Closed
Bug 1164532
Opened 10 years ago
Closed 10 years ago
Assertion failure: !isInList(), at js/src/jsweakmap.cpp:42 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1165966
Tracking | Status | |
---|---|---|
firefox41 | --- | affected |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision 62d9b117c688 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):
var g = newGlobal("ar-u-nu-arab", this);
function attach(g, i) {
var dbg = Debugger(g);
oomAfterAllocations(10);
}
for (var i = 0; i < 3; i++)
attach(g, i);
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000b99098 in js::WeakMapBase::~WeakMapBase (this=0x7ffff695db40, __in_chrg=<optimized out>) at js/src/jsweakmap.cpp:42
#0 0x0000000000b99098 in js::WeakMapBase::~WeakMapBase (this=0x7ffff695db40, __in_chrg=<optimized out>) at js/src/jsweakmap.cpp:42
#1 0x0000000000644e4e in ~WeakMap (this=0x7ffff695db40, __in_chrg=<optimized out>) at js/src/jsweakmap.h:111
#2 ~DebuggerWeakMap (this=0x7ffff695db40, __in_chrg=<optimized out>) at js/src/vm/Debugger.h:65
#3 js::Debugger::~Debugger (this=0x7ffff695d800, __in_chrg=<optimized out>) at js/src/vm/Debugger.cpp:388
#4 0x00000000006524eb in js_delete<js::Debugger> (p=0x7ffff695d800) at ../../dist/include/js/Utility.h:238
#5 operator() (this=<optimized out>, ptr=0x7ffff695d800) at ../../dist/include/js/Utility.h:329
#6 reset (aPtr=0x0, this=<synthetic pointer>) at ../../dist/include/mozilla/UniquePtr.h:308
#7 ~UniquePtr (this=<synthetic pointer>, __in_chrg=<optimized out>) at ../../dist/include/mozilla/UniquePtr.h:253
#8 js::Debugger::construct (cx=0x7ffff691b4e0, argc=1, vp=0x7ffff51e9140) at js/src/vm/Debugger.cpp:3113
#9 0x000000000067a652 in js::CallJSNative (cx=0x7ffff691b4e0, native=0x652060 <js::Debugger::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#10 0x000000000066ad73 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:727
#11 0x0000000000664907 in Interpret (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:2955
#12 0x000000000066a843 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:677
#13 0x0000000000674efe in js::ExecuteKernel (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:902
#14 0x0000000000677139 in js::Execute (cx=cx@entry=0x7ffff691b4e0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:942
#15 0x0000000000a64f09 in ExecuteScript (cx=cx@entry=0x7ffff691b4e0, obj=..., scriptArg=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4160
#16 0x0000000000a650cb in JS_ExecuteScript (cx=cx@entry=0x7ffff691b4e0, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4182
#17 0x00000000004258cb in RunFile (compileOnly=false, file=0x7ffff699e400, filename=0x7fffffffdfc9 "min.js", cx=0x7ffff691b4e0) at js/src/shell/js.cpp:468
#18 Process (cx=cx@entry=0x7ffff691b4e0, filename=0x7fffffffdfc9 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:598
#19 0x000000000047140b in ProcessArgs (op=0x7fffffffda40, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:5802
#20 Shell (envp=<optimized out>, op=0x7fffffffda40, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:6071
#21 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6393
rax 0x0 0
rbx 0x7ffff695d800 140737330403328
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffc390 140737488339856
rsp 0x7fffffffc300 140737488339712
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffc0c0 140737488339136
r11 0x7ffff6c27960 140737333328224
r12 0x7ffff695d800 140737330403328
r13 0x7ffff695db40 140737330404160
r14 0x0 0
r15 0x7ffff51e9158 140737305809240
rip 0xb99098 <js::WeakMapBase::~WeakMapBase()+856>
=> 0xb99098 <js::WeakMapBase::~WeakMapBase()+856>: movl $0x2a,0x0
0xb990a3 <js::WeakMapBase::~WeakMapBase()+867>: callq 0x48ec30 <abort()>
Comment 1•10 years ago
|
||
Sorry for another NI request but according to decoder this one also blocks OOM testing, and I don't know who else is familiar with weakmaps.
Here Debugger::init() OOms, so we call ~Debugger -> ... -> ~WeakMapBase, where we assert the weakmap is not in the list.
The Debugger object has various weakmaps and I think Debugger::init() will add them to the list, but I'm not sure how this unlinking is supposed to work... Is that usually done in WeakMapBase::sweepCompartment? Or somewhere else?
Should we unlink the debugger's weakmaps in ~Debugger?
Flags: needinfo?(terrence)
Flags: needinfo?(jcoppeard)
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 2•10 years ago
|
||
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user: Jan de Mooij
date: Thu Jul 24 11:56:43 2014 +0200
summary: Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett
changeset: https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user: Jan de Mooij
date: Thu Jul 24 11:56:45 2014 +0200
summary: Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium
This iteration took 72.604 seconds to run.
Comment 3•10 years ago
|
||
This is fixed by the patch in bug 1165966.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(terrence)
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•