Closed Bug 1304569 Opened 8 years ago Closed 7 years ago

Crash [@ js::coverage::LCovSource::writeScript]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla56
Tracking Status
firefox52 --- wontfix
firefox-esr52 --- wontfix
firefox54 --- wontfix
firefox55 --- wontfix
firefox56 --- fixed

People

(Reporter: gkw, Assigned: nbp)

References

Details

(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 560b2c805bf7 (build with --enable-debug --enable-more-deterministic --32, run with --fuzzing-safe --no-threads --baseline-eager --no-ion):

s = newGlobal()
evalcx("\
switch (0) {\
default: break;\
case 1:\
this.s += this.s;\
g(h(\"\", 2));\
break;\
break\
}\
", s)
evalcx("getLcovInfo()", s)

Backtrace:

0 js-dbg-32-dm-clang-darwin-560b2c805bf7 0x00795980 js::coverage::LCovSource::writeScript(JSScript*) + 8720 (jsopcode.h:604)
1 js-dbg-32-dm-clang-darwin-560b2c805bf7 0x00795e55 js::coverage::LCovCompartment::collectCodeCoverageInfo(JSCompartment*, JSObject*, JSScript*) + 85 (CodeCoverage.cpp:420)
2 js-dbg-32-dm-clang-darwin-560b2c805bf7 0x006dbe1c js::GetCodeCoverageSummary(JSContext*, unsigned long*) + 1532 (jsopcode.cpp:2084)
3 js-dbg-32-dm-clang-darwin-560b2c805bf7 0x00a68a69 GetLcovInfo(JSContext*, unsigned int, JS::Value*) + 233 (TestingFunctions.cpp:3420)
4 js-dbg-32-dm-clang-darwin-560b2c805bf7 0x0085dbb5 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 261 (jscntxtinlines.h:236)
/snip

For detailed crash information, see attachment.

Full configuration command:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/2c0f213c8eec
user: Nicolas B. Pierron
date: Tue Jun 28 15:19:55 2016 +0000
summary: Bug 1229813 - Enable branch pruning. r=jandem

Nicolas, is bug 1229813 a likely regressor?
Blocks: 1229813
Flags: needinfo?(nicolas.b.pierron)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Nicolas, is bug 1229813 a likely regressor?

Strange but plausible.
Too late for firefox 52, mass-wontfix.
This bug is not as important as other fuzz-test cases; it might only block CCov builds.
Flags: needinfo?(nicolas.b.pierron)
Is it still reproducible? I can't reproduce locally, but there might be something different in my configuration.
Flags: needinfo?(gary)
Attached file Updated debug stack
This still crashes for me on m-c rev tip 03bcd6d65af6.

# Full configuration command with needed environment variables is:
CXX="g++ -m32 -msse2 -mfpmath=sse" CC="gcc -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh ./configure --target=i686-pc-linux --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Flags: needinfo?(gary)
Flags: needinfo?(mcastelluccio)
Unfortunately I still can't reproduce (building with that configuration command and running "js --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js").
Flags: needinfo?(mcastelluccio)
I tested on Ubuntu 16.04. Nicolas, do you mind testing to see if it reproduces for you?
Flags: needinfo?(nicolas.b.pierron)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #9)
> I tested on Ubuntu 16.04. Nicolas, do you mind testing to see if it
> reproduces for you?

I tried on the latest m-c, and I cannot reproduce this issue either, with both configurations from comment 0 and comment 7, apart from being on Linux. Do you have other test cases which are failing the same way?
Flags: needinfo?(nicolas.b.pierron)
Setting needinfo? from Sean to see if he can reproduce this.
Flags: needinfo?(sstangl)
Yes, I can reproduce this on Linux. The partial backtrace is:

> #0 0x089016f3 in js::GetBytecodeLength (pc=0xe0660148 <error: Cannot access memory at address 0xe0660148>)
>     at /home/sstangl/dev/gecko-dev/js/src/jsopcode.h:607
> #1 0x08901789 in js::GetNextPc (pc=0xe0660148 <error: Cannot access memory at address 0xe0660148>)
>     at /home/sstangl/dev/gecko-dev/js/src/jsopcode.h:887
> #2 0x089033ac in js::coverage::LCovSource::writeScript (this=0xf79a2054, script=0xf6c940b0)
>     at /home/sstangl/dev/gecko-dev/js/src/vm/CodeCoverage.cpp:357
> #3 0x089036d2 in js::coverage::LCovCompartment::collectCodeCoverageInfo (this=0xffffb4fc, comp=0xf6969400, script=0xf6c940b0,
>     name=0xf6a9eae0 "/home/sstangl/tmp/bug1304569.js") at /home/sstangl/dev/gecko-dev/js/src/vm/CodeCoverage.cpp:431
> #4 0x0881ab86 in GenerateLcovInfo (cx=0xf7948800, comp=0xf6969400, out=...)
>     at /home/sstangl/dev/gecko-dev/js/src/jsopcode.cpp:2981
> #5 0x0881ae94 in js::GetCodeCoverageSummary (cx=0xf7948800, length=0xffffb644)
>     at /home/sstangl/dev/gecko-dev/js/src/jsopcode.cpp:3026
> #6 0x08615f21 in GetLcovInfo (cx=0xf7948800, argc=0, vp=0xffffba28)
>     at /home/sstangl/dev/gecko-dev/js/src/builtin/TestingFunctions.cpp:3815
Flags: needinfo?(sstangl)
My GCC version:

$ gcc --version
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Setting ni? for nbp since it's confirmed to still reproduce.
Flags: needinfo?(nicolas.b.pierron)
Sean mentioned over IRC he was on GCC 7.1.1. Thanks for your help!
Ok, I managed to reproduce it, and saw that we compute an endpc which is overflowing the bounds of the code of the JSScript. I will investigate what might be going wrong. Likely a missing bound check.
This patch does 2 things:
1/ Add a bunch of sanity assertions, to ensure that we never go out of bounds with any of the pc.
2/ Ensure that lastcasepc is never used when we do not find any case pc before the defaultpc.
Attachment #8888352 - Flags: review?(bhackett1024)
Attachment #8888352 - Flags: review?(bhackett1024) → review+
Flags: needinfo?(nicolas.b.pierron)
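The bookkeeping failure nbp describes above (a stale lastcasepc handed to GetNextPc when the default body precedes every case body), as an added C++ model that is not SpiderMonkey's CodeCoverage.cpp: the opcode encoding, the Script struct, STALE_PC and the sample offsets are all hypothetical, and the unchecked variant returns the offset the old code would have dereferenced instead of reading it.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>
// Hypothetical encoding: a jump carries a 4-byte offset, other ops are 1 byte.
enum : uint8_t { OP_NOP = 0, OP_JUMP = 1, OP_RETURN = 2 };
static size_t bytecodeLength(uint8_t op) { return op == OP_JUMP ? 5 : 1; }
struct Script {
    std::vector<uint8_t> code;       // constructed bytecode bytes
    size_t defaultBody;              // offset where the default body starts
    std::vector<size_t> caseBodies;  // case body offsets, in source order
};

// Models an uninitialised lastcasepc: not a valid offset into any script.
static const size_t STALE_PC = SIZE_MAX - 7;

// Pre-fix bookkeeping (model): remember the last case body before the default
// and return it unconditionally. With the default first, as in this bug's
// testcase, the stale value survives and GetNextPc(lastcasepc) reads past it.
static size_t lastCasePcUnchecked(const Script& s) {
    size_t lastcase = STALE_PC;
    for (size_t c : s.caseBodies)
        if (c < s.defaultBody) lastcase = c;
    return lastcase;
}

// Bounds-checked GetNextPc: the sanity check the patch's assertions enforce.
static std::optional<size_t> nextPc(const Script& s, size_t pc) {
    if (pc >= s.code.size()) return std::nullopt;   // would read past the code
    size_t next = pc + bytecodeLength(s.code[pc]);
    if (next > s.code.size()) return std::nullopt;
    return next;
}

// Fixed path: consult lastcasepc only when a case body was actually found
// before the default body; otherwise there is no range to close.
static std::optional<size_t> pcAfterLastCase(const Script& s) {
    std::optional<size_t> last;
    for (size_t c : s.caseBodies)
        if (c < s.defaultBody) last = c;
    if (!last) return std::nullopt;
    return nextPc(s, *last);
}

// Constructed 12-byte script with one case body at offset 6 (a jump); with
// defaultFirst the default body sits at offset 1, ahead of every case.
static Script sampleScript(bool defaultFirst) {
    return Script{{0, 0, 0, 0, 0, 0, OP_JUMP, 0, 0, 0, 0, OP_RETURN},
                  size_t(defaultFirst ? 1 : 11), {6}};
}
```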
Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/da3b6b55ed0b
JS Code Coverage: Simplify checks for the last found case-statement body. r=bhackett
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Assignee: nobody → nicolas.b.pierron