Closed
Bug 1341311
Opened 7 years ago
Closed 7 years ago
Crash [@ CheckHeapTracer::check] or Assertion failure: failures == 0, at gc/Verifier.cpp:560
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1340822
Release | Tracking | Status
---|---|---
firefox51 | --- | unaffected |
firefox52 | --- | unaffected |
firefox53 | --- | unaffected |
firefox54 | --- | fixed |
People
(Reporter: decoder, Unassigned)
(5 keywords, Whiteboard: [jsbugmon:update,bisect][fuzzblocker])
The following testcase crashes on mozilla-central revision d84beb192e57 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --ion-offthread-compile=off):

gczeal(15);
gczeal(9);
evalInCooperativeThread("foo");

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  CheckHeapTracer::check (this=0xf7bf0b88, lock=...) at js/src/gc/Verifier.cpp:560
#1  0x086efa7d in js::gc::CheckHeapAfterGC (rt=0xf7951000) at js/src/gc/Verifier.cpp:569
#2  0x08412db9 in js::ZoneGroup::minorGC (this=0xf7972000, reason=reason@entry=JS::gcreason::DEBUG_GC, phase=phase@entry=js::gcstats::PHASE_EVICT_NURSERY) at js/src/jsgc.cpp:6686
#3  0x0843b803 in js::ZoneGroup::minorGC (phase=js::gcstats::PHASE_EVICT_NURSERY, reason=JS::gcreason::DEBUG_GC, this=<optimized out>) at js/src/jsgc.cpp:6323
#4  js::ZoneGroup::evictNursery (reason=JS::gcreason::DEBUG_GC, this=<optimized out>) at js/src/gc/ZoneGroup.h:80
#5  js::EvictAllNurseries (reason=JS::gcreason::DEBUG_GC, rt=<optimized out>) at js/src/gc/Nursery-inl.h:78
#6  js::gc::GCRuntime::gcCycle (this=0xf7951268, nonincrementalByAPI=false, budget=..., reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6256
#7  0x0843bc3c in js::gc::GCRuntime::collect (this=0xf7951268, nonincrementalByAPI=false, budget=..., reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6454
#8  0x0843c57c in js::gc::GCRuntime::runDebugGC (this=0xf7951268) at js/src/jsgc.cpp:6997
#9  0x08668d29 in js::gc::GCRuntime::gcIfNeededPerAllocation (cx=0xf792a000, this=0xf7951268) at js/src/gc/Allocator.cpp:233
#10 js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0xf7951268, cx=0xf792a000, kind=js::gc::AllocKind::STRING) at js/src/gc/Allocator.cpp:194
#11 0x08669a8c in js::Allocate<JSString, (js::AllowGC)1> (cx=0xf792a000) at js/src/gc/Allocator.cpp:145
#12 0x085a952e in JSFlatString::new_<(js::AllowGC)1, unsigned char> (length=27, chars=0xf13442c0 "os.path - interface object", cx=0xf792a000) at js/src/vm/String-inl.h:228
#13 js::NewStringDontDeflate<(js::AllowGC)1, unsigned char> (cx=0xf792a000, chars=0xf13442c0 "os.path - interface object", length=27) at js/src/vm/String.cpp:1257
#14 0x0859c6f9 in FinishStringFlat<unsigned char, mozilla::Vector<unsigned char, 64u, js::TempAllocPolicy> > (cb=..., sb=..., cx=<optimized out>) at js/src/vm/StringBuffer.cpp:87
#15 js::StringBuffer::finishString (this=0xf7bf1010) at js/src/vm/StringBuffer.cpp:128
#16 0x0808b5a1 in js::shell::GenerateInterfaceHelp (cx=0xf792a000, obj=..., name=0x87b00c8 "os.path") at js/src/shell/jsshell.cpp:66
#17 0x0808c156 in js::shell::DefineOS (cx=0xf792a000, global=..., fuzzingSafe=true, shellOut=0x8a81130 <gOutFile>, shellErr=0x8a81134 <gErrFile>) at js/src/shell/OSObject.cpp:989
#18 0x0808c4f9 in NewGlobalObject (cx=cx@entry=0xf792a000, options=..., principals=principals@entry=0x0) at js/src/shell/js.cpp:7422
#19 0x0808d621 in WorkerMain (arg=0xf13dd6d0) at js/src/shell/js.cpp:3527
[...]
#23 0xf7cd94ce in clone () from /lib32/libc.so.6

eax 0x8a811b4 145232308
ebx 0x8a7eff4 145223668
ecx 0x37 55
edx 0x87af38c 142275468
esi 0xe5e5e501 -437918463
edi 0xf7bf0b88 -138474616
ebp 0xf1301000 4046458880
esp 0xf7bf0b10 4156492560
eip 0x86ef965 <CheckHeapTracer::check(js::AutoLockForExclusiveAccess&)+261>
=> 0x86ef965 <CheckHeapTracer::check(js::AutoLockForExclusiveAccess&)+261>: movl $0x0,0x0
   0x86ef96f <CheckHeapTracer::check(js::AutoLockForExclusiveAccess&)+271>: ud2

Likely shell only.
Comment 1•7 years ago
Fuzzblocker because this happens with various signatures and not all of them go through WorkerMain or use evalInCooperativeThread. Some also use cooperativeYield and setInterruptCallback and those cannot be matched by stack at all. NI from bhackett.
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Updated•7 years ago
status-firefox51:
--- → unaffected
status-firefox52:
--- → unaffected
status-firefox53:
--- → unaffected
Comment 2•7 years ago
I think this was fixed by bug 1340822. I can reproduce this on the parent revision of a40af83f562a but not a40af83f562a itself.
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Comment 4•7 years ago
FF54 was fixed in bug 1340822. Mark 54 fixed.