Bug 1343876 (Closed)
Assertion failure: CurrentThreadCanAccessZone(zone), at js/src/gc/Heap.h:1262
Opened 7 years ago
Closed 7 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 1342101

| | Tracking | Status |
|---|---|---|
| firefox53 | --- | fixed |

People: Reporter: decoder, Unassigned
Details: 5 keywords, Whiteboard: [jsbugmon:]
Attachments (1 file): 7.79 KB, text/plain
The following testcase crashes on mozilla-central revision e91de6fb2b3d (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --ion-check-range-analysis --ion-extra-checks --baseline-eager --ion-offthread-compile=off):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0 0x00000000004f93f8 in js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1262
#1 0x0000000000bdbfa3 in JSObject::zone (this=<optimized out>) at js/src/jsobj.h:302
#2 js::FunctionScope::Data::zone (this=0x7fffdafbae50) at js/src/vm/Scope.cpp:608
#3 js::GCManagedDeletePolicy<js::FunctionScope::Data>::operator() (ptr=0x7fffdafbae50, this=<optimized out>) at js/src/gc/Zone.h:889
#4 mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> >::reset (aPtr=0x0, this=<optimized out>) at dist/include/mozilla/UniquePtr.h:343
#5 mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> >::~UniquePtr (this=<optimized out>, __in_chrg=<optimized out>) at dist/include/mozilla/UniquePtr.h:288
#6 js::DispatchWrapper<mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> > >::~DispatchWrapper (this=<optimized out>, __in_chrg=<optimized out>) at dist/include/js/RootingAPI.h:711
#7 JS::Rooted<mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> > >::~Rooted (this=<optimized out>, __in_chrg=<optimized out>) at dist/include/js/RootingAPI.h:790
#8 0x0000000000bd47e0 in js::FunctionScope::clone (cx=cx@entry=0x7fffdcd8a000, scope=scope@entry=..., fun=..., fun@entry=..., enclosing=..., enclosing@entry=...) at js/src/vm/Scope.cpp:700
#9 0x00000000009f7a95 in js::CloneScriptIntoFunction (cx=cx@entry=0x7fffdcd8a000, enclosingScope=enclosingScope@entry=..., fun=fun@entry=..., src=src@entry=...) at js/src/jsscript.cpp:3533
#10 0x0000000000bb1cae in JSRuntime::cloneSelfHostedFunctionScript (this=<optimized out>, cx=cx@entry=0x7fffdcd8a000, name=..., name@entry=..., targetFun=targetFun@entry=...) at js/src/vm/SelfHosting.cpp:3228
#11 0x0000000000987d1a in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7fffdcd8a000, fun=fun@entry=...) at js/src/jsfun.cpp:1509
#12 0x00000000004631cc in JSFunction::getOrCreateScript (cx=<optimized out>, fun=...) at js/src/jsfun.h:421
#13 0x0000000000536297 in js::InternalCallOrConstruct (cx=cx@entry=0x7fffdcd8a000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:451
#14 0x00000000005365f6 in InternalCall (cx=cx@entry=0x7fffdcd8a000, args=...) at js/src/vm/Interpreter.cpp:493
#15 0x000000000053674e in js::Call (cx=cx@entry=0x7fffdcd8a000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:512
#16 0x00000000009d6010 in js::Call (rval=..., thisObj=<optimized out>, fval=..., cx=0x7fffdcd8a000) at js/src/vm/Interpreter.h:96
#17 MaybeCallMethod (cx=cx@entry=0x7fffdcd8a000, obj=..., obj@entry=..., id=..., id@entry=..., vp=vp@entry=...) at js/src/jsobj.cpp:2982
#18 0x00000000009da7a5 in JS::OrdinaryToPrimitive (cx=cx@entry=0x7fffdcd8a000, obj=obj@entry=..., hint=hint@entry=JSTYPE_NUMBER, vp=..., vp@entry=...) at js/src/jsobj.cpp:3065
#19 0x00000000009dac95 in js::ToPrimitiveSlow (cx=cx@entry=0x7fffdcd8a000, preferredType=preferredType@entry=JSTYPE_NUMBER, vp=..., vp@entry=...) at js/src/jsobj.cpp:3113
#20 0x0000000000990fc2 in js::ToPrimitive (vp=..., preferredType=JSTYPE_NUMBER, cx=0x7fffdcd8a000) at js/src/jsobj.h:1063
#21 js::ToNumberSlow (cx=cx@entry=0x7fffdcd8a000, v_=..., out=out@entry=0x7fffdbdfd060) at js/src/jsnum.cpp:1584
#22 0x0000000000991a96 in js::ToInt32Slow (cx=cx@entry=0x7fffdcd8a000, v=..., out=out@entry=0x7fffdbdfd0dc) at js/src/jsnum.cpp:1718
#23 0x00000000005395b2 in JS::ToInt32 (cx=cx@entry=0x7fffdcd8a000, v=..., v@entry=..., out=out@entry=0x7fffdbdfd0dc) at dist/include/js/Conversions.h:167
#24 0x0000000000809232 in js::BitLsh (out=<synthetic pointer>, rhs=..., lhs=..., cx=0x7fffdcd8a000) at js/src/vm/Interpreter-inl.h:777
#25 js::jit::DoBinaryArithFallback (cx=0x7fffdcd8a000, payload=<optimized out>, stub_=<optimized out>, lhs=..., rhs=..., ret=...) at js/src/jit/SharedIC.cpp:751
#26 0x0000188a95e10634 in ?? ()
[...]
#56 0x0000000000000000 in ?? ()

rax 0x0 0
rbx 0x7ffff699b000 140737330655232
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffdbdfc840 140736882264128
rsp 0x7fffdbdfc830 140736882264112
r8 0x7ffff6ef7770 140737336276848
r9 0x7fffdbdff700 140736882276096
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7fffdbdfc8f0 140736882264304
r13 0x7fffdbdfca10 140736882264592
r14 0x7fffdbdfc910 140736882264336
r15 0x7fffdcd8a000 140736898572288
rip 0x4f93f8 <js::gc::TenuredCell::zone() const+344>
=> 0x4f93f8 <js::gc::TenuredCell::zone() const+344>: movl $0x0,0x0
0x4f9403 <js::gc::TenuredCell::zone() const+355>: ud2

This is the same assert as bug 1342101, but I'm not sure if this is the same bug, as the stacks seem to be different. The test also seems to be fairly stable compared to the other bug.
Reporter
Comment 1•7 years ago
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 2•7 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated•7 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 3•7 years ago
Yes, this looks like bug 1342101.
Comment 4•7 years ago
Jan, should we mark this bug as a duplicate? If not, please say why and mark it as a blocker. We'll wait until bug 1342101 is fixed and then retest.
Flags: needinfo?(jdemooij)
Comment 5•7 years ago
Yup, this is the same issue as bug 1342101.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Comment 6•7 years ago
FF54 was fixed in bug 1342101. Mark 54 fixed here.
Comment 7•7 years ago
(In reply to Gerry Chang [:gchang] from comment #6)
> FF54 was fixed in bug 1342101. Mark 54 fixed here.

Actually, Firefox 53 was, not 54.

status-firefox53: --- → fixed
status-firefox54: fixed → ---
Updated•7 years ago
Group: javascript-core-security