Closed Bug 1298568 Opened 5 years ago Closed 5 years ago

Crash [@ js::VarScope::Data::trace] or [@ js::TraceChildren]

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla51
Tracking Status
firefox48 --- unaffected
firefox49 --- unaffected
firefox-esr45 --- unaffected
firefox50 --- unaffected
firefox51 --- verified

People

(Reporter: gkw, Assigned: shu)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision a551f534773c (build with --enable-debug --enable-more-deterministic --enable-profiling, run with --fuzzing-safe --no-threads --ion-eager):

oomTest(Map.prototype.forEach);
fullcompartmentchecks(true);


Backtrace:

0   js-dbg-64-prof-dm-clang-darwin-a551f534773c	0x00000001045db094 js::VarScope::Data::trace(JSTracer*) + 20 (Marking.cpp:1248)
1   js-dbg-64-prof-dm-clang-darwin-a551f534773c	0x000000010460fb78 js::TraceChildren(JSTracer*, void*, JS::TraceKind) + 40 (Tracer.cpp:127)
2   js-dbg-64-prof-dm-clang-darwin-a551f534773c	0x00000001040eb92f js::gc::GCRuntime::checkForCompartmentMismatches() + 559 (jsgc.cpp:3701)
3   js-dbg-64-prof-dm-clang-darwin-a551f534773c	0x00000001040ebcc5 js::gc::GCRuntime::beginMarkPhase(JS::gcreason::Reason, js::AutoLockForExclusiveAccess&) + 53 (jsgc.cpp:3739)
4   js-dbg-64-prof-dm-clang-darwin-a551f534773c	0x00000001040f7a83 js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::AutoLockForExclusiveAccess&) + 691 (jsgc.cpp:5817)
/snip

For detailed crash information, see attachment.

This might not be that bad, but gc is on the stack, so setting s-s as a start.
Due to skipped revisions, the first bad revision could be any of:

changeset:   https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)

changeset:   https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Report memory metrics for Scopes. (r=njn)

Shu-yu, is bug 1263355 a likely regressor?
Blocks: 1263355
Flags: needinfo?(shu)
Crash Signature: [@ js::VarScope::Data::trace] → [@ js::VarScope::Data::trace] [@ js::TraceChildren]
Summary: Crash [@ js::VarScope::Data::trace] → Crash [@ js::VarScope::Data::trace] or [@ js::TraceChildren]
I messed up the invariant in ::clone when I refactored the data stuff for UniquePtr.
Attachment #8785536 - Flags: review?(jwalden+bmo)
Flags: needinfo?(shu)
Comment on attachment 8785536 [details] [diff] [review]
Ensure Scopes that can have data always have non-null data on clone.

Review of attachment 8785536 [details] [diff] [review]:
-----------------------------------------------------------------

Bah, I could have seen this.
Attachment #8785536 - Flags: review?(jwalden+bmo) → review+
https://hg.mozilla.org/mozilla-central/rev/3c3194673109
Assignee: nobody → shu
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::VarScope::Data::trace] [@ js::TraceChildren] → [@ js::VarScope::Data::trace] [@ js::TraceChildren]
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
Group: core-security-release
Keywords: regression