Closed
Bug 1516406
Opened 5 years ago
Closed 5 years ago
Crash [@ JSScript::bodyScope] with dumpScopeChain
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla66
Release | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox64 | --- | wontfix
firefox65 | --- | wontfix
firefox66 | --- | fixed
People
(Reporter: gkw, Assigned: jandem)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 1ff40219367b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

```js
// jsfunfuzz-generated
valueOf = async function(){ +this; dumpScopeChain(b => 1); }
// Adapted from randomly chosen tests js/src/tests/test262/built-ins/Array/prototype/splice/S15.4.4.12_A4_T2.js
var x;
// jsfunfuzz-generated
+this;
```

Backtrace:

```
#0 JSScript::bodyScope (this=0x0) at js/src/vm/JSScript.h:2380
#1 DumpScopeChain (cx=0x7f1eeb718000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:7611
#2 0x000055d4cd5ff830 in CallJSNative (cx=0x7f1eeb718000, native=0x55d4cd566160 <DumpScopeChain(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:443
#3 0x000055d4cd5efd4d in js::InternalCallOrConstruct (cx=0x7f1eeb718000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:535
#4 0x000055d4cd5e694f in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:594
#5 Interpret (cx=<optimized out>, state=...) at js/src/vm/Interpreter.cpp:3320
/snip
```

For detailed crash information, see attachment.
Reporter
Comment 1 • 5 years ago

Reporter
Comment 2 • 5 years ago
Due to skipped revisions, the first bad revision could be any of:

```
changeset: https://hg.mozilla.org/mozilla-central/rev/0ab0d909476f
user: Richard Pospesel <richard>
date: Wed Apr 18 13:41:00 2018 +0300
summary: Bug 859782 - Firefox cannot start without /proc (chroot) r=sphink

changeset: https://hg.mozilla.org/mozilla-central/rev/363cc3b4dd41
user: André Bargull
date: Thu Apr 19 10:46:49 2018 +0200
summary: Bug 1453922: Add fast path for non-negative int32 values to ToIndex. r=jandem

changeset: https://hg.mozilla.org/mozilla-central/rev/ff7588bba148
user: Jan de Mooij
date: Thu Apr 19 13:02:00 2018 +0200
summary: Bug 1064316 - Rewrite check_macroassembler_style.py to use os.walk instead of looking at the repo data. r=nbp

changeset: https://hg.mozilla.org/mozilla-central/rev/2f7d0134b221
user: Jan de Mooij
date: Thu Apr 19 13:04:46 2018 +0200
summary: Bug 1452982 part 14 - Rename 'active thread' to 'main thread'. r=jonco

changeset: https://hg.mozilla.org/mozilla-central/rev/292f8e5c6336
user: Jan de Mooij
date: Thu Apr 19 13:06:12 2018 +0200
summary: Bug 1452982 part 15 - Rename some constants. r=jonco

changeset: https://hg.mozilla.org/mozilla-central/rev/cf2687e4e96e
user: Jan de Mooij
date: Thu Apr 19 13:14:18 2018 +0200
summary: Bug 1452602 - Mark some shell functions as fuzzing-safe. r=jonco

changeset: https://hg.mozilla.org/mozilla-central/rev/22ed5e1657aa
user: Margareta Eliza Balazs
date: Thu Apr 19 14:26:20 2018 +0300
summary: Backed out changeset 0ab0d909476f (bug 859782) for bustage in builds/worker/workspace/build/src/js/src/util/NativeStack.cpp on a CLOSED TREE
```

Jan, is bug 1452602 a likely regressor?
Blocks: 1452602
Flags: needinfo?(jdemooij)
Assignee
Comment 3 • 5 years ago
Yeah this is just a silly bug in DumpScopeChain.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Assignee
Comment 4 • 5 years ago
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1612587e16bd
Fix DumpScopeChain to propagate exceptions from JSFunction::getOrCreateScript correctly. r=iain
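The defect behind this bug is a common one: a fallible call (here JSFunction::getOrCreateScript, which returns null and leaves an exception pending when it fails) whose result was used without a check, so the failure surfaced as a null dereference in JSScript::bodyScope instead of as a propagated error. The following is an added illustration of that pattern and its fix, not code from the SpiderMonkey tree: Context, Function, Script, getOrCreateScript and dumpScopeChain are stand-in names that model the shape of the real code, and the failCompile knob is a constructed way to force the failure path.

```cpp
// Added example: check-and-propagate for a fallible call that returns null
// with an exception pending. All names here are stand-ins modelled on the
// bug's description, not SpiderMonkey's real types or functions.
#include <cassert>
#include <memory>
#include <string>

struct Scope { std::string kind; };
struct Script { Scope body; };

// Models a JSContext: records that a call failed and an error is pending.
struct Context {
    bool pendingException = false;
    std::string exceptionMessage;
    void reportError(const std::string& msg) {
        pendingException = true;
        exceptionMessage = msg;
    }
};

// Models a function whose script is created lazily and may fail to compile.
struct Function {
    std::unique_ptr<Script> script;
    bool failCompile = false;  // constructed knob to force the failure path

    // Models JSFunction::getOrCreateScript: returns the script, or nullptr
    // after reporting an error on cx.
    Script* getOrCreateScript(Context& cx) {
        if (script) return script.get();
        if (failCompile) {
            cx.reportError("failed to create script");  // constructed message
            return nullptr;
        }
        script.reset(new Script{Scope{"function"}});
        return script.get();
    }
};

// The buggy shape, as the backtrace shows it (JSScript::bodyScope called
// with this=0x0), was equivalent to:
//     Script* script = fun.getOrCreateScript(cx);
//     ... script->body ...        // null dereference when creation failed
//
// Corrected shape: test the result, and if it is null return false so the
// caller sees the already-pending exception instead of a crash.
bool dumpScopeChain(Context& cx, Function& fun, std::string* out) {
    Script* script = fun.getOrCreateScript(cx);
    if (!script) {
        return false;  // error already reported on cx; propagate, don't touch script
    }
    *out = script->body.kind;
    return true;
}

// Constructed scenario: script creation succeeds, dump returns the body scope.
bool scenarioSuccess() {
    Context cx;
    Function fun;
    std::string out;
    bool ok = dumpScopeChain(cx, fun, &out);
    return ok && out == "function" && !cx.pendingException;
}

// Constructed scenario: script creation fails; the corrected function returns
// false with the exception left pending and never dereferences the null script.
bool scenarioFailurePropagated() {
    Context cx;
    Function fun;
    fun.failCompile = true;
    std::string out = "untouched";
    bool ok = dumpScopeChain(cx, fun, &out);
    return !ok && cx.pendingException && out == "untouched";
}
```

The two scenario functions exercise both paths; the second one is the shape of the fuzzer testcase above, where the call that should have produced a script reported an error instead.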
Comment 6 • 5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/1612587e16bd
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Updated • 5 years ago
status-firefox64:
--- → wontfix
status-firefox65:
--- → wontfix
status-firefox-esr60:
--- → unaffected
Flags: in-testsuite+