Closed
Bug 1298570
Opened 7 years ago
Closed 7 years ago
Crash [@ js::Sprinter::putString]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla51
| Tracking | Status | |
|---|---|---|
| firefox51 | --- | fixed |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files)
|
27.92 KB,
text/plain
|
Details | |
|
831 bytes,
patch
|
efaust
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision a551f534773c (build with --enable-debug --32, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
oomTest(function([]){})
Backtrace:
0 js-dbg-32-clang-darwin-a551f534773c 0x00aa31b0 js::Sprinter::putString(JSString*) + 32 (String.h:331)
1 js-dbg-32-clang-darwin-a551f534773c 0x008705fb (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*) + 2923 (jsopcode.cpp:1309)
2 js-dbg-32-clang-darwin-a551f534773c 0x00848807 js::DecompileValueGenerator(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, int) + 1319 (jsopcode.cpp:1458)
3 js-dbg-32-clang-darwin-a551f534773c 0x0079d60a js::ReportIsNullOrUndefined(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>) + 74 (jscntxt.cpp:805)
4 js-dbg-32-clang-darwin-a551f534773c 0x0085b05d js::ToObjectSlow(JSContext*, JS::Handle<JS::Value>, bool) + 109 (jsobj.cpp:3195)
5 js-dbg-32-clang-darwin-a551f534773c 0x00a56393 js::GetElementOperation(JSContext*, JSOp, JS::MutableHandle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) + 403 (RootingAPI.h:687)
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•7 years ago
|
||
|
|
Reporter | |
Comment 2•7 years ago
|
||
Due to skipped revisions, the first bad revision could be any of: changeset: https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d user: Shu-yu Guo date: Thu Aug 25 01:28:47 2016 -0700 summary: Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo) changeset: https://hg.mozilla.org/mozilla-central/rev/18bec78f348e user: Shu-yu Guo date: Thu Aug 25 01:28:47 2016 -0700 summary: Bug 1263355 - Report memory metrics for Scopes. (r=njn) Shu-yu, is bug 1263355 a likely regressor?
Blocks: 1263355
Flags: needinfo?(shu)
|
||
Comment 3•7 years ago
|
||
Attachment #8785533 -
Flags: review?(efaustbmo)
|
|
||
Updated•7 years ago
|
Flags: needinfo?(shu)
|
||
Comment 4•7 years ago
|
||
Comment on attachment 8785533 [details] [diff] [review] Check result of getArg when decompiling. Review of attachment 8785533 [details] [diff] [review]: ----------------------------------------------------------------- No objections to this. I could also imagine making it a common property name, so that we didn't have to atomize. Shu is right, though, that this should be "fairly uncommon".
Attachment #8785533 -
Flags: review?(efaustbmo) → review+
Pushed by shu@rfrn.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/6c65ad93a66d Check result of getArg when decompiling. (r=efaust)
|
||
Comment 6•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/6c65ad93a66d
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in
before you can comment on or make changes to this bug.
Description
•