Closed
Bug 1257194
Opened 8 years ago
Closed 8 years ago
Crash [@ DefinePropertyById] with OOM and drainTraceLogger
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
mozilla48
Tracking | Status | |
---|---|---|
firefox48 | --- | fixed |
People
(Reporter: decoder, Assigned: h4writer)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
1.03 KB, patch | bbouvier: review+
2.75 KB, patch | h4writer: review+
The following testcase crashes on mozilla-central revision 341344bdec8f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

```js
var du = new Debugger();
var obj = du.drainTraceLogger();
oomAfterAllocations(1);
du.drainTraceLogger().length;
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x00000000008879b2 in DefinePropertyById (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., id=..., id@entry=..., value=..., value@entry=..., get=..., set=..., attrs=attrs@entry=1, flags=0) at js/src/jsobj.h:122
#0  0x00000000008879b2 in DefinePropertyById (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., id=..., id@entry=..., value=..., value@entry=..., get=..., set=..., attrs=attrs@entry=1, flags=0) at js/src/jsobj.h:122
#1  0x0000000000887ffc in DefineProperty (cx=cx@entry=0x7ffff6907800, obj=..., name=name@entry=0xee1a90 "lostEvents", value=..., getter=..., setter=..., attrs=attrs@entry=1, flags=0) at js/src/jsapi.cpp:2291
#2  0x00000000008880e5 in JS_DefineProperty (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., name=name@entry=0xee1a90 "lostEvents", value=..., value@entry=..., attrs=attrs@entry=1, getter=getter@entry=0x0, setter=setter@entry=0x0) at js/src/jsapi.cpp:2300
#3  0x00000000009abcd1 in js::Debugger::drainTraceLogger (cx=0x7ffff6907800, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:4659
#4  0x0000000000a7de62 in js::CallJSNative (cx=0x7ffff6907800, native=0x9ab8a0 <js::Debugger::drainTraceLogger(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7304
rax	0x0	0
rbx	0x1	1
rcx	0xfffbffffffffffff	-1125899906842625
rdx	0x1fff3	131059
rsi	0x7fffffffcaa0	140737488341664
rdi	0x7fffffffc810	140737488341008
rbp	0x7fffffffc890	140737488341136
rsp	0x7fffffffc780	140737488340864
r8	0x0	0
r9	0x7fffffffc9a0	140737488341408
r10	0x7fffffffc820	140737488341024
r11	0x1f	31
r12	0x7fffffffc7f0	140737488340976
r13	0x0	0
r14	0x7ffff6907800	140737330051072
r15	0x0	0
rip	0x8879b2 <DefinePropertyById(JSContext*, JS::HandleObject, JS::HandleId, JS::HandleValue, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int, unsigned int)+1058>
=> 0x8879b2 <DefinePropertyById(JSContext*, JS::HandleObject, JS::HandleId, JS::HandleValue, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int, unsigned int)+1058>:	mov    (%rax),%rax
   0x8879b5 <DefinePropertyById(JSContext*, JS::HandleObject, JS::HandleId, JS::HandleValue, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int, unsigned int)+1061>:	mov    (%rax),%rax
```
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ba17a7e1ae7b
user: Hannes Verschore
date: Thu Nov 20 17:44:02 2014 +0100
summary: Bug 1072910 - TraceLogger: Create hooks for the debugger, r=bbouvier

This iteration took 178.940 seconds to run.
Hannes, is bug 1072910 a likely regressor?
Blocks: 1072910
Flags: needinfo?(hv1989)
Assignee
Comment 3•8 years ago
Comment 4•8 years ago
Comment on attachment 8732816: Patch

Review of attachment 8732816:

Duh!
Attachment #8732816 -
Flags: review?(bbouvier) → review+
Comment 7•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/af3a5793ae39
https://hg.mozilla.org/mozilla-central/rev/b79f70a20d4a
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Comment 8•8 years ago
This test fails on debug Aurora simulation builds:
https://treeherder.mozilla.org/logviewer.html#?job_id=18722108&repo=try

Can you please wrap the meat of the test inside an |if (typeof du.drainTraceLogger === "function")| guard like other tests in the directory do?
Flags: needinfo?(hv1989)
Assignee
Comment 9•8 years ago
@RyanVM: That is correct. This needs to check if the function is available.
Flags: needinfo?(hv1989)
Attachment #8736291 -
Flags: review+
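The guarded form of the reporter's testcase that comment 8 asks for, as an added example (not the test that landed, which is not shown on this page). The function name, the `shell` parameter and the returned status strings are hypothetical; it assumes the shell reports the injected allocation failure as a thrown error and that the `resetOOMFailure` shell builtin is present, and skips that call when it is not.

```javascript
// Added example: regression test for bug 1257194 with the feature guard from comment 8.
// `shell` is the object exposing the SpiderMonkey shell builtins (hypothetical
// parameter); it defaults to globalThis so the file can be loaded in a js shell.
function runDrainTraceLoggerOomTest(shell = globalThis) {
  // Debugger and oomAfterAllocations only exist in builds that ship them.
  if (typeof shell.Debugger !== "function" ||
      typeof shell.oomAfterAllocations !== "function") {
    return "skipped: shell builtins missing";
  }

  const du = new shell.Debugger();

  // Guard requested in comment 8: builds without the TraceLogger have no
  // drainTraceLogger, and the unguarded test fails there.
  if (typeof du.drainTraceLogger !== "function") {
    return "skipped: no TraceLogger";
  }

  // Same sequence as the reporter's testcase.
  du.drainTraceLogger();
  shell.oomAfterAllocations(1);
  try {
    // Before the fix this call crashed with SIGSEGV in DefinePropertyById.
    du.drainTraceLogger().length;
    return "ran: no OOM hit";
  } catch (e) {
    // Assumed: the injected failure surfaces as a thrown error. A reported
    // out-of-memory condition is fine; a crash is the bug.
    return "ran: OOM reported";
  } finally {
    // Disarm the fault injection so later code in the same shell is unaffected.
    if (typeof shell.resetOOMFailure === "function") {
      shell.resetOOMFailure();
    }
  }
}
```
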
Comment 11•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/2fb51f179164