Bug 1254203 - Crash [@ js::jit::SnapshotIterator::maybeRead] with OOM
Status: RESOLVED FIXED (Closed), target milestone mozilla48
Opened 8 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Assigned: nbp
References: Blocks 1 open bug
Keywords: crash, regression, testcase; Whiteboard: [jsbugmon:]
Attachments (1 file): patch, 1.20 KB, jandem: review+
Description

The following testcase crashes on mozilla-central revision b6acf4d4fc20 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):

    gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
    var o = {}
    Object.defineProperty(o, "p", {
      get: function() {
        return arguments.callee.caller.caller;
      }
    });
    function f() {
      function g() {
        return o.p;
      }
      return g();
    }
    for (var k = 0; k < 2; k--)
      f("x");

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    js::jit::SnapshotIterator::maybeRead (this=this@entry=0xffffbe9c, a=..., fallback=...) at js/src/jit/JitFrames.cpp:1905
    #0  js::jit::SnapshotIterator::maybeRead (this=this@entry=0xffffbe9c, a=..., fallback=...) at js/src/jit/JitFrames.cpp:1905
    #1  0x0821c294 in js::jit::InlineFrameIterator::callee (this=this@entry=0xffffbfe4, fallback=...) at js/src/jit/JitFrames.cpp:2391
    #2  0x08548a11 in js::FrameIter::callee (this=this@entry=0xffffbf80, cx=cx@entry=0xf7a75040) at js/src/vm/Stack.cpp:1099
    #3  0x0838d43c in CallerGetterImpl (cx=cx@entry=0xf7a75040, args=...) at js/src/jsfun.cpp:264
    #4  0x0838d613 in CallNonGenericMethod<IsFunction, CallerGetterImpl> (args=..., cx=0xf7a75040) at js/src/optarmsim/dist/include/js/CallNonGenericMethod.h:100
    #5  CallerGetter (cx=0xf7a75040, argc=argc@entry=0, vp=vp@entry=0xf59fff18) at js/src/jsfun.cpp:296
    #6  0x0834e09f in js::jit::Simulator::softwareInterrupt (this=0xf7a1c000, instr=0xf56fd7b4) at js/src/jit/arm/Simulator-arm.cpp:2339
    #7  0x0834e5bd in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a1c000, instr=instr@entry=0xf56fd7b4) at js/src/jit/arm/Simulator-arm.cpp:3482
    [...]
    #23 main (argc=5, argv=0xffffcc44, envp=0xffffcc5c) at js/src/shell/js.cpp:7250

    eax 0x0 0
    ebx 0x94993e4 155816932
    ecx 0xf55c9c00 -178480128
    edx 0xf55c9834 -178481100
    esi 0xffffbe88 -16760
    edi 0xffffbe9c -16740
    ebp 0xffffbe68 4294950504
    esp 0xffffbe40 4294950464
    eip 0x821c229 <js::jit::SnapshotIterator::maybeRead(js::jit::RValueAllocation const&, js::jit::MaybeReadFallback&)+217>
    => 0x821c229 <js::jit::SnapshotIterator::maybeRead(js::jit::RValueAllocation const&, js::jit::MaybeReadFallback&)+217>: movl $0x771,0x0
       0x821c233 <js::jit::SnapshotIterator::maybeRead(js::jit::RValueAllocation const&, js::jit::MaybeReadFallback&)+227>: call 0x8090500 <abort()>
Updated•8 years ago
Flags: needinfo?(nicolas.b.pierron)

Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 1•8 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Updated•8 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 2•8 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7f84fe59708a
user: Nicolas B. Pierron
date: Mon Dec 22 20:31:53 2014 +0100
summary: Bug 1113940 - Disable the object metadata callback in order to avoid recover instructions re-entry. r=bhackett

(I had to use some tweaks to get this range w/an intermittent testcase, e.g. retrying 99 times with a timeout of 5 seconds):

    time ~/funfuzz/autobisect-js/autoBisect.py -p "--fuzzing-safe --thread-count=2 --ion-eager 1254203.js" -b "--enable-debug --enable-more-deterministic --32 --enable-simulator=arm --enable-arm-simulator" -s dc4b163f7db7 -e f50a771d7d1b -k -i range 1 99 crashes --timeout=5

Nicolas, is bug 1113940 a likely regressor?
Blocks: 1113940
Updated•8 years ago
Assignee: nobody → nicolas.b.pierron
Comment 3•8 years ago
I am able to reproduce it on x86, and x64, and also without the arm simulator.
Hardware: ARM → All
Comment 4•8 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Nicolas, is bug 1113940 a likely regressor?

No, this location is an uncatchable OOM at the moment, because handling it would have huge ripples in the JS engine. I will mark it as such and replace the current MOZ_CRASH.
Comment 5•8 years ago
Attachment #8733454 - Flags: review?(jdemooij)
Updated•8 years ago
Attachment #8733454 - Flags: review?(jdemooij) → review+

Updated•8 years ago
Flags: needinfo?(nicolas.b.pierron)
Comment 7•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/553e7909bae1
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Comment 8•8 years ago
Patch converts a MOZ_CRASH to a crash that the fuzzers understand. No need to uplift. WONTFIX 47.
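Comment 4 (the location is an uncatchable OOM and will be marked as such) and comment 8 (the patch turns a MOZ_CRASH into a crash the fuzzers understand) both turn on how crash-triage tooling separates a deliberate engine abort from a crash that needs memory-safety investigation. The following is an added example of such a bucketer; it is not funfuzz's, JSBugMon's or SpiderMonkey's own code. It assumes that MOZ_CRASH on 32-bit Linux stores the source line number to address 0 and then calls abort(), which is what the disassembly in the report shows (`movl $0x771,0x0` followed by `call abort()`, and 0x771 is 1905, the line of frame #0), and that the engine's OOM-unsafe crash path prints a `[unhandlable oom]` prefix. Apart from the trimmed backtrace taken from this report, the sample logs are constructed.

```python
"""Crash triage for JS-shell fuzzing output.

Added example, not funfuzz's, JSBugMon's or SpiderMonkey's code. Assumptions:
MOZ_CRASH on Linux x86 stores the source line to address 0 and then calls
abort(); the engine's OOM-unsafe crash path prints "[unhandlable oom]".
"""
import re
from typing import Dict, List, Optional

# Deliberate-crash signatures (assumptions stated above).
MOZ_CRASH_STORE = re.compile(r"\bmovl\s+\$0x([0-9a-fA-F]+),\s*0x0\b")
ABORT_CALL = re.compile(r"\bcall\b.*<abort\(\)>")
OOM_MARKER = re.compile(r"\[unhandlable oom\]")
# Generic gdb output.
SIGNAL = re.compile(r"Program received signal (SIG[A-Z]+)")
TOP_FRAME = re.compile(r"^#0\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\S+).*?\bat\s+(\S+):(\d+)")


def top_frame(lines: List[str]) -> Optional[Dict[str, object]]:
    """Function, file and line of frame #0, or None if gdb printed no frames."""
    for line in lines:
        m = TOP_FRAME.match(line.strip())
        if m:
            return {"function": m.group(1), "file": m.group(2), "line": int(m.group(3))}
    return None


def classify(lines: List[str]) -> Dict[str, object]:
    """Bucket one crash log.

    kind is one of:
      "oom"                 the engine said it ran out of memory at a point
                            where it cannot report the failure; expected when
                            fuzzing with a tiny GC budget
      "deliberate-abort"    MOZ_CRASH-style abort; the immediate stored to
                            address 0 is the source line and is cross-checked
                            against frame #0 so a coincidental null write is
                            not mistaken for one
      "needs-investigation" anything else, including faults on wild addresses
    """
    text = "\n".join(lines)
    sig = SIGNAL.search(text)
    result: Dict[str, object] = {
        "kind": "needs-investigation",
        "signal": sig.group(1) if sig else None,
        "top_frame": top_frame(lines),
        "reason": "no deliberate-crash signature; treat as a potential memory-safety bug",
    }

    if OOM_MARKER.search(text):
        result["kind"] = "oom"
        result["reason"] = "engine reported an unhandlable OOM"
        return result

    store = MOZ_CRASH_STORE.search(text)
    if store and ABORT_CALL.search(text):
        stored_line = int(store.group(1), 16)
        result["moz_crash_line"] = stored_line
        frame = result["top_frame"]
        if frame is not None and frame["line"] == stored_line:
            result["kind"] = "deliberate-abort"
            result["reason"] = "MOZ_CRASH at %s:%d" % (frame["file"], stored_line)
        else:
            result["reason"] = "null store of 0x%x then abort(), but it does not match frame #0" % stored_line
    return result


# Sample 1: frames and disassembly from this bug's report, trimmed.
PAGE_BACKTRACE = [
    "Program received signal SIGSEGV, Segmentation fault.",
    "#0  js::jit::SnapshotIterator::maybeRead (this=this@entry=0xffffbe9c, a=..., fallback=...) at js/src/jit/JitFrames.cpp:1905",
    "#1  0x0821c294 in js::jit::InlineFrameIterator::callee (this=this@entry=0xffffbfe4, fallback=...) at js/src/jit/JitFrames.cpp:2391",
    "=> 0x821c229 <js::jit::SnapshotIterator::maybeRead(js::jit::RValueAllocation const&, js::jit::MaybeReadFallback&)+217>: movl $0x771,0x0",
    "   0x821c233 <js::jit::SnapshotIterator::maybeRead(js::jit::RValueAllocation const&, js::jit::MaybeReadFallback&)+227>: call 0x8090500 <abort()>",
]

# Sample 2 (constructed): the same location once it is tagged as an OOM-unsafe
# crash instead of a bare MOZ_CRASH.
OOM_TAGGED = [
    "[unhandlable oom] js::jit::SnapshotIterator::maybeRead",
    "Program received signal SIGSEGV, Segmentation fault.",
    "#0  0x0821c229 in js::jit::SnapshotIterator::maybeRead (this=0xffffbe9c, a=..., fallback=...) at js/src/jit/JitFrames.cpp:1905",
]

# Sample 3 (constructed, fictional frame): a fault through a controlled-looking
# pointer with no abort anywhere; this is the bucket that gets a human.
WILD_SEGV = [
    "Program received signal SIGSEGV, Segmentation fault.",
    "#0  0x081a2b3c in js::Example::readSlot (this=0x41414141, slot=3) at js/src/vm/Example.cpp:42",
    "=> 0x81a2b3c <js::Example::readSlot+12>: mov 0x8(%eax),%ecx",
]


if __name__ == "__main__":
    for name, log in (("report", PAGE_BACKTRACE), ("oom-tagged", OOM_TAGGED), ("wild", WILD_SEGV)):
        r = classify(log)
        print("%s: %s (%s)" % (name, r["kind"], r["reason"]))
```

The cross-check of the stored immediate against the frame #0 line is what makes the MOZ_CRASH bucket trustworthy: a null-pointer write with an unrelated immediate stays in the needs-investigation bucket. Once the engine tags the site as an unhandlable OOM, the marker line alone is enough to file the crash as expected under OOM fuzzing, which is the whole point of the change in comment 8.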