The following testcase crashes on mozilla-central revision 401ea746b1a9 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

evaluate(`
  var du = new Debugger();
  du.setupTraceLoggerScriptCalls();
  du.startTraceLogger();
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x000000000051b3d8 in mozilla::Vector<unsigned int, 1ul, js::SystemAllocPolicy>::back (this=0x7ffff69a0110) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Vector.h:473
#0  0x000000000051b3d8 in mozilla::Vector<unsigned int, 1ul, js::SystemAllocPolicy>::back (this=0x7ffff69a0110) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Vector.h:473
#1  mozilla::Vector<unsigned int, 1ul, js::SystemAllocPolicy>::popCopy (this=0x7ffff69a0110) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Vector.h:1358
#2  js::TraceLoggerThread::stopEvent (id=23, this=0x7ffff69a0040) at js/src/vm/TraceLogging.cpp:537
#3  js::TraceLoggerThread::stopEvent (this=0x7ffff69a0040, event=...) at js/src/vm/TraceLogging.cpp:524
#4  0x0000000000ad9615 in js::TraceLogStopEvent (event=..., logger=<optimized out>) at js/src/vm/TraceLogging.h:444
[...]
#15 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7659

Happens quite frequently, marking fuzzblocker.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9bf32cd7b3e5
user:      Hannes Verschore
date:      Fri Sep 02 18:19:27 2016 +0200
summary:   Bug 1298541: Tracelogger: Part 1: Add debugging to check start and stop correspond, r=bbouvier

This iteration took 247.493 seconds to run.
status-firefox48: --- → unaffected
status-firefox49: --- → unaffected
status-firefox50: --- → unaffected
Created attachment 8788770
Patch

I made a small reasoning error. I assumed that I always fully constructed the active scripts on the stack when enabling tracelogger, but that is wrong. I only log the parent script. That was a conscious decision, only I forgot this. That means we should just ignore the debug tests after the debug stack is empty.
Assignee: nobody → hv1989
Attachment #8788770 - Flags: review?(bbouvier)
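The failure mode described in the comment above, as an added example that is not SpiderMonkey code and not the patch attached to this bug: a hypothetical model of the tracelogger's debug stack of event ids (the names DebugEventStack, enableMidStack, mismatchStillDetected and the script ids 1, 2, 3 are assumptions). The logger is switched on while several scripts are already on the JS stack, only the parent script gets a start event, so when the outer scripts return their stop events arrive with an empty debug stack. Without the fix the pop underflows (the popCopy()/back() segfault in the backtrace); with it the check is skipped while the stack is empty but a real start/stop mismatch is still reported.

```cpp
// Added example, not code from SpiderMonkey or from the patch in this bug.
// Hypothetical model of the debug stack the tracelogger uses to check that
// every stopEvent() pairs with the most recent startEvent().
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class StopResult {
    Matched,              // stop id equals the id on top of the debug stack
    Mismatched,           // stop id differs: a genuine start/stop imbalance
    EmptyStackUnderflow,  // pre-fix behaviour: popCopy() on an empty vector
    EmptyStackIgnored     // post-fix behaviour: debug check skipped
};

class DebugEventStack {
public:
    explicit DebugEventStack(bool ignoreWhenEmpty) : ignoreWhenEmpty_(ignoreWhenEmpty) {}

    void startEvent(uint32_t id) { debugStack_.push_back(id); }

    StopResult stopEvent(uint32_t id) {
        if (debugStack_.empty()) {
            // The real code read back() of an empty mozilla::Vector here and
            // crashed; this model reports the underflow instead of crashing.
            return ignoreWhenEmpty_ ? StopResult::EmptyStackIgnored
                                    : StopResult::EmptyStackUnderflow;
        }
        uint32_t expected = debugStack_.back();
        debugStack_.pop_back();
        return expected == id ? StopResult::Matched : StopResult::Mismatched;
    }

    size_t depth() const { return debugStack_.size(); }

private:
    std::vector<uint32_t> debugStack_;
    bool ignoreWhenEmpty_;
};

// Scripts already on the JS stack when the logger is switched on, outermost
// first. Only the innermost (parent) script gets a start event, but every
// script still emits a stop event when it returns. Returns one StopResult
// per stop, innermost first.
std::vector<StopResult> enableMidStack(const std::vector<uint32_t>& activeScripts,
                                       bool ignoreWhenEmpty) {
    std::vector<StopResult> results;
    if (activeScripts.empty())
        return results;
    DebugEventStack stack(ignoreWhenEmpty);
    stack.startEvent(activeScripts.back());
    for (auto it = activeScripts.rbegin(); it != activeScripts.rend(); ++it)
        results.push_back(stack.stopEvent(*it));
    return results;
}

// A genuine imbalance (stop for script 6 while 7 is on top) must still be
// reported after the fix: the check is only skipped on an empty stack.
StopResult mismatchStillDetected() {
    DebugEventStack stack(/*ignoreWhenEmpty=*/true);
    stack.startEvent(6);
    stack.startEvent(7);
    return stack.stopEvent(6);
}

int main() {
    // Constructed script ids for three nested scripts active at enable time.
    const std::vector<uint32_t> active = {1, 2, 3};
    for (bool fixed : {false, true}) {
        std::printf("%s fix:", fixed ? "with" : "without");
        for (StopResult r : enableMidStack(active, fixed))
            std::printf(" %d", static_cast<int>(r));
        std::printf("\n");
    }
    return 0;
}
```

The first stop in both runs matches the parent script; the two that follow are the ones the reporter's testcase triggers, because startTraceLogger() is called from inside an already-running script.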
Comment on attachment 8788770
Patch

Review of attachment 8788770:
-----------------------------------------------------------------

Got it. Mind adding a test case, please?
Attachment #8788770 - Flags: review?(bbouvier) → review+
Pushed by email@example.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/8e68d6ac1801 TraceLogger - Ignore debug checks when stack is empty, r=bbouvier
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox51: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51