Closed Bug 1359215 Opened 8 years ago Closed 8 years ago

jsapi-tests testGCAllocator crashes in cls_testGCAllocator::mapMemoryAt

Categories

(Core :: JavaScript Engine, defect)

Other
FreeBSD
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1357874
Tracking Status
firefox53 --- affected
firefox54 --- affected
firefox55 --- unaffected

People

(Reporter: jbeich, Unassigned)

Details

(Keywords: crash)

$ obj-aarch64-unknown-freebsd11.0/dist/bin/jsapi-tests testGCAllocator
testGCAllocator
Segmentation fault

(lldb) bt
jsapi-tests was compiled with optimization - stepping may behave oddly; variables may not be available.
* thread #1: tid = 101021, 0x00000000004764ac jsapi-tests`cls_testGCAllocator::mapMemoryAt(this=0x00000000018cf850, desired=0x0000070000200000, length=8388608) + 36 at testGCAllocator.cpp:318, stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
    frame #0: 0x00000000004764ac jsapi-tests`cls_testGCAllocator::mapMemoryAt(this=0x00000000018cf850, desired=0x0000070000200000, length=8388608) + 36 at testGCAllocator.cpp:318 [opt]
(lldb) bt
* thread #1: tid = 101021, 0x00000000004764ac jsapi-tests`cls_testGCAllocator::mapMemoryAt(this=0x00000000018cf850, desired=0x0000070000200000, length=8388608) + 36 at testGCAllocator.cpp:318, stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
  * frame #0: 0x00000000004764ac jsapi-tests`cls_testGCAllocator::mapMemoryAt(this=0x00000000018cf850, desired=0x0000070000200000, length=8388608) + 36 at testGCAllocator.cpp:318 [opt]
    frame #1: 0x00000000004762ec jsapi-tests`cls_testGCAllocator::testGCAllocatorUp(this=0x00000000018cf850, PageSize=<unavailable>) + 128 at testGCAllocator.cpp:131 [opt]
    frame #2: 0x0000000000475a80 jsapi-tests`cls_testGCAllocator::run(this=0x00000000018cf850, global=<unavailable>) + 84 at testGCAllocator.cpp:57 [opt]
    frame #3: 0x000000000051c52c jsapi-tests`main(argc=<unavailable>, argv=<unavailable>) + 220 at tests.cpp:128 [opt]
    frame #4: 0x000000000042ad20 jsapi-tests`__start + 360
    frame #5: 0x0000000040df1630 ld-elf.so.1 at rtld_start.S:41
(lldb) re r
General Purpose Registers:
        x0 = 0x00000000018cf850  jsapi-tests`cls_testGCAllocator_instance
        x1 = 0x0000070000200000
        x2 = 0x0000000000800000  jsapi-tests`js::jit::ValueNumberer::ValueNumberer(js::jit::MIRGenerator*, js::jit::MIRGraph&) + 4 [inlined] js::jit::MIRGraph::alloc() const at ValueNumbering.cpp:1206
  jsapi-tests`js::jit::ValueNumberer::ValueNumberer(js::jit::MIRGenerator*, js::jit::MIRGraph&) + 4 at ValueNumbering.cpp:1206
        x3 = 0x0000000000001002
        x4 = 0x00000000ffffffff
        x5 = 0x0000000000000000
        x6 = 0x0000000000000000
        x7 = 0x0000000000000000
        x8 = 0x0000000000000000
        x9 = 0x00000000018d48e8  jsapi-tests`gMozCrashReason
       x10 = 0x0000000000d20bd4
       x11 = 0x000000000000013e
       x12 = 0x0000000000000004
       x13 = 0x0000000000000427
       x14 = 0x0000ffffffffe564
       x15 = 0x0000000000000000
       x16 = 0x0000000000e65a50  jsapi-tests`symbol stub for: munmap
       x17 = 0x00000000410d6d34  libc.so.7`munmap
       x18 = 0x0000000048239fc0
       x19 = 0x00000000018cf850  jsapi-tests`cls_testGCAllocator_instance
       x20 = 0x00000000008ff000  jsapi-tests`js::Proxy::className(JSContext*, JS::Handle<JSObject*>)+ 180 [inlined] js::BaseProxyHandler::className(JSContext*, JS::Handle<JSObject*>) const + 20 at Proxy.cpp:557
  jsapi-tests`js::Proxy::className(JSContext*, JS::Handle<JSObject*>) + 160 at Proxy.cpp:557
       x21 = 0x0000000000000000
       x22 = 0x00000000018cf850  jsapi-tests`cls_testGCAllocator_instance
       x23 = 0x0000000000d28e03
       x24 = 0x0000000000d28e18
       x25 = 0x0000000000d28dd0
       x26 = 0x0000000000d20b60
       x27 = 0x0000000000000000
       x28 = 0x0000000000000000
        fp = 0x0000ffffffffea60
        lr = 0x00000000004762ec  jsapi-tests`cls_testGCAllocator::testGCAllocatorUp(unsigned long) +128 [inlined] AnnotateMozCrashReason(char const*) at testGCAllocator.cpp:379
  jsapi-tests`cls_testGCAllocator::testGCAllocatorUp(unsigned long) + 128 [inlined] cls_testGCAllocator::unmapPages(void*, unsigned long) at testGCAllocator.cpp:125
  jsapi-tests`cls_testGCAllocator::testGCAllocatorUp(unsigned long) + 128 at testGCAllocator.cpp:125
        sp = 0x0000ffffffffea60
        pc = 0x00000000004764ac  jsapi-tests`cls_testGCAllocator::mapMemoryAt(void*, unsigned long) + 36 at testGCAllocator.cpp:318
      cpsr = 0x40000000
--disable-ion fails to build, so the relation to bug 1323115 is unknown.
Component: JavaScript Engine: JIT → JavaScript Engine
Hmm, I cannot reproduce on Firefox 55 anymore.

$ .../jsapi-tests testGCAllocator
testGCAllocator
TEST-PASS | testGCAllocator | ok

Passed: ran 1 tests.
Bisecting: the first good revision is mozilla-central changeset 042d975f9355, the parentheses in testGCAllocator.cpp to be specific.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE