Closed Bug 1298570 Opened 9 years ago Closed 9 years ago

Crash [@ js::Sprinter::putString]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla51
Tracking Flags:
Tracking Status
firefox51 --- fixed

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

Detailed Crash Information
27.92 KB, text/plain
Details
Check result of getArg when decompiling.
831 bytes, patch
efaust
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision a551f534773c (build with --enable-debug --32, run with --fuzzing-safe --no-threads --no-baseline --no-ion): oomTest(function([]){}) Backtrace: 0 js-dbg-32-clang-darwin-a551f534773c 0x00aa31b0 js::Sprinter::putString(JSString*) + 32 (String.h:331) 1 js-dbg-32-clang-darwin-a551f534773c 0x008705fb (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*) + 2923 (jsopcode.cpp:1309) 2 js-dbg-32-clang-darwin-a551f534773c 0x00848807 js::DecompileValueGenerator(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, int) + 1319 (jsopcode.cpp:1458) 3 js-dbg-32-clang-darwin-a551f534773c 0x0079d60a js::ReportIsNullOrUndefined(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>) + 74 (jscntxt.cpp:805) 4 js-dbg-32-clang-darwin-a551f534773c 0x0085b05d js::ToObjectSlow(JSContext*, JS::Handle<JS::Value>, bool) + 109 (jsobj.cpp:3195) 5 js-dbg-32-clang-darwin-a551f534773c 0x00a56393 js::GetElementOperation(JSContext*, JSOp, JS::MutableHandle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) + 403 (RootingAPI.h:687) /snip For detailed crash information, see attachment.
Due to skipped revisions, the first bad revision could be any of: changeset: https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d user: Shu-yu Guo date: Thu Aug 25 01:28:47 2016 -0700 summary: Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo) changeset: https://hg.mozilla.org/mozilla-central/rev/18bec78f348e user: Shu-yu Guo date: Thu Aug 25 01:28:47 2016 -0700 summary: Bug 1263355 - Report memory metrics for Scopes. (r=njn) Shu-yu, is bug 1263355 a likely regressor?
Blocks: 1263355
Flags: needinfo?(shu)
Flags: needinfo?(shu)
Comment on attachment 8785533 [details] [diff] [review] Check result of getArg when decompiling. Review of attachment 8785533 [details] [diff] [review]: ----------------------------------------------------------------- No objections to this. I could also imagine making it a common property name, so that we didn't have to atomize. Shu is right, though, that this should be "fairly uncommon".
Attachment #8785533 - Flags: review?(efaustbmo) → review+
Pushed by shu@rfrn.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/6c65ad93a66d Check result of getArg when decompiling. (r=efaust)
https://hg.mozilla.org/mozilla-central/rev/6c65ad93a66d
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox51: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: