Closed
Bug 1102629
Opened 10 years ago
Closed 10 years ago
Crash [@ FromExecutable] or Crash with glibc-abort with TypedObject
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1102608
| Tracking | Status | |
|---|---|---|
| firefox36 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, sec-critical, testcase, Whiteboard: [jsbugmon:update,ignore])
Crash Data
The following testcase crashes on mozilla-central revision 134d1cfc5c9c (build with --disable-debug --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal, run with --fuzzing-safe --thread-count=2 --ion-eager):
var { uint8, uint32 } = TypedObject;
function test() {
var Uints = uint32.array(2000, 0, 1, 0, 0, 0, 0);
var Uint8s = uint8.array(1024);
var uint32s = new Uints();
(function(m) Uint8s.fromPar(uint32s, function(e) e + 1))();
}
test();
Backtrace:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 FromExecutable (buffer=<optimized out>)
at js/src/jit/IonCode.h:130
130 JitCode *code = *(JitCode **)(buffer - sizeof(JitCode *));
#0 FromExecutable (buffer=<optimized out>) at js/src/jit/IonCode.h:130
#1 jitCode (this=<optimized out>) at js/src/jit/BaselineIC.h:756
#2 markCode (name=0xae1d6b "baseline-stub-jitcode", trc=0x2c8ead0, this=this@entry=0x3361d68) at js/src/jit/BaselineIC.cpp:151
#3 js::jit::ICStub::trace (this=this@entry=0x3361d68, trc=trc@entry=0x2c8ead0) at js/src/jit/BaselineIC.cpp:168
#4 0x00000000005737db in js::jit::BaselineScript::trace (this=0x3362040, trc=0x2c8ead0) at js/src/jit/BaselineJIT.cpp:409
#5 0x000000000057382e in js::jit::BaselineScript::Trace (trc=<optimized out>, script=<optimized out>) at js/src/jit/BaselineJIT.cpp:426
#6 0x00000000005e49d6 in js::jit::TraceIonScripts (trc=<optimized out>, script=<optimized out>) at js/src/jit/Ion.cpp:3179
#7 0x00000000007578df in JSScript::markChildren (this=<optimized out>, trc=<optimized out>) at js/src/jsscript.cpp:3457
This test also crashes with glibc aborts (double-free/memory corruption), so assuming s-s and sec-critical.
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 1•10 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6309710dd71d). JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/cdfa7492569f user: Tim Taubert date: Fri Nov 07 14:56:30 2014 +0100 summary: Bug 1077652 - Simplify about:newtab page update mechanism and correct behavior to work better with preloading r=gijs This iteration took 286.226 seconds to run.
|
|
Reporter | |
Comment 2•10 years ago
|
||
Bisection is probably broken because this test is intermittent. Needinfo from bhackett because it might be related to one of the other failures we've been seeing with TypedObject.
Flags: needinfo?(bhackett1024)
|
||
Updated•10 years ago
|
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•