Closed
Bug 1251090
Opened 9 years ago
Closed 9 years ago
Crash [@ js::ModuleObject::fixScopesAfterCompartmentMerge] or Assertion failure: parseTask->kind == kind, at vm/HelperThreads.cpp:1138
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED FIXED
Target milestone: mozilla47
| Tracking | Status | |
|---|---|---|
| firefox47 | --- | fixed |
People
(Reporter: decoder, Assigned: jonco)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Crash Data
Attachments
(1 file)
patch, 5.41 KB, shu: review+
The following testcase crashes on mozilla-central revision 5b2baa5e9356 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --ion-offthread-compile=off):
offThreadCompileScript("");
finishOffThreadModule();
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
js::ModuleObject::fixScopesAfterCompartmentMerge (this=0x0, cx=cx@entry=0x7ffff6907800) at js/src/builtin/ModuleObject.cpp:752
#0 js::ModuleObject::fixScopesAfterCompartmentMerge (this=0x0, cx=cx@entry=0x7ffff6907800) at js/src/builtin/ModuleObject.cpp:752
#1 0x0000000000813a06 in js::GlobalHelperThreadState::finishModuleParseTask (this=<optimized out>, maybecx=maybecx@entry=0x7ffff6907800, rt=rt@entry=0x7ffff695d000, token=token@entry=0x7ffff3132c40) at js/src/vm/HelperThreads.cpp:1218
#2 0x000000000043bbc3 in FinishOffThreadModule (token=<optimized out>, rt=0x7ffff695d000, maybecx=0x7ffff6907800) at js/src/shell/js.cpp:3802
#3 FinishOffThreadModule (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7ffff314f090) at js/src/shell/js.cpp:3884
#4 0x000000000088f441 in CallJSNative (args=..., native=0x43bb20 <FinishOffThreadModule(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff6907800) at js/src/jscntxtinlines.h:235
[...]
rax 0x7fffffffcff0 140737488343024
rbx 0x0 0
rcx 0x3 3
rdx 0x7ffff6a00048 140737331069000
rsi 0x7ffff6907800 140737330051072
rdi 0x0 0
rbp 0x7ffff6907800 140737330051072
rsp 0x7fffffffc6f0 140737488340720
r8 0x0 0
r9 0xffffff80 4294967168
r10 0x2000 8192
r11 0x7ffff6a00121 140737331069217
r12 0x7ffff3132c40 140737271508032
r13 0x7ffff314f090 140737271623824
r14 0x43bb20 4438816
r15 0x0 0
rip 0x6be6c4 <js::ModuleObject::fixScopesAfterCompartmentMerge(JSContext*)+20>
=> 0x6be6c4 <js::ModuleObject::fixScopesAfterCompartmentMerge(JSContext*)+20>: mov 0x8(%rdi),%rax
0x6be6c8 <js::ModuleObject::fixScopesAfterCompartmentMerge(JSContext*)+24>: mov 0x10(%rax),%eax
Comment 1 • 9 years ago
This is a bug in the shell functions for testing off main thread compilation.
At the moment, the shell doesn't track whether we're compiling a script or a module and so it can attempt to use the token for one kind to finish the compilation for the other kind. We just need to track this so that we report an error if the shell functions are called in a mismatched way as we have here.
Assignee: nobody → jcoppeard
Attachment #8723489 - Flags: review?(shu)
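As an added illustration of the bookkeeping comment 1 describes (this is not the shell's code or the attached patch; `ParseTaskKind`, `OffThreadState`, `startTask` and `finishTask` are hypothetical names), the following C++ model tags each off-thread compile token with the kind of compilation that created it and turns a mismatched finish call into a reported error rather than a null dereference:

```cpp
#include <cassert>
#include <cstddef>
#include <map>
#include <memory>
#include <string>

// Added illustration, not SpiderMonkey's code: a toy model of the shell-side
// bookkeeping described in comment 1. Names (ParseTaskKind, OffThreadState,
// startTask, finishTask) are hypothetical.
enum class ParseTaskKind { Script, Module };

struct ParseTask {
    ParseTaskKind kind;
    std::string source;
};

// Tokens are opaque handles returned to the test script. The unfixed shell only
// kept the token; this model also remembers which kind of compilation it
// belongs to, so finishing with the wrong kind becomes a reported error instead
// of a null ModuleObject* being dereferenced.
class OffThreadState {
public:
    // Start a compilation of the given kind and hand back its token.
    void* startTask(ParseTaskKind kind, const std::string& source) {
        auto task = std::make_unique<ParseTask>(ParseTask{kind, source});
        void* token = task.get();
        tasks_[token] = std::move(task);
        return token;
    }

    // Finish the task behind `token` as `kind`. Returns true on success;
    // on an unknown token or a kind mismatch it sets `error` and returns false.
    bool finishTask(void* token, ParseTaskKind kind, std::string& error) {
        auto it = tasks_.find(token);
        if (it == tasks_.end()) {
            error = "no off-thread compilation is pending for this token";
            return false;
        }
        if (it->second->kind != kind) {
            error = std::string("token was created by ") +
                    (it->second->kind == ParseTaskKind::Script
                         ? "offThreadCompileScript, not a module compile"
                         : "offThreadCompileModule, not a script compile");
            return false;
        }
        tasks_.erase(it);  // hand the result over and drop the bookkeeping
        return true;
    }

    std::size_t pending() const { return tasks_.size(); }

private:
    std::map<void*, std::unique_ptr<ParseTask>> tasks_;
};

// The sequence from the testcase: start a *script* compile, then try to finish
// it as a *module*. With the kind tracked, this is rejected instead of crashing.
bool mismatchIsRejected(std::string& error) {
    OffThreadState shell;
    void* token = shell.startTask(ParseTaskKind::Script, "");
    return !shell.finishTask(token, ParseTaskKind::Module, error);
}

// The matched sequence still works, and a token cannot be finished twice.
bool matchedSequenceSucceeds() {
    OffThreadState shell;
    std::string error;
    void* token = shell.startTask(ParseTaskKind::Script, "");
    bool ok = shell.finishTask(token, ParseTaskKind::Script, error);
    bool secondFinishRejected =
        !shell.finishTask(token, ParseTaskKind::Script, error);
    return ok && secondFinishRejected && shell.pending() == 0;
}
```

The point of the model is the check in `finishTask`: the token alone is not enough to know which finisher is allowed to consume it, so the kind has to travel with the token (or be recorded beside it) and be compared before any kind-specific result is touched.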
Updated • 9 years ago
Severity: critical → normal
Updated • 9 years ago
Attachment #8723489 - Flags: review?(shu) → review+
Comment 3 • 9 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47