Closed
Bug 1331622
Opened 7 years ago
Closed 7 years ago
js shell crashes on inferflags=results
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla54
| Tracking | Status | |
|---|---|---|
| firefox54 | --- | fixed |
People
(Reporter: sandervv, Assigned: sandervv)
Details
Attachments
(1 file, 1 obsolete file)
|
1.78 KB,
patch
|
Details | Diff | Splinter Review |
Crash backtrace: #0 0x0000000000b13d8c in js::DtoaCache::lookup (this=0x490, base=10, d=0.10000000000000001) at /home/smvv/work/mozilla-central/js/src/jscompartment.h:58 #1 0x0000000000b07a5f in NumberToStringWithBase<(js::AllowGC)1> (cx=0x7f161c638000, d=0.10000000000000001, base=10) at /home/smvv/work/mozilla-central/js/src/jsnum.cpp:1373 #2 0x0000000000b1a6b7 in js::NumberToString<(js::AllowGC)1> (cx=0x7f161c638000, d=0.10000000000000001) at /home/smvv/work/mozilla-central/js/src/jsnum.cpp:1397 #3 0x0000000000b970aa in js::ToStringSlow<(js::AllowGC)1> (cx=0x7f161c638000, arg=...) at /home/smvv/work/mozilla-central/js/src/jsstr.cpp:3086 #4 0x0000000000b81e98 in js::ToString<(js::AllowGC)1> (cx=0x7f161c638000, v=...) at /home/smvv/work/mozilla-central/js/src/jsstr.h:172 #5 0x0000000000b7d4c1 in js::ValueToSource (cx=0x7f161c638000, v=...) at /home/smvv/work/mozilla-central/js/src/jsstr.cpp:3160 #6 0x0000000000b7cfae in js::ValueToPrintable (cx=0x7f161c638000, vArg=..., bytes=0x7fffbeb85560, asSource=true) at /home/smvv/work/mozilla-central/js/src/jsstr.cpp:3052 #7 0x0000000000b5b963 in ToDisassemblySource (cx=0x7f161c638000, v=..., bytes=0x7fffbeb85560) at /home/smvv/work/mozilla-central/js/src/jsopcode.cpp:880 #8 0x0000000000b5c66a in js::Disassemble1 (cx=0x7f161c638000, script=..., pc=0x7f161b8e7e31 "<", loc=105, lines=true, sp=0x7fffbeb85630) at /home/smvv/work/mozilla-central/js/src/jsopcode.cpp:1045 #9 0x0000000000e436e7 in js::TypeScript::printTypes (this=0x7f161b8bf230, cx=0x7f161c638000, script=...) at /home/smvv/work/mozilla-central/js/src/vm/TypeInference.cpp:4582 #10 0x0000000000e3c5e0 in js::PrintTypes (cx=0x7f161c638000, comp=0x7f161c65f000, force=false) at /home/smvv/work/mozilla-central/js/src/vm/TypeInference.cpp:2620 #11 0x0000000000a7fd42 in js::DestroyContext (cx=0x7f161c638000) at /home/smvv/work/mozilla-central/js/src/jscntxt.cpp:135 #12 0x0000000000a1141a in JS_DestroyContext (cx=0x7f161c638000) at /home/smvv/work/mozilla-central/js/src/jsapi.cpp:486 #13 0x0000000000455eb1 in main (argc=3, argv=0x7fffbeb85bb8, envp=0x7fffbeb85bd8) at /home/smvv/work/mozilla-central/js/src/shell/js.cpp:7982 Notice that this=0x490 (bogus). This is the JSCompartment pointer of the exclusive context. See below: >>> up #1 0x0000000000b07a5f in NumberToStringWithBase<(js::AllowGC)1> (cx=0x7f161c638000, d=0.10000000000000001, base=10) at /home/smvv/work/mozilla-central/js/src/jsnum.cpp:1373 1373 if (JSFlatString* str = comp->dtoaCache.lookup(base, d)) >>> p comp $7 = (JSCompartment *) 0x0 Setting a breakpoint on the compartment, shows that the compartment is destroyed before the types are printed: >>> p &cx->compartment_ $8 = (JSCompartment **) 0x7f161c6381b0 >>> watch *0x7f161c6381b0 >>> reverse-cont Hardware watchpoint 1: *0x7f161c6381b0 Old value = 0 New value = 476442624 0x0000000000463977 in js::ExclusiveContext::setCompartment (this=0x7f161c638000, comp=0x0, maybeLock=0x0) at /home/smvv/work/mozilla-central/js/src/jscntxtinlines.h:446 446 compartment_ = comp; >>> bt #0 0x0000000000463977 in js::ExclusiveContext::setCompartment (this=0x7f161c638000, comp=0x0, maybeLock=0x0) at /home/smvv/work/mozilla-central/js/src/jscntxtinlines.h:446 #1 0x0000000000463673 in js::ExclusiveContext::leaveCompartment (this=0x7f161c638000, oldCompartment=0x0, maybeLock=0x0) at /home/smvv/work/mozilla-central/js/src/jscntxtinlines.h:417 #2 0x0000000000a11eee in JSAutoCompartment::~JSAutoCompartment (this=0x7fffbeb85870, __in_chrg=<optimized out>) at /home/smvv/work/mozilla-central/js/src/jsapi.cpp:750 #3 0x0000000000454884 in Shell (cx=0x7f161c638000, op=0x7fffbeb859c0, envp=0x7fffbeb85bd8) at /home/smvv/work/mozilla-central/js/src/shell/js.cpp:7579 #4 0x0000000000455df7 in main (argc=3, argv=0x7fffbeb85bb8, envp=0x7fffbeb85bd8) at /home/smvv/work/mozilla-central/js/src/shell/js.cpp:7963
|
Assignee | |
Comment 1•7 years ago
|
||
The patched attached to the bug moves the PrintTypes calls from DestroyContext() to the end of Shell(). In Shell(), the compartments are still live. When Shell() returns, the compartments are destroyed by the destructor of JSAutoCompartment (https://dxr.mozilla.org/mozilla-central/rev/88030580b14bb253a55bc174c987a9fa43c3fb55/js/src/shell/js.cpp#7579). Therefore, printing the types should happen before the end of Shell().
Assignee: nobody → sandervv
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8827436 -
Flags: review?(jdemooij)
|
||
Comment 2•7 years ago
|
||
Comment on attachment 8827436 [details] [diff] [review] print-infer-types-before-destroying-compartments.patch Review of attachment 8827436 [details] [diff] [review]: ----------------------------------------------------------------- This breaks INFERFLAGS=results in the browser, but I don't think anyone is using that and we can fix if needed. We already dump other things in Shell so adding PrintTypes there makes sense.
Attachment #8827436 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 3•7 years ago
|
||
Rebased on top of mozilla-central.
Attachment #8827436 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•7 years ago
|
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/8f45877833df Print inference types before destroying compartments in js shell. r=jandem
Keywords: checkin-needed
|
||
Comment 5•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/8f45877833df
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox54:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
You need to log in
before you can comment on or make changes to this bug.
Description
•