Closed
Bug 1037672
Opened 8 years ago
Closed 8 years ago
Assertion failure: strcmp((const char*) stack_[*size_].label(), str) == 0, at vm/SPSProfiler.cpp:199 or Crash on Heap
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1026485
| Tracking | Status | |
|---|---|---|
| firefox33 | --- | affected |
People
(Reporter: decoder, Assigned: djvj)
Details
(4 keywords, Whiteboard: [jsbugmon:ignore])
Attachments
(1 file)
|
576 bytes,
text/plain
|
Details |
The following testcase asserts on mozilla-central revision e1a037c085d1 (run with --fuzzing-safe):
var summary = '';
var actual = '';
function TestCase(n, d, e, a)
this.expect = e;
for (var optionName in options.initvalues) {}
var lfcode = new Array();
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("4");
lfcode.push("enableSPSProfiling()");
lfcode.push("");
lfcode.push("\
function reportCompare(expected, actual, description) {}\
expect = 1;\
function test(... e5) {\
try {\
p = [1].some(function (y) test()) ? 4 : 0x0041\
} catch(e) {}\
reportCompare(expect, actual, summary)\
}\
test();\
TestCase();\
test()\
");
lfcode.push("");
while (true) {
var file = lfcode.shift(); if (file == undefined) { break; }
loadFile(file)
}
function loadFile(lfVarx) {
try {
if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
switch (lfRunTypeId) {
default: evaluate(lfVarx, { noScriptRval : true, compileAndGo : true }); break;
}
} else if (!isNaN(lfVarx)) {
lfRunTypeId = parseInt(lfVarx);
}
} catch (lfVare) {}
}
|
Reporter | |
Comment 1•8 years ago
|
||
The test might require multiple runs to reproduce, so automated bisection won't work. Needinfo from djvj because this seems to be related to profiling.
status-firefox33:
--- → affected
Flags: needinfo?(kvijayan)
Keywords: crash
Whiteboard: [jsbugmon:ignore]
|
|
Reporter | |
Comment 2•8 years ago
|
||
|
||
Comment 3•8 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #1) > The test might require multiple runs to reproduce, so automated bisection > won't work. Needinfo from djvj because this seems to be related to profiling. Maybe rr can help here.
|
Assignee | |
Comment 4•8 years ago
|
||
Managed to replicate this. Yet another "strange sequence of stack manipulations leading to stack mismatch". I'm working on this in-between other bugs since it's a profiler-only issue.
Assignee: nobody → kvijayan
Flags: needinfo?(kvijayan)
|
|
Assignee | |
Comment 5•8 years ago
|
||
Reduced testcase that still fails:
var summary = '';
var actual = '';
function TestCase(n, d, e, a)
this.expect = e;
for (var optionName in options.initvalues) {}
var lfcode = new Array();
lfcode.push("4");
lfcode.push("enableSPSProfilingWithSlowAssertions()");
lfcode.push("\
function reportCompare(expected, actual, description) {}\
expect = 1;\
function test(... e5) {\
try {\
p = [1].some(function (y) test()) ? 4 : 0x0041\
} catch(e) {}\
reportCompare(expect, actual, summary)\
}\
test();\
TestCase();\
test()\
");
while (true) {
var file = lfcode.shift(); if (file == undefined) { break; }
loadFile(file)
}
function loadFile(lfVarx) {
try {
if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
evaluate(lfVarx, { noScriptRval : true, compileAndGo : true });
} else if (!isNaN(lfVarx)) {
lfRunTypeId = parseInt(lfVarx);
}
} catch (lfVare) {}
}
|
||
Comment 6•8 years ago
|
||
sec-moderate because a malicious page can't trigger the profiler themselves.
Keywords: sec-moderate
|
|
Assignee | |
Comment 7•8 years ago
|
||
This is a dup of bug 1026485 - for which the fix landed 1 day after the revision where this bug report manifests: https://hg.mozilla.org/integration/mozilla-inbound/rev/394a87a6450f
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1026485
|
||
Updated•7 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•