Closed
Bug 1252912
Opened 9 years ago
Closed 9 years ago
Crash [@ js::CompartmentChecker::fail] with shortestPaths shell function
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla47
| Tracking | Status | |
|---|---|---|
| firefox47 | --- | fixed |
People
(Reporter: decoder, Assigned: fitzgen)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
|
1.79 KB,
patch
|
jimb
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision e15383656900 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):
try {
x = evalcx('')
toSource = (function() {
})
} catch (foo) {}
shortestPaths(this, ["$4"], 5)
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x000000000084a9b0 in js::CompartmentChecker::fail (c1=<optimized out>, c2=<optimized out>) at js/src/jscntxtinlines.h:49
#0 0x000000000084a9b0 in js::CompartmentChecker::fail (c1=<optimized out>, c2=<optimized out>) at js/src/jscntxtinlines.h:49
#1 0x000000000084aaf3 in check (c=<optimized out>, this=0x7fffffffc420) at js/src/jscntxtinlines.h:70
#2 check (obj=<optimized out>, this=0x7fffffffc420) at js/src/jscntxtinlines.h:81
#3 js::CompartmentChecker::check (this=0x7fffffffc420, v=...) at js/src/jscntxtinlines.h:101
#4 0x00000000008bdb94 in check<JS::Value> (handle=..., this=0x7fffffffc420) at js/src/jscntxtinlines.h:91
#5 assertSameCompartment<JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JSObject*, JSObject*> (t5=<optimized out>, t4=<optimized out>, t3=<synthetic pointer>, t2=<synthetic pointer>, t1=<synthetic pointer>, cx=0x7ffff6907800) at js/src/jscntxtinlines.h:217
#6 DefinePropertyById (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., id=..., id@entry=..., value=..., value@entry=..., get=..., set=..., attrs=attrs@entry=1, flags=0) at js/src/jsapi.cpp:2183
#7 0x00000000008be262 in DefineProperty (cx=0x7ffff6907800, obj=..., name=name@entry=0xecbd94 "predecessor", value=..., getter=..., setter=..., attrs=attrs@entry=1, flags=0) at js/src/jsapi.cpp:2285
#8 0x00000000008be315 in JS_DefineProperty (cx=<optimized out>, obj=..., obj@entry=..., name=name@entry=0xecbd94 "predecessor", value=..., value@entry=..., attrs=attrs@entry=1, getter=getter@entry=0x0, setter=setter@entry=0x0) at js/src/jsapi.cpp:2294
#9 0x0000000000a6121b in ShortestPaths (cx=0x7ffff6907800, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2779
#10 0x0000000000ac0722 in js::CallJSNative (cx=0x7ffff6907800, native=0xa60300 <ShortestPaths(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#22 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7244
rax 0x0 0
rbx 0x7fffffffc420 140737488340000
rcx 0x7ffff6ca5870 140737333844080
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffc360 140737488339808
rsp 0x7fffffffc360 140737488339808
r8 0x7ffff7fdf7c0 140737354004416
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffc120 140737488339232
r11 0x7ffff6c27ee0 140737333329632
r12 0x7fffffffc400 140737488339968
r13 0x0 0
r14 0x7ffff6907800 140737330051072
r15 0x0 0
rip 0x84a9b0 <js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)+48>
=> 0x84a9b0 <js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)+48>: movl $0x31,0x0
0x84a9bb <js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)+59>: callq 0x4a6780 <abort()>
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•9 years ago
|
||
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20160216024750" and the hash "374422755fccfd9e8296195ad60b6f4b752238e6".
The "bad" changeset has the timestamp "20160216032050" and the hash "d73b4d5f5d259b9015d7af8f7bfaae81d33529ec".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=374422755fccfd9e8296195ad60b6f4b752238e6&tochange=d73b4d5f5d259b9015d7af8f7bfaae81d33529ec
Nick, guessing bug 961323 is a likely regressor?
Blocks: 961323
Flags: needinfo?(nfitzgerald)
|
Assignee | |
Comment 3•9 years ago
|
||
Looking into it.
Assignee: nobody → nfitzgerald
Status: NEW → ASSIGNED
Flags: needinfo?(nfitzgerald)
|
|
Assignee | |
Comment 4•9 years ago
|
||
Attachment #8725869 -
Flags: review?(jimb)
|
||
Updated•9 years ago
|
Attachment #8725869 -
Flags: review?(jimb) → review+
|
|
Assignee | |
Updated•9 years ago
|
Keywords: checkin-needed
Keywords: checkin-needed
|
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 6•9 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 33d36bf6ca0c).
|
||
Comment 7•9 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
You need to log in
before you can comment on or make changes to this bug.
Description
•