Closed
Bug 1299106
Opened 8 years ago
Closed 8 years ago
Crash [@ js::Sprinter::checkInvariants] or Crash [@ js::Sprinter::putString] with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1298570
 | Tracking | Status |
---|---|---|
firefox51 | --- | affected |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:])
Crash Data
The following testcase crashes on mozilla-central revision 4f72b1d05267 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --no-threads --baseline-eager):

    var lfLogBuffer = `(function([{x}]) {})({})`;
    loadFile();
    loadFile(lfLogBuffer);
    function loadFile(lfVarx) {
        oomTest(function() {
            eval(lfVarx);
        });
    }

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    0x08723ef2 in js::Sprinter::checkInvariants (this=<optimized out>) at js/src/vm/Printer.cpp:132
    #0  0x08723ef2 in js::Sprinter::checkInvariants (this=<optimized out>) at js/src/vm/Printer.cpp:132
    #1  js::Sprinter::InvariantChecker::InvariantChecker (p=<optimized out>, this=<optimized out>) at js/src/vm/Printer.h:63
    #2  js::Sprinter::putString (this=0xffff9f04, s=0x0) at js/src/vm/Printer.cpp:225
    #3  0x08577875 in (anonymous namespace)::ExpressionDecompiler::write (this=this@entry=0xffff9ec8, str=<optimized out>) at js/src/jsopcode.cpp:1309
    #4  0x085a026d in (anonymous namespace)::ExpressionDecompiler::decompilePC (this=this@entry=0xffff9ec8, pc=pc@entry=0xf6a18f25 "T") at js/src/jsopcode.cpp:1192
    #5  0x085a1b6d in DecompileExpressionFromStack (cx=cx@entry=0xf7953000, spindex=spindex@entry=-1, skipStackHits=skipStackHits@entry=0, v=..., res=0xffffa15c) at js/src/jsopcode.cpp:1458
    #6  0x085a1e69 in js::DecompileValueGenerator (cx=0xf7953000, spindex=-1, v=..., fallbackArg=..., skipStackHits=0) at js/src/jsopcode.cpp:1471
    #7  0x084fc1d3 in js::ReportValueErrorFlags (cx=0xf7953000, flags=0, errorNumber=50, spindex=-1, v=..., fallback=..., arg1=0x0, arg2=0x0) at js/src/jscntxt.cpp:859
    #8  0x089e2ac5 in js::jit::DoCallFallback (cx=0xf7953000, frame=0xffffa458, stub_=0xf65f2090, argc=0, vp=0xffffa418, res=...) at js/src/jit/BaselineIC.cpp:5989
    #9  0xf7be367c in ?? ()
    #10 0xf65f2090 in ?? ()
    #11 0xf7be2c4a in ?? ()
    #12 0x081f8880 in EnterBaseline (cx=0xf663879d, cx@entry=0xf7953000, data=...) at js/src/jit/BaselineJIT.cpp:157
    [...]
    #38 0x0851039b in JS_CallFunction (cx=0xf7953000, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2793
    #39 0x08856de4 in OOMTest (cx=0xf7953000, argc=1, vp=0xffffbc88) at js/src/builtin/TestingFunctions.cpp:1395
    #40 0xf7beb825 in ?? ()
    [...]
    #64 main (argc=5, argv=0xffffcde4, envp=0xffffcdfc) at js/src/shell/js.cpp:7623
    eax  0x40        64
    ebx  0x0         0
    ecx  0xf791f000  -141430784
    edx  0xf65d1440  -161672128
    esi  0xffff9f04  -24828
    edi  0x0         0
    ebp  0xffff9dc8  4294942152
    esp  0xffff9d80  4294942080
    eip  0x8723ef2 <js::Sprinter::putString(JSString*)+82>
    => 0x8723ef2 <js::Sprinter::putString(JSString*)+82>: mov 0x4(%ebx),%edi
       0x8723ef5 <js::Sprinter::putString(JSString*)+85>: sub $0x8,%esp
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160825005824" and the hash "181336fdda6625d8ffa5e5764b817cc3da1f9659".
The "bad" changeset has the timestamp "20160825011927" and the hash "bd702fa23037799ab4dd266d8a2b59d021f6cfa8".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=181336fdda6625d8ffa5e5764b817cc3da1f9659&tochange=bd702fa23037799ab4dd266d8a2b59d021f6cfa8
Updated•8 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 2•8 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1789229965bf).
Updated•8 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Updated•8 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 3•8 years ago
JSBugMon: Fix Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6c65ad93a66d
user: Shu-yu Guo
date: Fri Sep 02 15:30:48 2016 -0700
summary: Bug 1298570 - Check result of getArg when decompiling. (r=efaust)

This iteration took 244.667 seconds to run.
Shu-yu, is bug 1298570 a likely fix?
Flags: needinfo?(shu)
Comment 5•8 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> Shu-yu, is bug 1298570 a likely fix?

ya
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE
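The backtrace above shows `putString` reached with `s=0x0` during an `oomTest` run, and the fixing changeset is summarised as "Check result of getArg when decompiling". The following is an added illustration of that pattern, not SpiderMonkey code and not part of the original bug: a toy fallible lookup whose result is checked before printing, driven by a sweep that fails each allocation in turn. All names (`fallibleDup`, `getArgName`, `decompileArgs`, `oomSweep`) are hypothetical.

```cpp
// Added illustration: a toy model, not SpiderMonkey code. All names are hypothetical.
#include <cstring>
#include <new>
#include <string>

static long g_allocCount = 0;   // allocations seen in the current run
static long g_failAt = 0;       // 1-based allocation to fail; 0 disables injection
static bool g_injected = false; // set when a failure was actually injected

// Fallible allocator: returns nullptr at the chosen allocation, like an injected OOM.
static char* fallibleDup(const char* s) {
    if (++g_allocCount == g_failAt) { g_injected = true; return nullptr; }
    std::size_t n = std::strlen(s) + 1;
    char* p = new (std::nothrow) char[n];
    if (p) std::memcpy(p, s, n);
    return p;
}

// Models a fallible name lookup: nullptr means "out of memory", not "no name".
static char* getArgName(unsigned slot) {
    static const char* names[] = {"x", "y"};
    return fallibleDup(names[slot % 2]);
}

// Hardened caller: every fallible result is checked before it reaches the printer.
static bool decompileArgs(std::string& out, unsigned nargs) {
    for (unsigned i = 0; i < nargs; i++) {
        char* name = getArgName(i);
        if (!name) return false;   // propagate failure instead of printing a null
        out += name;
        delete[] name;
    }
    return true;
}

// Sweep: fail allocation 1, 2, 3, ... until a run completes with no injected
// failure. Returns how many runs failed cleanly, or -1 if a failure was ignored.
static int oomSweep(unsigned nargs) {
    int cleanFailures = 0;
    for (g_failAt = 1;; g_failAt++) {
        g_allocCount = 0; g_injected = false;
        std::string out;
        bool ok = decompileArgs(out, nargs);
        if (!g_injected) { g_failAt = 0; return ok ? cleanFailures : -1; }
        if (ok) return -1;         // injected failure was silently ignored
        cleanFailures++;
    }
}

int main() { return oomSweep(3) == 3 ? 0 : 1; }
```

Removing the `if (!name)` check reproduces the shape of the crash in this model: the null pointer flows into the string append and is dereferenced.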