Closed
Bug 1298355
Opened 8 years ago
Closed 8 years ago
Assertion failure: isObjectOrNull(), at dist/include/js/Value.h:1279 with OOM and Promise
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
| | Tracking | Status |
|---|---|---|
| firefox51 | --- | affected |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision 01748a2b1a46 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --thread-count=2 --ion-check-range-analysis):

```js
var lfLogBuffer = `
let g = newGlobal();
let dbg = new Debugger();
let gw = dbg.addDebuggee(g);
g.promise = Promise.resolve(42);
let promiseDO = gw.getOwnPropertyDescriptor('promise').value;
let resolutionSite = promiseDO.promiseResolutionSite;
`;
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
  try {
    oomTest(function() {
      eval(lfVarx);
    });
  } catch (lfVare) {}
}
```

Backtrace:

```
received signal SIGSEGV, Segmentation fault.
0x080e785e in JS::Value::toObjectOrNull (this=0xf462f988) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Value.h:1279
#0  0x080e785e in JS::Value::toObjectOrNull (this=0xf462f988) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Value.h:1279
#1  0x0865f3cd in js::PromiseObject::resolutionSite (this=<optimized out>) at js/src/builtin/Promise.h:51
#2  js::DebuggerObject::promiseResolutionSiteGetter (cx=0xf7953000, argc=0, vp=0xffffb370) at js/src/vm/Debugger.cpp:8706
#3  0x087034cb in js::CallJSNative (cx=0xf7953000, native=0x865f1e0 <js::DebuggerObject::promiseResolutionSiteGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#4  0x086fa776 in js::InternalCallOrConstruct (cx=0xf7953000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:453
#5  0x086faaad in InternalCall (cx=cx@entry=0xf7953000, args=...) at js/src/vm/Interpreter.cpp:498
#6  0x086fac3b in js::Call (cx=0xf7953000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:517
#7  0x086fad26 in js::CallGetter (cx=0xf7953000, thisv=..., getter=..., rval=...) at js/src/vm/Interpreter.cpp:631
#8  0x086faff9 in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=0xf7953000) at js/src/vm/NativeObject.cpp:1737
#9  GetExistingProperty<(js::AllowGC)1> (cx=0xf7953000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1785
#10 0x086fbb50 in NativeGetPropertyInline<(js::AllowGC)1> (cx=0xf7953000, obj=..., receiver=..., id=..., nameLookup=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2012
#11 0x086fc1c7 in js::NativeGetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2046
#12 0x0830fd53 in js::GetProperty (cx=0xf7953000, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1479
#13 0x086fcd16 in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0xf7953000) at js/src/jsobj.h:836
#14 js::GetProperty (cx=0xf7953000, v=..., name=..., vp=...) at js/src/vm/Interpreter.cpp:4169
#15 0x086ef94a in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0xf7953000) at js/src/vm/Interpreter.cpp:189
#16 Interpret (cx=0xf7953000, state=...) at js/src/vm/Interpreter.cpp:2598
#17 0x086fa5be in js::RunScript (cx=0xf7953000, state=...) at js/src/vm/Interpreter.cpp:399
#18 0x08700950 in js::ExecuteKernel (cx=0xf7953000, script=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., result=0xffffbc10) at js/src/vm/Interpreter.cpp:679
#19 0x086324a3 in js::DirectEvalStringFromIon (cx=0xf7953000, scopeObj=..., callerScript=..., newTargetValue=..., str=..., pc=0xf426bae5 "{", vp=...) at js/src/builtin/Eval.cpp:426
#20 0xf7be8bea in ?? ()
eax            0x0        0
ebx            0x8c32ff4  147009524
ecx            0xf7da4864 -136689564
edx            0x0        0
esi            0xf7953000 -141217792
edi            0xffffb178 -20104
ebp            0xffffb148 4294947144
esp            0xffffb140 4294947136
eip            0x80e785e  <JS::Value::toObjectOrNull() const+110>
=> 0x80e785e <JS::Value::toObjectOrNull() const+110>:   movl   $0x0,0x0
   0x80e7868 <JS::Value::toObjectOrNull() const+120>:   ud2
```
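As an added illustration of the failure mode in the backtrace (this is a constructed model, not code from this bug, from SpiderMonkey, or from the referenced fix): a getter reaches a tagged slot through an asserting accessor, but an injected allocation failure during promise creation has left that slot unfilled, so the tag is neither object nor null. The `Value`, `Promise` and `createPromise` names and the "checked getter" alternative are assumptions that only mirror the shape of the real code.

```cpp
#include <cassert>
#include <memory>

// Constructed, simplified model of a tagged JS value; the real JS::Value is far richer.
struct Object { int id; };
enum class Tag { Undefined, Null, Object };
struct Value {
    Tag tag = Tag::Undefined;   // a fresh slot starts out undefined
    Object* obj = nullptr;
    static Value null() { Value v; v.tag = Tag::Null; return v; }
    static Value object(Object* o) { Value v; v.tag = Tag::Object; v.obj = o; return v; }
    bool isObjectOrNull() const { return tag != Tag::Undefined; }
    // Like the accessor at frame #0 of the backtrace: the caller must guarantee the tag,
    // otherwise a debug build trips an assertion (the crash reported above).
    Object* toObjectOrNull() const { assert(isObjectOrNull()); return obj; }
};

struct Promise { Value resolutionSite; };

// Promise creation with an injectable allocation failure, standing in for what oomTest
// does: the object exists, but the step that fills the slot never ran.
std::unique_ptr<Promise> createPromise(Object* site, bool oomBeforeSlotInit) {
    auto p = std::make_unique<Promise>();
    if (oomBeforeSlotInit) return p;            // partially initialised, slot still undefined
    p->resolutionSite = site ? Value::object(site) : Value::null();
    return p;
}

// Unchecked getter: asserts when handed the partially initialised promise.
Object* resolutionSiteUnchecked(const Promise& p) {
    return p.resolutionSite.toObjectOrNull();
}

// Checked getter: treats an unfilled slot as "no resolution site" instead of asserting.
// One defensive option, assumed here; not necessarily what the referenced fix did.
Object* resolutionSiteChecked(const Promise& p) {
    if (!p.resolutionSite.isObjectOrNull()) return nullptr;
    return p.resolutionSite.toObjectOrNull();
}

int main() {
    Object site{42};
    auto ok  = createPromise(&site, false);
    auto oom = createPromise(&site, true);
    assert(resolutionSiteChecked(*ok) == &site);
    assert(resolutionSiteChecked(*oom) == nullptr);
    // resolutionSiteUnchecked(*oom) would trip the isObjectOrNull() assertion.
    return 0;
}
```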
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
Comment 1•8 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 506facea6316).
JSBugMon: Bisection requested, failed due to error (try manually).
Updated•8 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Updated•8 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 2•8 years ago
JSBugMon: Fix Bisection requested, result: Due to skipped revisions, the first good revision could be any of:

changeset: https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user: Shu-yu Guo
date: Thu Aug 25 01:28:47 2016 -0700
summary: Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)

changeset: https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user: Shu-yu Guo
date: Thu Aug 25 01:28:47 2016 -0700
summary: Bug 1263355 - Report memory metrics for Scopes. (r=njn)

This iteration took 199.197 seconds to run.
Shu-yu, is bug 1263355 a likely fix?
Flags: needinfo?(shu)
Comment 4•8 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
> Shu-yu, is bug 1263355 a likely fix?

I don't know the promise stuff, but I don't see why bug 1263355 would have fixed a promise OOM bug.
Flags: needinfo?(shu)
Till, the fix range is probably bogus, any thoughts on whether the issue still exists?
Flags: needinfo?(till)
Comment 6•8 years ago
It doesn't seem to exist anymore. My best guess at what fixed it is bug 1298776.
Flags: needinfo?(till)
Assuming FIXED by bug 1298776 as per comment 6.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•8 years ago
Whiteboard: [jsbugmon:] → [jsbugmon:update]