Closed Bug 1260712 Opened 10 years ago Closed 9 years ago

Assertion failure: false (not implemented), at js/src/shell/js.cpp:263 with serialize and saveStack

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla49
Tracking Status
firefox48 --- affected
firefox49 --- fixed

People

(Reporter: decoder, Assigned: fitzgen)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision a66bf0a800f3 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

low = high = newGlobal({ principal: 5 })
high.low = low
high.eval("function a() { return saveStack(1, low) }")
set = eval("high.a()")
serialize(set)

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x080f57aa in ShellPrincipals::write (this=0xf4be9430, cx=0xf7a70020, writer=0xffffc9f0) at js/src/shell/js.cpp:263
#0  0x080f57aa in ShellPrincipals::write (this=0xf4be9430, cx=0xf7a70020, writer=0xffffc9f0) at js/src/shell/js.cpp:263
#1  0x087a3629 in JSStructuredCloneWriter::traverseSavedFrame (this=this@entry=0xffffc9f0, obj=obj@entry=...) at js/src/vm/StructuredClone.cpp:1111
#2  0x087a401c in JSStructuredCloneWriter::startWrite (this=0xffffc9f0, v=v@entry=...) at js/src/vm/StructuredClone.cpp:1224
#3  0x087a4899 in JSStructuredCloneWriter::write (this=this@entry=0xffffc9f0, v=v@entry=...) at js/src/vm/StructuredClone.cpp:1360
#4  0x087a55d3 in WriteStructuredClone (cx=cx@entry=0xf7a70020, v=v@entry=..., bufp=bufp@entry=0xffffcd08, nbytesp=nbytesp@entry=0xffffcd0c, cb=cb@entry=0x0, cbClosure=cbClosure@entry=0x0, transferable=...) at js/src/vm/StructuredClone.cpp:391
#5  0x087a5703 in JS_WriteStructuredClone (cx=cx@entry=0xf7a70020, value=value@entry=..., bufp=bufp@entry=0xffffcd08, nbytesp=nbytesp@entry=0xffffcd0c, optionalCallbacks=optionalCallbacks@entry=0x0, closure=closure@entry=0x0, transferable=transferable@entry=...) at js/src/vm/StructuredClone.cpp:2166
#6  0x087a5870 in JSAutoStructuredCloneBuffer::write (this=this@entry=0xffffcd08, cx=cx@entry=0xf7a70020, value=..., transferable=..., optionalCallbacks=optionalCallbacks@entry=0x0, closure=closure@entry=0x0) at js/src/vm/StructuredClone.cpp:2354
#7  0x0883fb91 in Serialize (cx=0xf7a70020, argc=1, vp=0xf4b1f058) at js/src/builtin/TestingFunctions.cpp:2117
#8  0x0870b92a in js::CallJSNative (cx=0xf7a70020, native=0x883fb00 <Serialize(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#20 main (argc=4, argv=0xffffd8a4, envp=0xffffd8b8) at js/src/shell/js.cpp:7443
eax	0x0	0
ebx	0x988f438	159970360
ecx	0xf7e4488c	-136034164
edx	0x0	0
esi	0xffffc9f0	-13840
edi	0xffffc7a4	-14428
ebp	0xffffc718	4294952728
esp	0xffffc700	4294952704
eip	0x80f57aa <ShellPrincipals::write(JSContext*, JSStructuredCloneWriter*)+42>
=> 0x80f57aa <ShellPrincipals::write(JSContext*, JSStructuredCloneWriter*)+42>:	movl   $0x107,0x0
   0x80f57b4 <ShellPrincipals::write(JSContext*, JSStructuredCloneWriter*)+52>:	call   0x8100760 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151012132238" and the hash "001f7d3139ce06e63075cb46bc4c6cbb607e4be4".
The "bad" changeset has the timestamp "20151012133138" and the hash "b0380aa2d9c2a0064272840a922c35f0a482113b".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=001f7d3139ce06e63075cb46bc4c6cbb607e4be4&tochange=b0380aa2d9c2a0064272840a922c35f0a482113b
Nick, is bug 1201620 or bug 1201621 a likely regressor?
Flags: needinfo?(nfitzgerald)
(Not ignoring this, just fairly busy at the moment and haven't had time to investigate yet)
Assignee: nobody → nfitzgerald
Status: NEW → ASSIGNED
Flags: needinfo?(nfitzgerald)
Comment on attachment 8744108
The JS shell's principals should be structured cloneable

Review of attachment 8744108:
-----------------------------------------------------------------

Sorry for the delay.

Would it help other testing if these were deserializable as well? Would this be enough to structured clone stacks? (But that's for future followup; I apologize for preventing you from landing this sooner.)
Attachment #8744108 - Flags: review?(sphink) → review+
(In reply to Steve Fink [:sfink] [:s:] from comment #6)
> Would it help other testing if these were
> deserializable as well? Would this be enough to structured clone stacks?

We could. If that would enable better exercising this code in the shell, it might be valuable.
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49