Closed
Bug 1492103
Opened 6 years ago
Closed 6 years ago
Crash [@ js::TypeZone::setSweepingTypes] or Assertion failure: sweepingTypes != sweeping, at js/src/vm/TypeInference.h:1479
Categories: Core :: JavaScript: GC, defect
Status: RESOLVED DUPLICATE of bug 1491530

Tracking | Status
---|---
firefox64 | fixed

People: Reporter: decoder, Unassigned
Details: 5 keywords, Whiteboard: [jsbugmon:update,ignore][adv-main64-]
The following testcase crashes on mozilla-central revision 7ac2e2fc613b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2):
    gczeal(20, 2);
    eval(`
    function complex(aReal, aImag) {
        this.r = aReal;
        this.square = function() {}
    }
    function mandelbrotValueOO (aC, aIterMax) {
        let Z = new complex(0.0, 0.0);
        for (var iter = 0; iter < aIterMax; iter++) {
            if (Z.r * Z.r + Z.i * Z.i > 256) { break; }
        }
    }
    const width = 60;
    const height = 60;
    const max_iters = 50;
    for (let img_x = 0; img_x < width; img_x++) {
        for (let img_y = 0; img_y < height; img_y++) {
            let C = new complex(-2 + (img_x / width) * 3);
            var res = mandelbrotValueOO(C, max_iters);
        }
    }
    `)
Backtrace:
received signal SIGSEGV, Segmentation fault.
js::TypeZone::setSweepingTypes (sweeping=<optimized out>, this=<optimized out>) at js/src/vm/TypeInference.h:1479
#0 js::TypeZone::setSweepingTypes (sweeping=<optimized out>, this=<optimized out>) at js/src/vm/TypeInference.h:1479
#1 js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM (this=<optimized out>, zone=0x7ffff57b8000) at js/src/vm/TypeInference.cpp:5028
#2 0x00005555557e3504 in js::AutoSweepObjectGroup::AutoSweepObjectGroup (this=0x7fffffffa7b4, group=0x7ffff59ac040) at js/src/vm/TypeInference-inl.h:1288
#3 0x0000555555ca32ea in js::TypeSet::addType (this=0x7ffff55424d8, type=..., alloc=0x7ffff57b84d8) at js/src/vm/TypeInference.cpp:719
#4 0x0000555555ca348a in js::ConstraintTypeSet::addType (this=0x7ffff55424d8, sweep=..., cx=0x7ffff5f27800, type=...) at js/src/vm/TypeInference.cpp:794
#5 0x0000555555caba16 in js::AddTypePropertyId (cx=cx@entry=0x7ffff5f27800, group=group@entry=0x7ffff59ca070, obj=obj@entry=0x0, id=id@entry=..., type=...) at js/src/vm/TypeInference.cpp:3124
#6 0x0000555555d00f70 in PropagatePropertyTypes (newGroup=0x7ffff59ca070, oldGroup=0x7ffff59ac070, id=..., cx=0x7ffff5f27800) at js/src/vm/UnboxedObject.cpp:552
#7 js::UnboxedLayout::makeNativeGroup (cx=cx@entry=0x7ffff5f27800, group=<optimized out>) at js/src/vm/UnboxedObject.cpp:692
#8 0x0000555555d074f8 in js::UnboxedPlainObject::convertToNative (cx=cx@entry=0x7ffff5f27800, obj=obj@entry=0x7ffff5a00040) at js/src/vm/UnboxedObject.cpp:734
#9 0x0000555555c98784 in js::TypeNewScript::rollbackPartiallyInitializedObjects (this=this@entry=0x7ffff5f73fd0, cx=cx@entry=0x7ffff5f27800, group=group@entry=0x7ffff59ac070) at js/src/vm/TypeInference.cpp:4423
#10 0x0000555555ca9a7e in js::ObjectGroup::clearNewScript (this=this@entry=0x7ffff59ac070, cx=cx@entry=0x7ffff5f27800, replacement=0x7ffff59ca040) at js/src/vm/TypeInference.cpp:3388
#11 0x0000555555d00838 in js::UnboxedLayout::makeNativeGroup (cx=cx@entry=0x7ffff5f27800, group=0x7ffff59ac070) at js/src/vm/UnboxedObject.cpp:624
#12 0x0000555555d074f8 in js::UnboxedPlainObject::convertToNative (cx=cx@entry=0x7ffff5f27800, obj=0x7ffff5a00040) at js/src/vm/UnboxedObject.cpp:734
#13 0x0000555555d07f4b in js::UnboxedPlainObject::obj_setProperty (cx=0x7ffff5f27800, obj=..., id=..., v=..., receiver=..., result=...) at js/src/vm/UnboxedObject.cpp:1070
#14 0x0000555555867ed0 in js::jit::DoSetPropFallback (cx=0x7ffff5f27800, frame=0x7fffffffbc68, stub_=0x7ffff5f660f8, stack=0x7fffffffbc50, lhs=..., rhs=...) at js/src/jit/BaselineIC.cpp:2993
#15 0x00003d959af9839a in ?? ()
[...]
#65 0x0000000000000000 in ?? ()
rax 0x555556ef0020 93825019084832
rbx 0x7ffff57b8000 140737311899648
rcx 0x55555612b8c0 93825004648640
rdx 0x7ffff5f27800 140737319696384
rsi 0x7ffff57b8000 140737311899648
rdi 0x7ffff5f1a000 140737319641088
rbp 0x7ffff59ac040 140737313947712
rsp 0x7fffffffa760 140737488332640
r8 0x7ffff55424d8 140737309320408
r9 0x7ffff55424d8 140737309320408
r10 0x0 0
r11 0x8935bb4 143874996
r12 0x7fffffffa7b4 140737488332724
r13 0x7fffffffa7b4 140737488332724
r14 0x7ffff59ac040 140737313947712
r15 0x0 0
rip 0x555555c98c21 <js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM(JS::Zone*)+97>
=> 0x555555c98c21 <js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM(JS::Zone*)+97>: movl $0x0,0x0
0x555555c98c2c <js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM(JS::Zone*)+108>: ud2
Marking s-s because GC and TypeInference are involved.
Comment 1•6 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 85b4d2bf888a).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/aa3c5d257b1e
user: Jon Coppeard
date: Thu Sep 13 16:46:51 2018 +0100
summary: Bug 1490042 - Only allow a single AutoClearTypeInferenceStateOnOOM to be active at once r=jandem r=sfink
This iteration took 235.426 seconds to run.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
Comment 2•6 years ago
This is the same stack as bug 1491530, so should have been fixed by the backout of bug 1490042.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Updated•6 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main64-]
Updated•5 years ago
Group: javascript-core-security