Bug 743706
Opened 12 years ago
Closed 12 years ago
Crash [@ JSC::MacroAssemblerCodePtr::executableAddress]
Categories: Core :: JavaScript Engine, defect
RESOLVED DUPLICATE of bug 743088
Reporter: decoder, Unassigned
Keywords: crash, testcase; Whiteboard: js-triage-needed
The following test crashes on mozilla-central revision d0430a04d92a (options -m -n) with a chance of 10-30%:

var now = "now";
function MyDate() { addTestCase() || this, this; }
function UTCDateFromTime(t) { return ( MyDateFromTime(t) ); }
function MyDateFromTime( t ) { var d = new MyDate(); }
function addTestCase( startTime, setTime ) {
  var UTCDate = UTCDateFromTime ( Number(setTime) );
  (let ( offs = setTime.SECTION(TITLE.addTestCase + 3) ) test [ 1 ] );
}
addTestCase( now, -2208988800000 );

The crash does not reproduce in GDB or Valgrind for me, here is a crash trace from a core dump:

Program terminated with signal 11, Segmentation fault.
#0  0x000000000069301e in JSC::MacroAssemblerCodePtr::executableAddress (this=0x0) at ../assembler/assembler/MacroAssemblerCodeRef.h:150
150	    return m_value;
(gdb) bt
#0  0x000000000069301e in JSC::MacroAssemblerCodePtr::executableAddress (this=0x0) at ../assembler/assembler/MacroAssemblerCodeRef.h:150
#1  0x00000000006a673c in JSC::RepatchBuffer::RepatchBuffer (this=0x7fff93f31d40, ref=...) at ../assembler/assembler/RepatchBuffer.h:54
#2  0x00000000006a6b34 in js::mjit::ic::Repatcher::Repatcher (this=0x7fff93f31d40, js=0x0) at ../methodjit/ICRepatcher.h:64
#3  0x0000000000741e54 in CallCompiler::disable (this=0x7fff93f31e40) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:583
#4  0x0000000000743e31 in CallCompiler::update (this=0x7fff93f31e40) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:971
#5  0x00000000007440cf in js::mjit::ic::Call (f=..., ic=0x1fe65c8) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:1017
#6  0x00000000006a5dfc in JaegerTrampolineReturn ()
#7  0x00000000006a72a1 in js::mjit::EnterMethodJIT (cx=0x1fd7a80, fp=0x7fceeb17ee80, code=0x7fcef24c5eb8, stackLimit=0x7fceeb54b000, partial=true) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1052
#8  0x00000000006a751f in CheckStackAndEnterMethodJIT (cx=0x1fd7a80, fp=0x7fceeb17ee80, code=0x7fcef24c5eb8, partial=true) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1111
#9  0x00000000006a75e3 in js::mjit::JaegerShot (cx=0x1fd7a80, partial=true) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1123
#10 0x000000000050c2fd in js::Interpret (cx=0x1fd7a80, entryFrame=0x7fceeb17edf0, interpMode=js::JSINTERP_NORMAL) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinterp.cpp:2780
#11 0x000000000075bcfc in UncachedInlineCall (f=..., initial=js::INITIAL_NONE, pret=0x7fff93f32fe8, unjittable=0x7fff93f32ff0, argc=0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/InvokeHelpers.cpp:375
#12 0x000000000075c215 in js::mjit::stubs::UncachedCallHelper (f=..., argc=0, lowered=false, ucr=0x7fff93f32fe0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/InvokeHelpers.cpp:458
#13 0x0000000000743dfb in CallCompiler::update (this=0x7fff93f33070) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:959
#14 0x00000000007440cf in js::mjit::ic::Call (f=..., ic=0x1fe65c8) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:1017
#15 0x00007fcef24c5db2 in ?? ()
#16 0x00007fcef24c5eb8 in ?? ()
#17 0x0000000000000001 in ?? ()
#18 0x00007fff93f342e0 in ?? ()
#19 0x0000000000000000 in ?? ()

Marking this s-s because the bug is unstable (possible memory corruption) and also the crash signature is known for security problems.
Reporter, updated 12 years ago:
Crash Signature: [@ JSC::MacroAssemblerCodePtr::executableAddress]
Comment 1 • 12 years ago
Based on the stack, this is bug 743088, which is crashing trunk on tinderbox every 10 or so builds.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated 10 years ago:
Group: core-security