Crash [@ js::EncapsulatedPtr] or Opt-Crash [@ js::jit::Compile] with setObjectMetadataCallback

RESOLVED WORKSFORME

Status

Core
JavaScript Engine: JIT
--
critical
RESOLVED WORKSFORME
4 years ago
2 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
x86_64
Linux
crash, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
The following testcase crashes on mozilla-central revision 23bd0deec359 (threadsafe build, run with --fuzzing-safe --thread-count=2 --ion-parallel-compile=on --ion-eager):


function callback(obj) {}
setObjectMetadataCallback(callback);
w = new callback();
(Reporter)

Comment 1

4 years ago
Created attachment 817067 [details]
[crash-signature] Machine-readable crash signature

Comment 2

Brian, this is a setObjectMetadataCallback issue I think.

We trigger an off-thread compilation here: jit::CanEnter -> CreateThisForFunction -> fun_resolve -> ShellObjectMetadataCallback -> jit::Compile.

Then we return to jit::CanEnter and crash in Compile because script->ion == ION_COMPILING_SCRIPT...
Flags: needinfo?(bhackett1024)
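
The call order described in the comment above, reduced to a stand-alone C++ model. This is an added example, not part of the bug thread and not SpiderMonkey code: Script, compile and the canEnter* functions are hypothetical names, and it assumes the caller decided to compile before the callback ran.

```cpp
// Simplified model of the re-entrancy in comment 2. Not SpiderMonkey source:
// every name here is hypothetical; only the call order comes from the comment.
#include <cstdint>
#include <cstdio>
#include <functional>

struct IonCode {};
// Sentinel for "a compile is in flight", modelled on ION_COMPILING_SCRIPT.
static IonCode* const COMPILING = reinterpret_cast<IonCode*>(uintptr_t(2));

struct Script { IonCode* ion = nullptr; };  // nullptr: no Ion code yet

enum class Status { Started, Skipped, ReenteredWhileCompiling };

// Starts a compile. Precondition: none is already in flight for this script.
Status compile(Script& s) {
    if (s.ion == COMPILING)
        return Status::ReenteredWhileCompiling;  // the state the crash was hit in
    s.ion = COMPILING;
    return Status::Started;
}

using MetadataCallback = std::function<void(Script&)>;

// Before: decide, run the embedder callback (as object creation does via
// the metadata hook), then act on the now stale decision.
Status canEnterStale(Script& s, const MetadataCallback& onNewObject) {
    bool needsCompile = (s.ion == nullptr);
    onNewObject(s);  // may call compile() on the same script
    return needsCompile ? compile(s) : Status::Skipped;
}

// After: re-read the script state once the callback has returned.
Status canEnterRechecked(Script& s, const MetadataCallback& onNewObject) {
    onNewObject(s);
    if (s.ion != nullptr)
        return Status::Skipped;  // a compile is already owned elsewhere
    return compile(s);
}

int main() {
    MetadataCallback reenter = [](Script& s) { compile(s); };
    Script a, b;
    bool stale = canEnterStale(a, reenter) == Status::ReenteredWhileCompiling;
    bool safe = canEnterRechecked(b, reenter) == Status::Skipped;
    std::printf("stale path re-entered: %d, rechecked path skipped: %d\n", stale, safe);
    return (stale && safe) ? 0 : 1;
}
```
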

Comment 3

This should be fixed by bug 950118.
Flags: needinfo?(bhackett1024)

Comment 4

4 years ago
(In reply to Brian Hackett (:bhackett) from comment #3)
> This should be fixed by bug 950118.

true?
Crash Signature: [@ js::EncapsulatedPtr] or Opt-Crash [@ js::jit::Compile] → [@ js::EncapsulatedPtr] [@ js::jit::Compile]
Flags: needinfo?(choller)
(Reporter)

Updated

4 years ago
Flags: needinfo?(choller)
Whiteboard: [jsbugmon:update,reconfirm,bisectfix]
(Reporter)

Updated

4 years ago
Crash Signature: [@ js::EncapsulatedPtr] [@ js::jit::Compile] → [@ js::EncapsulatedPtr] [@ js::jit::Compile]
Whiteboard: [jsbugmon:update,reconfirm,bisectfix] → [jsbugmon:reconfirm,bisectfix]
(Reporter)

Comment 5

4 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
(Reporter)

Comment 6

4 years ago
Haven't seen this in a while and it should be fixed according to comment 3, marking WFM.
Status: NEW → RESOLVED
Crash Signature: [@ js::EncapsulatedPtr] [@ js::jit::Compile] → [@ js::EncapsulatedPtr] [@ js::jit::Compile]
Last Resolved: 4 years ago
Resolution: --- → WORKSFORME
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:reconfirm,bisectfix]

Comment 7

2 years ago
Hello Christian!

Got this one in Nightly

Report ID 	Date Submitted
bp-a90fb719-30f9-43d2-bcad-616422151030 	10/30/2015 12:42 PM


Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	js::jit::Compile 	js/src/jit/Ion.cpp
1 	xul.dll 	js::jit::CanEnter(JSContext*, js::RunState&) 	js/src/jit/Ion.cpp
2 	xul.dll 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
3 	xul.dll 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
4 	xul.dll 	js::fun_apply(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
5 		@0x18d54e42 	

Shall I reopen this bug, file a new one or just ignore the crash until I have reproducible steps?

Thanks!
Alex
status-firefox44: --- → affected
Flags: needinfo?(choller)
(Reporter)

Comment 8

2 years ago
Your bug is probably different to this one; the crash signature you are seeing is very generic. If you manage to find a testcase/steps to reproduce, please file a new bug.

¡Thanks!
status-firefox44: affected → ---
Flags: needinfo?(choller)