Closed
Bug 1207413
Opened 9 years ago
Closed 9 years ago
Crash [@ js::TypeSet::unionSets]
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, target milestone mozilla44

| | Tracking | Status |
|---|---|---|
| firefox44 | --- | fixed |

People: Reporter: decoder, Assigned: bbouvier
References: Blocks 1 open bug
Details: Keywords: crash, regression, testcase; Whiteboard: [jsbugmon:update,ignore]
Crash Data
Attachments (1 file): patch (deleted), h4writer: review+ (Details | Diff | Splinter Review)
The following testcase crashes on mozilla-central revision f61c3cc0eb8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-offthread-compile=off --ion-eager):
```js
function first(a) {
  return a[0];
}
first([function() {}]);
first([function() {}]);
oomAfterAllocations(50);
first([function() {}]);
```
Backtrace:
```
Program received signal SIGSEGV, Segmentation fault.
js::TypeSet::unionSets (a=a@entry=0x0, b=0x7ffff3e1a1a8, alloc=alloc@entry=0x7ffff3d20c40) at js/src/vm/TypeInference.cpp:876
#0 js::TypeSet::unionSets (a=a@entry=0x0, b=0x7ffff3e1a1a8, alloc=alloc@entry=0x7ffff3d20c40) at js/src/vm/TypeInference.cpp:876
#1 0x000000000097ceb0 in js::jit::IonBuilder::computeHeapType (this=this@entry=0x7ffff3e021a8, objTypes=objTypes@entry=0x7ffff3e03248, id=...) at js/src/jit/IonBuilder.cpp:8772
#2 0x000000000097d70d in js::jit::IonBuilder::jsop_getelem_dense (this=0x7ffff3e021a8, obj=<optimized out>, index=<optimized out>, unboxedType=<optimized out>) at js/src/jit/IonBuilder.cpp:8830
#3 0x000000000097d9b9 in js::jit::IonBuilder::getElemTryDense (this=this@entry=0x7ffff3e021a8, emitted=emitted@entry=0x7fffffffcbd0, obj=obj@entry=0x7ffff3e031b0, index=index@entry=0x7ffff3e03440) at js/src/jit/IonBuilder.cpp:8434
#4 0x000000000098b9a9 in js::jit::IonBuilder::jsop_getelem (this=0x7ffff3e021a8) at js/src/jit/IonBuilder.cpp:8014
#5 0x00000000009a77e5 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff3e021a8, op=op@entry=JSOP_GETELEM) at js/src/jit/IonBuilder.cpp:1926
#6 0x00000000009a8920 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff3e021a8) at js/src/jit/IonBuilder.cpp:1506
#7 0x00000000009a8d65 in js::jit::IonBuilder::build (this=0x7ffff3e021a8) at js/src/jit/IonBuilder.cpp:905
#8 0x00000000009ab961 in js::jit::IonCompile (cx=cx@entry=0x7ffff6906800, script=script@entry=0x7ffff3f62230, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2031
#9 0x00000000009b155a in js::jit::Compile (cx=cx@entry=0x7ffff6906800, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2262
#10 0x00000000009b177e in js::jit::CanEnter (cx=cx@entry=0x7ffff6906800, state=...) at js/src/jit/Ion.cpp:2421
#11 0x00000000006b4f5d in js::RunScript (cx=cx@entry=0x7ffff6906800, state=...) at js/src/vm/Interpreter.cpp:680
#12 0x00000000006b5794 in js::Invoke (cx=cx@entry=0x7ffff6906800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:781
#13 0x00000000006b76b6 in js::Invoke (cx=cx@entry=0x7ffff6906800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffd958, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:818
#14 0x00000000008ffcda in js::jit::DoCallFallback (cx=0x7ffff6906800, frame=0x7fffffffd998, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffd948, res=...) at js/src/jit/BaselineIC.cpp:9361
#15 0x00007ffff7e54edf in ?? ()
[...]
#37 0x0000000000000000 in ?? ()
rax 0x7fffffffca68 140737488341608
rbx 0x2 2
rcx 0x2 2
rdx 0x7ffff3d20c40 140737284017216
rsi 0x7ffff3e1a1a8 140737285038504
rdi 0x0 0
rbp 0x7fffffffc9b0 140737488341424
rsp 0x7fffffffc970 140737488341360
r8 0xffffffffffb53694 -4901228
r9 0x0 0
r10 0x1 1
r11 0x1 1
r12 0x7ffff3d20c40 140737284017216
r13 0x0 0
r14 0x7ffff3e1a1a8 140737285038504
r15 0x7ffff3f5b700 140737286354688
rip 0x79d92a <js::TypeSet::unionSets(js::TypeSet*, js::TypeSet*, js::LifoAlloc*)+26>
=> 0x79d92a <js::TypeSet::unionSets(js::TypeSet*, js::TypeSet*, js::LifoAlloc*)+26>: mov (%rdi),%r15d
   0x79d92d <js::TypeSet::unionSets(js::TypeSet*, js::TypeSet*, js::LifoAlloc*)+29>: or (%rsi),%r15d
```
Comment 1 (Assignee) • 9 years ago
Two callers of TypeSet::unionSets didn't check the returned values.
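The failure mode behind comment 1 and the `a=0x0` frame in the backtrace, as an added example that is not SpiderMonkey code: an allocator that fails after a fixed number of allocations (the same idea as `oomAfterAllocations(50)` in the testcase), a simplified `unionSets` that returns `nullptr` when that allocation fails, and two callers, one that dereferences the result unconditionally and one that propagates the failure so the compilation can be abandoned instead of crashing. `FallibleAlloc`, `checkedHeapType`, `uncheckedHeapType` and the flags-bitmask `TypeSet` are all hypothetical simplifications introduced for this example.

```cpp
// Added example (not SpiderMonkey code): checking a fallible allocation
// result instead of dereferencing it blindly.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Hypothetical, heavily simplified TypeSet: just a bitmask of observed types.
struct TypeSet {
    uint32_t flags;
};

// Hypothetical stand-in for a LifoAlloc-style arena: hands out TypeSets until a
// budget of allocations is spent, then reports OOM by returning nullptr.
class FallibleAlloc {
  public:
    explicit FallibleAlloc(std::size_t budget) : remaining_(budget) {}

    TypeSet* newTypeSet(uint32_t flags) {
        if (remaining_ == 0)
            return nullptr;  // simulated out-of-memory
        --remaining_;
        owned_.push_back(std::unique_ptr<TypeSet>(new TypeSet{flags}));
        return owned_.back().get();
    }

  private:
    std::size_t remaining_;
    std::vector<std::unique_ptr<TypeSet>> owned_;  // keeps results alive
};

// Union of two sets, allocated from `alloc`. A nullptr result means the
// allocation failed; the contents of `a` and `b` are untouched in that case.
TypeSet* unionSets(const TypeSet* a, const TypeSet* b, FallibleAlloc& alloc) {
    return alloc.newTypeSet(a->flags | b->flags);
}

// The unchecked pattern: every intermediate union is dereferenced on the next
// iteration, so one failed allocation turns `acc` into nullptr and the next
// call reads through it (a null pointer dereference, as in the bug's backtrace).
// Kept here only to show the shape of the bug; safe only when `alloc` cannot fail.
uint32_t uncheckedHeapType(const std::vector<const TypeSet*>& sets,
                           FallibleAlloc& alloc) {
    const TypeSet* acc = sets[0];
    for (std::size_t i = 1; i < sets.size(); ++i)
        acc = unionSets(acc, sets[i], alloc);
    return acc->flags;
}

// The corrected pattern: the result of every fallible call is checked and the
// failure is reported to the caller, which can then abort the compilation.
bool checkedHeapType(const std::vector<const TypeSet*>& sets,
                     FallibleAlloc& alloc, uint32_t* out) {
    if (sets.empty())
        return false;
    const TypeSet* acc = sets[0];
    for (std::size_t i = 1; i < sets.size(); ++i) {
        TypeSet* merged = unionSets(acc, sets[i], alloc);
        if (!merged)
            return false;  // propagate OOM instead of dereferencing nullptr
        acc = merged;
    }
    *out = acc->flags;
    return true;
}

int main() {
    TypeSet s1{1}, s2{2}, s3{4};
    std::vector<const TypeSet*> sets{&s1, &s2, &s3};

    FallibleAlloc enough(2);       // two unions fit in the budget
    uint32_t merged = 0;
    bool ok = checkedHeapType(sets, enough, &merged);  // ok == true, merged == 7

    FallibleAlloc starved(1);      // second union hits the simulated OOM
    bool survived = checkedHeapType(sets, starved, &merged);  // survived == false
    return (ok && !survived) ? 0 : 1;
}
```

With the budget of 1, `checkedHeapType` returns false after the second union fails, while `uncheckedHeapType` on the same input would dereference the null result. The fix described in comment 1 is exactly this difference: treating a null return from `unionSets` as an error to propagate rather than as a valid set.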
Comment 2 • 9 years ago

Comment on attachment 8664741 [details] [diff] [review]
1207413.patch

Review of attachment 8664741 [details] [diff] [review]:
-----------------------------------------------------------------

Good find

Attachment #8664741 - Flags: review?(hv1989) → review+
Updated • 9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 4 • 9 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "bad" changeset has the timestamp "20150923081616" and the hash "4a7d755389226c95e9e53fabda254ba6586ee5dc".
The "good" changeset has the timestamp "20150923082126" and the hash "016b66704e01984b876c007722f67d5a0da24e43".
Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4a7d755389226c95e9e53fabda254ba6586ee5dc&tochange=016b66704e01984b876c007722f67d5a0da24e43
Updated • 9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 5 • 9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 001942e4617b).
Comment 6 • 9 years ago
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44