Closed
Bug 1233158
Opened 9 years ago
Closed 9 years ago
Assertion failure: bi->aliased(), at js/src/jsscript.cpp:176 or Crash [@ js::CloseIterator] or Crash [@ js::ObjectGroup::sweep] with parseModule
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox46 | --- | wontfix |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])
The following testcase crashes on mozilla-central revision 749f9328dd76 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):
parseModule("for (let b in []) for (var k ; ; k);")
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000977562 in js::Bindings::initWithTemporaryStorage (cx=cx@entry=0x7ffff6907400, self=..., self@entry=..., numArgs=<optimized out>, numVars=<optimized out>, numBodyLevelLexicals=<optimized out>, numBlockScoped=<optimized out>, numUnaliasedVars=1, numUnaliasedBodyLevelLexicals=0, bindingArray=bindingArray@entry=0x7ffff69cf418, isModule=true) at js/src/jsscript.cpp:176
#0 0x0000000000977562 in js::Bindings::initWithTemporaryStorage (cx=cx@entry=0x7ffff6907400, self=..., self@entry=..., numArgs=<optimized out>, numVars=<optimized out>, numBodyLevelLexicals=<optimized out>, numBlockScoped=<optimized out>, numUnaliasedVars=1, numUnaliasedBodyLevelLexicals=0, bindingArray=bindingArray@entry=0x7ffff69cf418, isModule=true) at js/src/jsscript.cpp:176
#1 0x00000000004ebac5 in js::frontend::ParseContext<js::frontend::FullParseHandler>::generateBindings (this=this@entry=0x7fffffffb2f0, cx=0x7ffff6907400, ts=..., alloc=..., bindings=bindings@entry=...) at js/src/frontend/Parser.cpp:564
#2 0x00000000005096e1 in js::frontend::Parser<js::frontend::FullParseHandler>::standaloneModule (this=this@entry=0x7fffffffc180, module=..., module@entry=...) at js/src/frontend/Parser.cpp:988
#3 0x0000000000ba4030 in BytecodeCompiler::compileModule (this=this@entry=0x7fffffffbb10) at js/src/frontend/BytecodeCompiler.cpp:579
#4 0x0000000000ba461e in js::frontend::CompileModule (cx=cx@entry=0x7ffff6907400, obj=..., obj@entry=..., optionsInput=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:775
#5 0x0000000000490181 in ParseModule (cx=0x7ffff6907400, argc=<optimized out>, vp=0x7ffff46710a0) at js/src/shell/js.cpp:3341
#6 0x0000000000a7d572 in js::CallJSNative (cx=0x7ffff6907400, native=0x48fe60 <ParseModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6877
rax 0x0 0
rbx 0x7ffff6907400 140737330050048
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffb1b0 140737488335280
rsp 0x7fffffffb010 140737488334864
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffadd0 140737488334288
r11 0x7ffff6c27960 140737333328224
r12 0x7fffffffb060 140737488334944
r13 0x7fffffffb0e0 140737488335072
r14 0x1 1
r15 0x7fffffffb120 140737488335136
rip 0x977562 <js::Bindings::initWithTemporaryStorage(js::ExclusiveContext*, JS::MutableHandle<js::Bindings>, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, js::Binding const*, bool)+1858>
=> 0x977562 <js::Bindings::initWithTemporaryStorage(js::ExclusiveContext*, JS::MutableHandle<js::Bindings>, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, js::Binding const*, bool)+1858>: movl $0xb0,0x0
0x97756d <js::Bindings::initWithTemporaryStorage(js::ExclusiveContext*, JS::MutableHandle<js::Bindings>, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, js::Binding const*, bool)+1869>: callq 0x4a3db0 <abort()>
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•9 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/0773712473c9 user: Jon Coppeard date: Mon Aug 24 15:58:36 2015 +0100 summary: Bug 930414 - Hook up module environements, alising everything at top level for now r=shu This iteration took 200.686 seconds to run.
Jon, is bug 930414 a likely regressor?
Blocks: 930414
Flags: needinfo?(jcoppeard)
|
||
Comment 3•9 years ago
|
||
This will be fixed by the patches in bug 1233109.
Depends on: 1233109
Flags: needinfo?(jcoppeard)
|
Reporter | |
Updated•9 years ago
|
Summary: Assertion failure: bi->aliased(), at js/src/jsscript.cpp:176 with parseModule → Assertion failure: bi->aliased(), at js/src/jsscript.cpp:176 or Crash [@ js::CloseIterator] with parseModule
|
|
Reporter | |
Comment 4•9 years ago
|
||
Marking fuzzblocker. This bug seems to have many signatures.
Summary: Assertion failure: bi->aliased(), at js/src/jsscript.cpp:176 or Crash [@ js::CloseIterator] with parseModule → Assertion failure: bi->aliased(), at js/src/jsscript.cpp:176 or Crash [@ js::CloseIterator] or Crash [@ js::ObjectGroup::sweep] with parseModule
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
|
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update][fuzzblocker] → [fuzzblocker] [jsbugmon:update,ignore]
|
|
||
Comment 5•9 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 9d6ffc7a08b6).
|
||
Updated•9 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:bisectfix]
|
|
||
Updated•9 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:bisectfix] → [fuzzblocker][jsbugmon:bisectfix]
|
|
||
Updated•9 years ago
|
Whiteboard: [fuzzblocker][jsbugmon:bisectfix] → [fuzzblocker] [jsbugmon:]
|
|
||
Comment 6•9 years ago
|
||
JSBugMon: Fix Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "bad" changeset has the timestamp "20160105064937" and the hash "f18072a8592581df42c0be4f669151334757565c". The "good" changeset has the timestamp "20160105073330" and the hash "a110885c2b5b808c78cb695a2202d481dcb559fb". Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f18072a8592581df42c0be4f669151334757565c&tochange=a110885c2b5b808c78cb695a2202d481dcb559fb
Jon, is bug 1233109 a likely fix?
Flags: needinfo?(jcoppeard)
|
|
||
Comment 8•9 years ago
|
||
No longer fail. The assert was remove by bug 1233109.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → WORKSFORME
Setting FIXED by bug 1233109 since the fix is known.
Resolution: WORKSFORME → FIXED
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker][jsbugmon:update]
Too late for assertion fixes in 46.
You need to log in
before you can comment on or make changes to this bug.
Description
•