Closed Bug 677963 Opened 13 years ago Closed 8 years ago

Assertion failure: hasfp(), at ../vm/Stack.h:1470 // Crash [@ js::StackSegment::fp]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update,verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore])

The following code asserts on mozilla-inbound (revision 609f37c36bd7, options -j -m):

// Reduced fuzzer testcase; run under the SpiderMonkey shell with -j -m.
// gczeal() is a shell-only debugging builtin that forces very frequent GC.
gczeal(2);
function testInt8Array(L) {
    // Inside the constructor `f` is the still-undefined outer variable, so
    // `new` yields the fresh object and the assignment below targets it.
    var f = new function() {
        return f;
    }(8);
    f[0] = 0;
}
for (var i = 0; i < 86; i++) {
    testInt8Array(0);
}

Stepping through the assert crashes with a null-pointer deref.
Crash Signature: [@ js::StackSegment::fp] → [@ js::StackSegment::fp] [@ js::TraceRecorder::snapshot]
This reproduces on release/beta branches but not on aurora (where TI landed). Is this a TM specific bug that is obsolete with TI landing?
Keywords: crash
Christian, can you verify that this no longer reproduces on anything we care about?
Whiteboard: js-triage-needed → [jsbugmon:update,reconfirm,bisectfix]
Whiteboard: [jsbugmon:update,reconfirm,bisectfix] → [jsbugmon:update,reconfirm,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 90857937b601).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   76118:1f767f82d1c3
parent:      76117:3a7425b96230
parent:      74257:f262c389193e
user:        Brian Hackett
date:        Fri Aug 12 07:20:08 2011 -0700
summary:     Merge MC -> JM

This iteration took 1.956 seconds to run.

Oops! We didn't test rev 3a7425b96230, a parent of the blamed revision! Let's do that now.
We did not test rev 3a7425b96230 because it is not a descendant of either 609f37c36bd7 or 90857937b601.
Rev 3a7425b96230: Found cached shell...    Testing... [Uninteresting] It didn't crash. (0.205 seconds)
good (not interesting) 
Bisect lied to us! Parent rev 3a7425b96230 was also good!

Oops! We didn't test rev f262c389193e, a parent of the blamed revision! Let's do that now.
Rev f262c389193e: Updating... Compiling... Testing... Exit status: CRASHED signal 6 (SIGABRT) (0.300 seconds)
bad (interesting) 
As expected, the parent's label is the opposite of the blamed rev's label.

Perhaps we should expand the search to include the common ancestor of the blamed changeset's parents.
The common ancestor of 3a7425b96230 and f262c389193e is a0e3c589c8fa.
Rev a0e3c589c8fa: Found cached shell...    Testing... Exit status: CRASHED signal 6 (SIGABRT) (0.304 seconds)
bad (interesting) 
The following line is still under testing:
Try setting -s to a0e3c589c8fa, and -e to 90857937b601, and re-run autoBisect.
Whiteboard: [jsbugmon:update,reconfirm,ignore] → [jsbugmon:update,verify-branch=mozilla-aurora;mozilla-beta;mozilla-release]
Whiteboard: [jsbugmon:update,verify-branch=mozilla-aurora;mozilla-beta;mozilla-release] → [jsbugmon:update,verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore]
JSBugMon: The testcase found in this bug does not reproduce on branch mozilla-aurora (tried revision 8ee98cea0f22).
JSBugMon: The testcase found in this bug does not reproduce on branch mozilla-beta (tried revision 31675d03cc9b).
JSBugMon: The testcase found in this bug does not reproduce on branch mozilla-release (tried revision 07a1a7543c6e).
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 90857937b601).
Assignee: general → nobody
5 years old, the simple test WFM.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME