Closed
Bug 1299115
Opened 8 years ago
Closed 7 years ago
Crash [@ std::__atomic_base<unsigned int>::load] with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1307633
Tracking | Status | |
---|---|---|
firefox51 | --- | affected |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
4.52 KB,
text/plain
The following testcase crashes on mozilla-central revision 4f72b1d05267 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

```js
loadFile(`
  test = (function () {
    function f(assertEq) {};
    return "var obj ;" + f.toSource(constructor + "asserts.js") + "; f()";
  })();
  evalWithCache(test, {});
  function evalWithCache(code, ctx) {
    code = cacheEntry(code);
    ctx.global = newGlobal({ cloneSingletons: true });
    var res1 = evaluate(code, Object.create(ctx, {saveBytecode: { value: true } }));
    var res2 = evaluate(code, Object.create(ctx, {loadBytecode: { value: true }, continue (f) {}}));
  }
`);
function loadFile(lfVarx) {
  oomTest(new Function(lfVarx));
}
```

Backtrace:

```
received signal SIGSEGV, Segmentation fault.
0x000000000098563f in std::__atomic_base<unsigned int>::load (__m=std::memory_order_seq_cst, this=<optimized out>) at /usr/include/c++/5/bits/atomic_base.h:396
396	return __atomic_load_n(&_M_i, __m);
#0  0x000000000098563f in std::__atomic_base<unsigned int>::load (__m=std::memory_order_seq_cst, this=<optimized out>) at /usr/include/c++/5/bits/atomic_base.h:396
#1  mozilla::detail::IntrinsicMemoryOps<unsigned int, (mozilla::MemoryOrdering)2>::load (aPtr=...) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Atomics.h:225
#2  mozilla::detail::AtomicBaseIncDec<unsigned int, (mozilla::MemoryOrdering)2>::operator unsigned int (this=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Atomics.h:606
#3  js::SharedScriptData::refCount (this=<optimized out>) at js/src/jsscript.h:656
#4  JSScript::freeScriptData (this=0x7fffeab872b8) at js/src/jsscript.cpp:2121
#5  0x00000000009bda3c in bool js::XDRScript<(js::XDRMode)1>(js::XDRState<(js::XDRMode)1>*, JS::Handle<js::Scope*>, JS::Handle<JSScript*>, JS::Handle<JSFunction*>, JS::MutableHandle<JSScript*>)::{lambda()#1}::operator()() const (__closure=0x7fffffffb8d0) at js/src/jsscript.cpp:617
#6  mozilla::ScopeExit<bool js::XDRScript<(js::XDRMode)1>(js::XDRState<(js::XDRMode)1>*, JS::Handle<js::Scope*>, JS::Handle<JSScript*>, JS::Handle<JSFunction*>, JS::MutableHandle<JSScript*>)::{lambda()#1}>::~ScopeExit() (this=0x7fffffffb8d0, __in_chrg=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/ScopeExit.h:112
#7  js::XDRScript<(js::XDRMode)1> (xdr=xdr@entry=0x7fffffffbed0, scriptEnclosingScope=..., scriptEnclosingScope@entry=..., enclosingScript=..., enclosingScript@entry=..., fun=..., fun@entry=..., scriptp=..., scriptp@entry=...) at js/src/jsscript.cpp:618
#8  0x000000000094523c in js::XDRInterpretedFunction<(js::XDRMode)1> (xdr=xdr@entry=0x7fffffffbed0, enclosingScope=..., enclosingScope@entry=..., enclosingScript=..., enclosingScript@entry=..., objp=..., objp@entry=...) at js/src/jsfun.cpp:638
#9  0x00000000009be60c in js::XDRScript<(js::XDRMode)1> (xdr=xdr@entry=0x7fffffffbed0, scriptEnclosingScope=..., scriptEnclosingScope@entry=..., enclosingScript=..., enclosingScript@entry=..., fun=..., fun@entry=..., scriptp=..., scriptp@entry=...) at js/src/jsscript.cpp:815
#10 0x0000000000c19065 in js::XDRState<(js::XDRMode)1>::codeScript (this=this@entry=0x7fffffffbed0, scriptp=scriptp@entry=...) at js/src/vm/Xdr.cpp:171
#11 0x00000000008b2691 in JS_DecodeScript (cx=cx@entry=0x7ffff695f000, data=data@entry=0x7fffea926000, length=length@entry=430) at js/src/jsapi.cpp:6496
#12 0x0000000000457e3a in Evaluate (cx=0x7ffff695f000, argc=<optimized out>, vp=0x7fffffffc368) at js/src/shell/js.cpp:1602
#13 0x00007ffff7e33635 in ?? ()
#14 0x00007fffffffc408 in ?? ()
#15 0x00007fffffffc340 in ?? ()
#16 0x0000000000000000 in ?? ()
rax	0x7fffffffb8e0	140737488337120
rbx	0x7fffeab872b8	140737131344568
rcx	0x1da0b00	31066880
rdx	0x7ffff6985020	140737330565152
rsi	0xfffafffff061ca00	-1407375145580032
rdi	0x0	0
rbp	0x7fffffffb810	140737488336912
rsp	0x7fffffffb800	140737488336896
r8	0x0	0
r9	0x0	0
r10	0x40	64
r11	0x38	56
r12	0x7fffffffb8e0	140737488337120
r13	0x7fffffffbed0	140737488338640
r14	0x0	0
r15	0x7ffff695f000	140737330409472
rip	0x98563f <JSScript::freeScriptData()+15>
=> 0x98563f <JSScript::freeScriptData()+15>:	mov    (%rdi),%eax
   0x985641 <JSScript::freeScriptData()+17>:	cmp    $0x1,%eax
```

Possibly the same issue as bug 1269718 but I'm not sure.
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1

Also setting needinfo? from :nbp as he has needinfo'ed himself in bug 1269718.
Flags: needinfo?(nicolas.b.pierron)
Updated•7 years ago
Blocks: js-startup-cache
Comment 4•7 years ago
The OOM_VERBOSE stack is almost the same, and this should be covered by the patch made in Bug 1307633.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE