Closed
Bug 1003694
Opened 10 years ago
Closed 10 years ago
Assertion failure: snapshot_.numAllocationsRead() == numAllocations(), at jit/JitFrameIterator.h or Crash [@ js::jit::InlineFrameIteratorMaybeGC<(js::AllowGC)1>::findNextFrame]
Categories: Core :: JavaScript Engine: JIT, defect
Status: VERIFIED FIXED (target milestone: mozilla32)
Tracking | Status
---|---
firefox31 | unaffected
firefox32 | verified
firefox-esr24 | unaffected
People: Reporter: gkw, Assigned: nbp
Whiteboard: [fuzzblocker] [jsbugmon:update]
Attachments: 4 files
Description (Reporter) • 10 years ago

```js
(function() {
  function f(i) {
    var d = 3 + Math.abs()
    i ? 0 : f()
  }
  return f
}())()
```

asserts js debug shell on m-c changeset e19812f56952 with --ion-parallel-compile=off --ion-eager --ion-inlining=off at:

Assertion failure: snapshot_.numAllocationsRead() == numAllocations(), at jit/JitFrameIterator.h

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>

Comment 1 (Reporter) • 10 years ago
This is flooding jsfunfuzz results.
Whiteboard: [jsbugmon:update,bisect] → [fuzzblocker][jsbugmon:update,bisect]
Updated • 10 years ago
Whiteboard: [fuzzblocker][jsbugmon:update,bisect] → [fuzzblocker] [jsbugmon:update]
Comment 2 • 10 years ago

JSBugMon: Bisection requested, result:

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140429192012" and the hash "c0d658d3f739".
The "bad" changeset has the timestamp "20140429210107" and the hash "429d4d1f49e1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c0d658d3f739&tochange=429d4d1f49e1
Comment 3 (Assignee) • 10 years ago
I am not sure about the above regression range, but I am able to reproduce it after the landing of Bug 990106 patches, which is by the way adding this assertion.
Comment 4 (Assignee) • 10 years ago

Attachment #8415067 - Flags: review?(hv1989)
Updated • 10 years ago

Attachment #8415067 - Flags: review?(hv1989) → review+
Comment 5 (Assignee) • 10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/e0679448fd3b
Comment 6 • 10 years ago
Looks like a security bug to me. I'm getting various crashes [@ js::jit::InlineFrameIteratorMaybeGC<(js::AllowGC)1>::findNextFrame] with bad reads.
Group: core-security
Crash Signature: [@ js::jit::InlineFrameIteratorMaybeGC<(js::AllowGC)1>::findNextFrame]
Summary: Assertion failure: snapshot_.numAllocationsRead() == numAllocations(), at jit/JitFrameIterator.h → Assertion failure: snapshot_.numAllocationsRead() == numAllocations(), at jit/JitFrameIterator.h or Crash [@ js::jit::InlineFrameIteratorMaybeGC<(js::AllowGC)1>::findNextFrame]
Comment 7 • 10 years ago

Updated (Assignee) • 10 years ago
status-firefox31: --- → unaffected
status-firefox32: --- → affected
Comment 8 • 10 years ago
Comment 9 (Reporter) • 10 years ago

(In reply to Nicolas B. Pierron [:nbp] from comment #3)
> I am not sure about the above regression range, but I am able to reproduce
> it after the landing of Bug 990106 patches, which is by the way adding this
> assertion.

Yes, that sounds right: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   180713:8a3e7ed0c4c1
user:        Nicolas B. Pierron
date:        Tue Apr 29 10:17:52 2014 -0700
summary:     Bug 990106 part 4 - Recover Add and DCE unused additions. r=h4writer,jandem
Comment 10 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/e0679448fd3b
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Updated • 10 years ago
Status: RESOLVED → VERIFIED
Comment 11 • 10 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 10 years ago

status-firefox-esr24: --- → unaffected
Updated • 10 years ago

Comment 12 • 10 years ago
JSBugMon: This bug has been automatically verified fixed on Fx32
Updated • 10 years ago
Group: core-security