Closed
Bug 783421
Opened 12 years ago
Closed 12 years ago
Crash [@ js::mjit::JITScript::chunkIndex] or [@ js::mjit::Recompiler::patchFrame] or "Assertion failure: found,"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla17
| Tracking | Status | |
|---|---|---|
| firefox14 | --- | unaffected |
| firefox15 | --- | unaffected |
| firefox16 | --- | unaffected |
| firefox17 | --- | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Assigned: billm)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker][jsbugmon:update,reconfirm] qa-)
Attachments
(3 files)
gc()
var p = n
function m() {
return function(f, code, t) {
try {
evalcx(code, newGlobal())
} catch (e) {}
}
}
function n() {
f()
}
function h(code) {
f = Function(code)
p(f, code, true)
}
h("\
p=m();\
gcPreserveCode();\
gcslice(7);\
")
h("\"\"")
h("")
h("gc()")
h("")
h("")
h("gczeal(4,2)")
asserts js debug shell on m-c changeset 50e4ff05741e with -m, -n and -a at Assertion failure: found, when the testcase is passed in as a CLI argument, and a variant crashes at js::mjit::JITScript::chunkIndex with js::mjit::Recompiler::patchFrame on the stack
s-s because this involves gc but inspection of the registers seems to indicate that this is a null crash.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 102448:07f21ec5d516
user: Bill McCloskey
date: Wed Aug 15 10:39:48 2012 -0700
summary: Bug 781390 - Make barrier verifier testing work better with the methodjit (r=bhackett)
|
Assignee | |
Updated•12 years ago
|
Assignee: general → wmccloskey
|
Reporter | |
Comment 1•12 years ago
|
||
Setting [fuzzblocker] because this is happening very very often.
p = n
function m(sandboxType) {
switch (sandboxType) {
default:
a = newGlobal()
}
return function(f, code, t) {
try {
evalcx(code, a)
} catch (e) {}
}
}
function n() {
f()
}
function h(code) {
f = Function(code)
p(f, code, true)
}
h("p=m()")
h("f=function(){};delete[\"\"]")
h("this+''")
h("''")
h("(1 in f)")
h("gczeal(4)")
is the other testcase that crashes instead.|
|
Reporter | |
Comment 2•12 years ago
|
||
Other assertions like: Assertion failure: thing, Assertion failure: thing->compartment(), Assertion failure: bi->aliased(), I'm going to temporarily assume that this is the same bug because this is overflowing my logs...
|
|
Reporter | |
Comment 3•12 years ago
|
||
Assertion failure: bi->aliased(), is actually bug 783441.
status-firefox-esr10:
--- → unaffected
status-firefox14:
--- → unaffected
status-firefox15:
--- → unaffected
status-firefox16:
--- → unaffected
status-firefox17:
--- → affected
|
||
Comment 4•12 years ago
|
||
Also seeing this with varying signatures, would be very nice to have this fixed quickly for fuzzing.
Whiteboard: [fuzzblocker] → [fuzzblocker][jsbugmon:update]
|
|
Assignee | |
Comment 5•12 years ago
|
||
Sorry, stupid bug. I forgot that ClearAllFrames looks at the current needsBarrier()/compileBarriers() value. And the value of compileBarriers() is affected by the GC zeal. So we need to ClearAllFrames before updating the zeal or else it will try to purge the wrong stuff.
Attachment #652830 -
Flags: review?(dvander)
|
|
||
Updated•12 years ago
|
Attachment #652830 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 6•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/26c1570f162a
Group: core-security
|
||
Comment 7•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/26c1570f162a
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
|
||
Updated•12 years ago
|
Since this has a testcase, nominating it for in-testsuite.
Flags: in-testsuite?
|
||
Comment 9•12 years ago
|
||
I've tried several times, but I couldn't reproduce this bug. I will try on a different machine.
|
|
||
Updated•12 years ago
|
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker][jsbugmon:update,reconfirm]
|
|
||
Comment 10•12 years ago
|
||
Setting this to "qa?" and removing "verifyme" for the time being. Could I get some more info on how to reproduce this bug please?
Keywords: verifyme
Whiteboard: [fuzzblocker][jsbugmon:update,reconfirm] → [fuzzblocker][jsbugmon:update,reconfirm] qa?
|
|
Reporter | |
Comment 11•12 years ago
|
||
You'll have to compile a shell from m-c changeset 50e4ff05741e in comment 0 with the shell flags specified. If you cannot reproduce with a 64-bit shell, try using the configure options in bug 781343 comment 2 to get a 32-bit shell to get it to reproduce.
|
|
||
Comment 12•12 years ago
|
||
While trying to build Firefox on Ubuntu 12.04 (which is up-to-date), I get the following error: http://pastebin.mozilla.org/1929133 Could you please help me solve this?
|
|
Reporter | |
Comment 13•12 years ago
|
||
> Could you please help me solve this?
You need to first install "ia32-libs gcc-multilib g++-multilib" via apt-get, I think.|
|
||
Comment 14•12 years ago
|
||
Even after using the command you suggested: sudo apt-get install ia32-libs-multiarch gcc-multilib g++-multilib (only using "ia32-libs" didn't seem to work), I still receive the same error as in comment 26, when running the configure command in comment 2.
|
|
||
Comment 15•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
|
|
||
Comment 16•11 years ago
|
||
According to the automated test provided in comment 15, marking this [qa-].
Whiteboard: [fuzzblocker][jsbugmon:update,reconfirm] qa? → [fuzzblocker][jsbugmon:update,reconfirm] qa-
You need to log in
before you can comment on or make changes to this bug.
Description
•