Closed Bug 1257194 Opened 8 years ago Closed 8 years ago

Crash [@ DefinePropertyById] with OOM and drainTraceLogger

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Assigned: h4writer)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 341344bdec8f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var du = new Debugger();
var obj = du.drainTraceLogger();   // first drain succeeds
oomAfterAllocations(1);            // shell hook: fail the next allocation
du.drainTraceLogger().length;      // second drain crashes

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000008879b2 in DefinePropertyById (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., id=..., id@entry=..., value=..., value@entry=..., get=..., set=..., attrs=attrs@entry=1, flags=0) at js/src/jsobj.h:122
#0  0x00000000008879b2 in DefinePropertyById (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., id=..., id@entry=..., value=..., value@entry=..., get=..., set=..., attrs=attrs@entry=1, flags=0) at js/src/jsobj.h:122
#1  0x0000000000887ffc in DefineProperty (cx=cx@entry=0x7ffff6907800, obj=..., name=name@entry=0xee1a90 "lostEvents", value=..., getter=..., setter=..., attrs=attrs@entry=1, flags=0) at js/src/jsapi.cpp:2291
#2  0x00000000008880e5 in JS_DefineProperty (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., name=name@entry=0xee1a90 "lostEvents", value=..., value@entry=..., attrs=attrs@entry=1, getter=getter@entry=0x0, setter=setter@entry=0x0) at js/src/jsapi.cpp:2300
#3  0x00000000009abcd1 in js::Debugger::drainTraceLogger (cx=0x7ffff6907800, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:4659
#4  0x0000000000a7de62 in js::CallJSNative (cx=0x7ffff6907800, native=0x9ab8a0 <js::Debugger::drainTraceLogger(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7304
rax	0x0	0
rbx	0x1	1
rcx	0xfffbffffffffffff	-1125899906842625
rdx	0x1fff3	131059
rsi	0x7fffffffcaa0	140737488341664
rdi	0x7fffffffc810	140737488341008
rbp	0x7fffffffc890	140737488341136
rsp	0x7fffffffc780	140737488340864
r8	0x0	0
r9	0x7fffffffc9a0	140737488341408
r10	0x7fffffffc820	140737488341024
r11	0x1f	31
r12	0x7fffffffc7f0	140737488340976
r13	0x0	0
r14	0x7ffff6907800	140737330051072
r15	0x0	0
rip	0x8879b2 <DefinePropertyById(JSContext*, JS::HandleObject, JS::HandleId, JS::HandleValue, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int, unsigned int)+1058>
=> 0x8879b2 <DefinePropertyById(JSContext*, JS::HandleObject, JS::HandleId, JS::HandleValue, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int, unsigned int)+1058>:	mov    (%rax),%rax
   0x8879b5 <DefinePropertyById(JSContext*, JS::HandleObject, JS::HandleId, JS::HandleValue, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int, unsigned int)+1061>:	mov    (%rax),%rax
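Added example, not code from this bug or from SpiderMonkey: a hypothetical C model of the class of defect an oomAfterAllocations-style test exposes. The register dump above has rax = 0 at the faulting `mov (%rax),%rax` inside DefinePropertyById, i.e. a null dereference while an allocation failure is being forced. The fault-injecting allocator, the toy object and the two drain functions below are assumptions made for illustration; they do not show what the actual patch changed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Fault-injecting allocator (assumption: modelled on the JS shell's
 * oomAfterAllocations(n), not SpiderMonkey's real allocator). When armed,
 * the n-th allocation fails and injection disarms itself. */
static int g_oom_countdown = 0;          /* 0 = injection disabled */

static void oom_after_allocations(int n) { g_oom_countdown = n; }

static void *checked_malloc(size_t size) {
    if (g_oom_countdown > 0 && --g_oom_countdown == 0)
        return NULL;                      /* simulated allocation failure */
    return malloc(size);
}

/* Toy stand-in for a JS object (hypothetical): a small property table. */
#define MAX_PROPS 4
typedef struct {
    const char *names[MAX_PROPS];
    long values[MAX_PROPS];
    int count;
} toy_object;

static toy_object *new_object(void) {
    toy_object *o = checked_malloc(sizeof *o);
    if (o) o->count = 0;
    return o;
}

/* Like JS_DefineProperty in the backtrace, this assumes a live object:
 * passing NULL reads through a null pointer. */
static int define_property(toy_object *o, const char *name, long value) {
    if (o->count >= MAX_PROPS) return 0;
    o->names[o->count] = name;
    o->values[o->count] = value;
    o->count++;
    return 1;
}

/* Buggy shape: the allocation result is used without a check. With
 * oom_after_allocations(1) armed this dereferences NULL inside
 * define_property. Kept for comparison; never called below. */
toy_object *drain_unchecked(long lost_events) {
    toy_object *o = new_object();
    define_property(o, "lostEvents", lost_events);
    return o;
}

/* Hardened shape: propagate the failure to the caller instead of touching NULL. */
static toy_object *drain_checked(long lost_events) {
    toy_object *o = new_object();
    if (!o) return NULL;                  /* report OOM as an error */
    if (!define_property(o, "lostEvents", lost_events)) { free(o); return NULL; }
    return o;
}

/* Mirrors the testcase's shape: one successful drain, arm OOM for the very
 * next allocation, drain again. Returns 1 if the first drain succeeded and
 * the second failed cleanly (NULL) rather than faulting. */
static int run_oom_scenario(void) {
    toy_object *first = drain_checked(0);
    if (!first) return 0;
    free(first);
    oom_after_allocations(1);
    toy_object *second = drain_checked(0);
    int clean = (second == NULL);
    free(second);
    return clean;
}

/* Returns 1 if a drain with injection disabled stores v under "lostEvents". */
static int drain_stores(long v) {
    toy_object *o = drain_checked(v);
    int ok = o != NULL && o->count == 1 && o->values[0] == v;
    free(o);
    return ok;
}

int main(void) {
    printf("checked drain under forced OOM failed cleanly: %s\n",
           run_oom_scenario() ? "yes" : "no");
    return 0;
}
```

The scenario function is the harness a fuzzer effectively runs: arm the failure right before the call under test and confirm the callee surfaces an error instead of reading through the null result.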
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ba17a7e1ae7b
user:        Hannes Verschore
date:        Thu Nov 20 17:44:02 2014 +0100
summary:     Bug 1072910 - TraceLogger: Create hooks for the debugger, r=bbouvier

This iteration took 178.940 seconds to run.
Hannes, is bug 1072910 a likely regressor?
Blocks: 1072910
Flags: needinfo?(hv1989)
Attached patch: Patch
Assignee: nobody → hv1989
Flags: needinfo?(hv1989)
Attachment #8732816 - Flags: review?(bbouvier)
Comment on attachment 8732816 [details] [diff] [review]
Patch

Review of attachment 8732816 [details] [diff] [review]:
-----------------------------------------------------------------

Duh!
Attachment #8732816 - Flags: review?(bbouvier) → review+
https://hg.mozilla.org/mozilla-central/rev/af3a5793ae39
https://hg.mozilla.org/mozilla-central/rev/b79f70a20d4a
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
This test fails on debug Aurora simulation builds:
https://treeherder.mozilla.org/logviewer.html#?job_id=18722108&repo=try

Can you please wrap the meat of the test inside an |if (typeof du.drainTraceLogger === "function")| guard like other tests in the directory do?
Flags: needinfo?(hv1989)
Attached patch: Aurora patch
@RyanVM: That is correct. This needs to check if the function is available.
Flags: needinfo?(hv1989)
Attachment #8736291 - Flags: review+