Closed
Bug 1096255
Opened 10 years ago
Closed 9 years ago
Assertion failure: pred->isLoopBackedge(), at c:\Users\mozilla\debug-builds\mozilla-central\js\src\jit/IonAnalysis.cpp:1918
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1118894
People
(Reporter: cbook, Unassigned)
References
()
Details
(Keywords: assertion)
Attachments
(1 file)
8.70 KB,
text/plain
|
Details |
found via bughunter on http://wallpaperswide.com/tom_clancys_splinter_cell_conviction-wallpapers.html Steps to reproduce: -> Load http://wallpaperswide.com/tom_clancys_splinter_cell_conviction-wallpapers.html in a Windows 7 Trunk Debug Build as example ---> Asssertion failure filing as sec bug just in case. Exploitable failed here: !exploitable 1.6.0.0 Exploitability Classification: UNKNOWN Recommended Bug Title: Possible Stack Corruption starting at xul!AssertReversePostorder+0x000000000000014e (Hash=0x5943b9bc.0x09a6d749) The stack trace contains one or more locations for which no symbol or module could be found. This may be a sign of stack corruption.
Updated•10 years ago
|
Component: JavaScript Engine → JavaScript Engine: JIT
Comment 1•10 years ago
|
||
Jan, can you look at this? It would be good to get somebody to investigate before the page changes. Also, how bad of an assertion is this?
Flags: needinfo?(jdemooij)
Comment 2•10 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #1) > Jan, can you look at this? It would be good to get somebody to investigate > before the page changes. Also, how bad of an assertion is this? I could reproduce it once with a m-c debug build from last week (Nov 10), but it no longer crashes with the same build, new profile etc. Tomcat had the same issue and suggested it may depend on a particular ad or something. I'll keep trying. CC'ing more people, it'd be great if somebody could repro this reliably...
Comment 3•10 years ago
|
||
According to the attachment, it asserts under AssertExtendedGraphCoherency after the MakeLoopsContiguous phase. The previous AssertExtendedGraphCoherency call after DCE apparently didn't assert. Forwarding so sunfish based on that...
Flags: needinfo?(jdemooij) → needinfo?(sunfish)
Comment 4•10 years ago
|
||
I am also unable to repro.
Comment 6•9 years ago
|
||
Looks like the fuzzers just found this too, bug 1118894 :)
Comment 7•9 years ago
|
||
I'm going to optimistically dupe this to the newer bug with a testcase. Although "worksforme" or "incomplete" might be equally valid destinations for this bug.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
|
Flags: needinfo?(sunfish)
Reporter | ||
Updated•9 years ago
|
Flags: needinfo?(cbook)
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•