>) + 237 (jsobj.h:122)
1   ???                           	0x0000000101c02ec0 0 + 4324339392

This does not seem to reproduce with a debug build. I used the following configuration command:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

I wonder what autoBisect has to say about this?

Bisecting in progress...

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/320b84c9e321
user:        simplyblue
date:        Wed Oct 28 16:38:27 2015 +0530
summary:     Bug 1212533 - Change the out-param of js/JS::Construct from MutableHandleValue to MutableHandleObject.  r=arai, r=jorendorff

Arai-san/jorendorff, is bug 1212533 a likely regressor?
Blocks: 1212533
Flags: needinfo?(jorendorff)
Flags: needinfo?(arai.unmht)

Debugger overwriting return value in a constructing frame with a primitive, or Bob's your uncle.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(arai.unmht)
Flags: needinfo?(jorendorff)
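
The invariant behind the diagnosis above ("Debugger overwriting return value in a constructing frame with a primitive"), as an added example that is not part of the bug report and is not SpiderMonkey code: `new` must always evaluate to an object, which JavaScript enforces for ordinary constructors and for Proxy construct traps. `constructWithForcedReturn` and its `{ return: value }` argument are a hypothetical model of a forced return, and falling back to `this` is an assumed guard, not the fix from bug 1232685.

```javascript
// True for anything `new` is allowed to evaluate to.
function isObject(v) {
  return (typeof v === "object" && v !== null) || typeof v === "function";
}

// Classify what `new target()` produces: "object", "primitive", or the
// name of the error that was thrown.
function newResultKind(target) {
  try {
    return isObject(new target()) ? "object" : "primitive";
  } catch (e) {
    return e.constructor.name;
  }
}

// Ordinary constructor: the primitive return value is dropped, `this` wins.
function ReturnsPrimitive() { this.tag = "kept"; return 42; }

// Proxy construct trap: a primitive result is rejected with a TypeError.
const trapReturnsPrimitive = new Proxy(function () {}, {
  construct() { return 42; },
});

// Hypothetical model of a constructing frame whose exception is replaced by
// a debugger-style forced return ({ return: value }). Not engine code.
function constructWithForcedReturn(Ctor, args, forcedReturn) {
  const thisObj = Object.create(Ctor.prototype);
  let result;
  try {
    result = Ctor.apply(thisObj, args);
  } catch (e) {
    if (forcedReturn === undefined) throw e; // no hook installed
    result = forcedReturn.return;            // hook turned the throw into a return
  }
  // The guard: re-apply the constructor rule to the forced value so a caller
  // that expects an object never receives a primitive.
  return isObject(result) ? result : thisObj;
}

// Constructed sample: a constructor that always throws.
function Throws() { throw new Error("boom"); }
```

Without the final guard, `constructWithForcedReturn(Throws, [], { return: undefined })` would hand `undefined` to code that treats the result of `new` as an object.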