Crash [@ js::PutEscapedStringImpl] with findReferences

RESOLVED DUPLICATE of bug 708261

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 6 years ago
Modified: 5 years ago

People

(Reporter: decoder, Unassigned)

Tracking

Blocks: 1 bug
Version: Trunk
Platform: x86_64 Linux
Keywords: crash, testcase
Bug flags: in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-needed, crash signature)

Description (Reporter, 6 years ago)

The following test crashes on mozilla-central revision cb70391c86d9 (options -m -n -a):

function C() {}
findReferences(C.prototype);

The first bad revision is:
changeset:   81282:e414b516fd92
user:        Brian Hackett
date:        Sat Oct 29 19:45:51 2011 -0700
summary:     Fix misuse of shape->slot() in debugging code, bug 690396.

Because findReferences is shell only and the change was in debug-only code, I assume this is not S-s.

Backtrace:

(gdb) bt
#0  0x00000000005932ae in js::PutEscapedStringImpl (buffer=0x0, bufferSize=199, fp=0x0, str=0x7ffff60069c0, quote=0) at /srv/repos/mozilla-central/js/src/jsstr.cpp:4169
#1  0x000000000041303a in js::PutEscapedString (
    buffer=0xbc2180 "\\u6040\\uF600\\u7FFF\\x00\\x01\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\u5020\\uF600\\u7FFF\\x00\\u3060\\uF600\\u7FFF\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\", size=200, str=0x7ffff60069c0, quote=0) at ../../jsstr.h:323
#2  0x00000000004bbd60 in js::gc::PrintPropertyId (
    buf=0xbc2180 "\\u6040\\uF600\\u7FFF\\x00\\x01\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\u5020\\uF600\\u7FFF\\x00\\u3060\\uF600\\u7FFF\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\", bufsize=200, propid=..., label=0x76f4d2 "getter")
    at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:683
#3  0x00000000004bbea8 in js::gc::PrintPropertyGetterOrSetter (trc=0x7fffffffc840, 
    buf=0xbc2180 "\\u6040\\uF600\\u7FFF\\x00\\x01\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\u5020\\uF600\\u7FFF\\x00\\u3060\\uF600\\u7FFF\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\", bufsize=200) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:699
#4  0x000000000041a6da in HeapReverser::getEdgeDescription (this=0x7fffffffc840) at /srv/repos/mozilla-central/js/src/shell/jsheaptools.cpp:341
#5  0x000000000041a290 in HeapReverser::traverseEdge (this=0x7fffffffc840, cell=0x7ffff600a600, kind=JSTRACE_OBJECT) at /srv/repos/mozilla-central/js/src/shell/jsheaptools.cpp:278
#6  0x000000000041bfbf in HeapReverser::traverseEdgeWithThis (tracer=0x7fffffffc840, cell=0x7ffff600a600, kind=JSTRACE_OBJECT)
    at /srv/repos/mozilla-central/js/src/shell/jsheaptools.cpp:254
#7  0x00000000004bf03d in js::gc::Mark<JSObject> (trc=0x7fffffffc840, thing=0x7ffff600a600) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:141
#8  0x00000000004ba741 in js::gc::MarkObjectWithPrinterUnbarriered (trc=0x7fffffffc840, obj=0x7ffff600a600, 
    printer=0x4bbe19 <js::gc::PrintPropertyGetterOrSetter(JSTracer*, char*, size_t)>, arg=0x7ffff6001a18, index=0) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:194
#9  0x00000000004bcc35 in js::gc::MarkChildren (trc=0x7fffffffc840, base=0x7ffff6001a18) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:959
#10 0x00000000004bd33b in js::TraceChildren (trc=0x7fffffffc840, thing=0x7ffff6001a18, kind=JSTRACE_BASE_SHAPE) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:1101
#11 0x000000000043507d in JS_TraceChildren (trc=0x7fffffffc840, thing=0x7ffff6001a18, kind=JSTRACE_BASE_SHAPE) at /srv/repos/mozilla-central/js/src/jsapi.cpp:2324
#12 0x000000000041a57c in HeapReverser::reverseHeap (this=0x7fffffffc840) at /srv/repos/mozilla-central/js/src/shell/jsheaptools.cpp:315
#13 0x000000000041aeed in FindReferences (cx=0xb2b930, argc=1, vp=0x7ffff63fb090) at /srv/repos/mozilla-central/js/src/shell/jsheaptools.cpp:598
#14 0x0000000000502883 in js::CallJSNative (cx=0xb2b930, native=0x41adbf <FindReferences(JSContext*, uintN, jsval*)>, args=...) at ../jscntxtinlines.h:297
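
The "first bad revision" block above is in the format `hg bisect` prints once it has narrowed the range. The driver script below is an added example, not part of this bug report or of the SpiderMonkey tree: it is the kind of `hg bisect --command` hook that reproduces that result by rebuilding the shell at each candidate revision, running the testcase with the reporter's options (-m -n -a), and mapping the outcome onto the exit codes hg bisect consumes (0 = good, 125 = skip this revision, any other non-zero = bad). A process killed by a signal (exit status 128 or above, 139 for SIGSEGV) counts as a crash. The build command, the shell binary path, the `bisect.sh` file name and the `testcase.js` name are assumptions; the known-good starting revision is not given in the report and must be supplied by whoever runs it.

```shell
#!/bin/sh
# Added example (not from the bug report): hg bisect driver for a JS shell crash.
#
# Assumed usage (revision cb70391c86d9 is the bad one from the report; the good
# revision is not on the page and is a placeholder):
#   hg bisect --reset
#   hg bisect --bad cb70391c86d9
#   hg bisect --good <known-good-revision>
#   hg bisect --command 'sh bisect.sh --run'
#
# BUILD_CMD and JS below are assumptions about the local build layout.

# classify_run CMD [ARG...]
# Runs CMD and returns 0 if the process was killed by a signal (exit status
# 128 or above, e.g. 139 for SIGSEGV, 134 for SIGABRT), 1 if it exited normally.
classify_run() {
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    [ "$status" -ge 128 ]
}

# bisect_step BUILD_CMD JS_BINARY TESTCASE
# Returns the exit code hg bisect --command expects:
#   0   the shell ran the testcase to completion (good revision)
#   1   the shell died by a signal (bad revision)
#   125 the revision does not build (skip it)
bisect_step() {
    build_cmd=$1
    js=$2
    testcase=$3
    if ! sh -c "$build_cmd" >/dev/null 2>&1; then
        return 125
    fi
    if classify_run "$js" -m -n -a "$testcase"; then
        return 1
    fi
    return 0
}

# Stand-alone use: write the testcase from the report and run one bisect step.
if [ "${1:-}" = "--run" ]; then
    cat >testcase.js <<'EOF'
function C() {}
findReferences(C.prototype);
EOF
    # Both defaults are assumptions about where the debug shell is built.
    bisect_step "${BUILD_CMD:-make -C js/src/build-debug -j8}" \
                "${JS:-./js/src/build-debug/js}" testcase.js
    exit $?
fi
```

Because a shell-only, debug-only crash like this one is a plain null dereference rather than a controlled memory write, the classifier only needs to distinguish "died by signal" from "exited"; if the bisected range contains revisions where the shell hangs instead of crashing, wrap the `classify_run` invocation in a timeout so the bisection does not stall on them.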

Updated (6 years ago)

Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 708261
Comment 2 (Reporter, 5 years ago)

A testcase for this bug was already added in the original bug (bug 708261).
Flags: in-testsuite-