Closed
Bug 1300515
Opened 8 years ago
Closed 8 years ago
Assertion failure: !empty(), at dist/include/mozilla/Vector.h:473 with Trace Logger
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla51
| | Tracking | Status |
|---|---|---|
| firefox48 | --- | unaffected |
| firefox49 | --- | unaffected |
| firefox50 | --- | unaffected |
| firefox51 | --- | fixed |
People
(Reporter: decoder, Assigned: h4writer)
References
Details
(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])
Attachments
(1 file)
patch, 899 bytes, bbouvier: review+
The following testcase crashes on mozilla-central revision 401ea746b1a9 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
evaluate(`
var du = new Debugger();
du.setupTraceLoggerScriptCalls();
du.startTraceLogger();
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x000000000051b3d8 in mozilla::Vector<unsigned int, 1ul, js::SystemAllocPolicy>::back (this=0x7ffff69a0110) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Vector.h:473
#0 0x000000000051b3d8 in mozilla::Vector<unsigned int, 1ul, js::SystemAllocPolicy>::back (this=0x7ffff69a0110) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Vector.h:473
#1 mozilla::Vector<unsigned int, 1ul, js::SystemAllocPolicy>::popCopy (this=0x7ffff69a0110) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Vector.h:1358
#2 js::TraceLoggerThread::stopEvent (id=23, this=0x7ffff69a0040) at js/src/vm/TraceLogging.cpp:537
#3 js::TraceLoggerThread::stopEvent (this=0x7ffff69a0040, event=...) at js/src/vm/TraceLogging.cpp:524
#4 0x0000000000ad9615 in js::TraceLogStopEvent (event=..., logger=<optimized out>) at js/src/vm/TraceLogging.h:444
[...]
#15 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7659
Happens quite frequently, marking fuzzblocker.
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9bf32cd7b3e5
user: Hannes Verschore
date: Fri Sep 02 18:19:27 2016 +0200
summary: Bug 1298541: Tracelogger: Part 1: Add debugging to check start and stop correspond, r=bbouvier
This iteration took 247.493 seconds to run.
status-firefox48:
--- → unaffected
status-firefox49:
--- → unaffected
status-firefox50:
--- → unaffected
Hannes, is bug 1298541 a likely regressor?
Blocks: 1298541
Flags: needinfo?(hv1989)
Comment 3•8 years ago (Assignee)
I made a small reasoning error. I assumed that I always fully constructed the active scripts on the stack when enabling tracelogger, but that is wrong. I only log the parent script, which was a conscious decision, only I forgot this.
That means we should just ignore the debug tests after the debug stack is empty.
Comment 4•8 years ago
Comment on attachment 8788770 [details] [diff] [review]
Patch
Review of attachment 8788770 [details] [diff] [review]:
-----------------------------------------------------------------
Got it. Mind adding a test case, please?
Attachment #8788770 - Flags: review?(bbouvier) → review+
Pushed by hv1989@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8e68d6ac1801
TraceLogger - Ignore debug checks when stack is empty, r=bbouvier
Comment 6•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
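
The situation described in comment 3, as an added example that is not the attached patch or SpiderMonkey code: a simplified model with hypothetical names (`MiniTraceLogger`, `replayLateEnable`) in which logging is enabled mid-execution, only the running event is recorded, and `stopEvent` skips the start/stop check once the debug stack is empty.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical, simplified model; not the SpiderMonkey TraceLogger code.
class MiniTraceLogger {
    bool enabled_ = false;
    std::vector<uint32_t> debugStack_;  // ids whose start was recorded
    unsigned unchecked_ = 0;            // stops with no recorded start
    unsigned mismatches_ = 0;           // stops that did not match the top

  public:
    // Logging is switched on mid-execution. Only the currently running
    // (parent) event is recorded; frames further out are not reconstructed.
    void enable(uint32_t runningId) { enabled_ = true; debugStack_.push_back(runningId); }

    void startEvent(uint32_t id) { if (enabled_) debugStack_.push_back(id); }

    // Returns true when the stop was checked against a recorded start.
    bool stopEvent(uint32_t id) {
        if (!enabled_) return false;
        // Guard: an empty stack means the start predates enable(), so there
        // is nothing to compare against. Popping here is the failing case.
        if (debugStack_.empty()) { ++unchecked_; return false; }
        uint32_t expected = debugStack_.back();
        debugStack_.pop_back();
        if (expected != id) ++mismatches_;
        return true;
    }

    unsigned unchecked() const { return unchecked_; }
    unsigned mismatches() const { return mismatches_; }
};

// Constructed scenario: outer (1) and inner (2) start before logging is on.
MiniTraceLogger replayLateEnable() {
    MiniTraceLogger log;
    log.startEvent(1);   // not recorded, logging is off
    log.startEvent(2);   // not recorded, logging is off
    log.enable(2);       // only the running event is recorded
    log.stopEvent(2);    // checked: matches the recorded start
    log.stopEvent(1);    // skipped: debug stack is already empty
    return log;
}

int main() {
    MiniTraceLogger log = replayLateEnable();
    std::printf("unchecked=%u mismatches=%u\n", log.unchecked(), log.mismatches());
}
```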