Closed Bug 1586165 Opened 5 years ago Closed 5 years ago

member call on null pointer of type 'js::jit::IonScriptCounts' in js/src/vm/JSScript.cpp:1504

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla71
Tracking Flags:
Tracking Status
firefox71 --- fixed

People

(Reporter: tsmith, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined)

Attachments

(1 file)

Bug 1586165 - Null check ionCounts_ before calling sizeOfIncludingThis on it. r?nbp!
(deleted), text/x-phabricator-request
Details

This is triggered with an UBSan build. To enable this check add the following to your mozconfig:

ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="null"
ac_add_options --disable-jemalloc

REFTEST TEST-START | file://tests/reftest/tests/dom/media/test/crashtests/1411322.html
REFTEST TEST-LOAD | file://tests/reftest/tests/dom/media/test/crashtests/1411322.html | 638 / 3833 (16%)
src/js/src/vm/JSScript.cpp:1504:22: runtime error: member call on null pointer of type 'js::jit::IonScriptCounts'
    #0 0x7f84487cc621 in js::ScriptCounts::sizeOfIncludingThis(unsigned long (*)(void const*)) src/js/src/vm/JSScript.cpp:1504:22
    #1 0x7f844919cdc1 in JS::Zone::addSizeOfIncludingThis(unsigned long (*)(void const*), unsigned long*, unsigned long*, unsigned long*, unsigned long*, unsigned long*, unsigned long*, unsigned long*, unsigned long*, unsigned long*, unsigned long*, unsigned long*, unsigned long*) src/js/src/gc/Zone.cpp:619:30
    #2 0x7f84487f417b in StatsZoneCallback(JSRuntime*, void*, JS::Zone*) src/js/src/vm/MemoryMetrics.cpp:222:9
    #3 0x7f8449165bb7 in js::IterateHeapUnbarriered(JSContext*, void*, void (*)(JSRuntime*, void*, JS::Zone*), void (*)(JSContext*, void*, JS::Handle<JS::Realm*>), void (*)(JSRuntime*, void*, js::gc::Arena*, JS::TraceKind, unsigned long), void (*)(JSRuntime*, void*, void*, JS::TraceKind, unsigned long)) src/js/src/gc/PublicIterators.cpp:56:5
    #4 0x7f84487efcd5 in CollectRuntimeStatsHelper(JSContext*, JS::RuntimeStats*, JS::ObjectPrivateVisitor*, bool, void (*)(JSRuntime*, void*, void*, JS::TraceKind, unsigned long)) src/js/src/vm/MemoryMetrics.cpp:649:3
    #5 0x7f843e7df7ec in xpc::JSReporter::CollectReports(nsDataHashtable<nsUint64HashKey, nsTString<char> >*, nsDataHashtable<nsUint64HashKey, nsTString<char> >*, nsIHandleReportCallback*, nsISupports*, bool) src/js/xpconnect/src/XPCJSRuntime.cpp:2360:8
    #6 0x7f843ff7139c in nsWindowMemoryReporter::CollectReports(nsIHandleReportCallback*, nsISupports*, bool) src/dom/base/nsWindowMemoryReporter.cpp:576:3
    #7 0x7f843caeb870 in operator() src/xpcom/base/nsMemoryReporterManager.cpp:1864:19
    #8 0x7f843caeb870 in mozilla::detail::RunnableFunction<nsMemoryReporterManager::DispatchReporter(nsIMemoryReporter*, bool, nsIHandleReportCallback*, nsISupports*, bool)::$_0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:564
    #9 0x7f843cc7779f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #10 0x7f843cc80de6 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #11 0x7f843ddb8c0f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #12 0x7f843dcd6617 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #13 0x7f843dcd6617 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #14 0x7f843dcd6617 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #15 0x7f844441e6e1 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #16 0x7f8447fc7f7d in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #17 0x7f843dcd6617 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #18 0x7f843dcd6617 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #19 0x7f843dcd6617 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #20 0x7f8447fc74ad in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #21 0x561d2f74ce79 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #22 0x561d2f74d1b9 in main src/browser/app/nsBrowserApp.cpp:272:18
    #23 0x7f845e17682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #24 0x561d2f66ee38 in _start (application/firefox/firefox+0x95e38)

IonScriptCounts::sizeOfIncludingThis is doing weird stuff. I'll fix.

Flags: needinfo?(jdemooij)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1cf96914dd19 Null check ionCounts_ before calling sizeOfIncludingThis on it. r=nbp

https://hg.mozilla.org/mozilla-central/rev/1cf96914dd19

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox71: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: