Bug 1037672 (Closed)
Assertion failure: strcmp((const char*) stack_[*size_].label(), str) == 0, at vm/SPSProfiler.cpp:199 or Crash on Heap

Opened 8 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 1026485

| | Tracking | Status |
|---|---|---|
| firefox33 | --- | affected |

People: Reporter: decoder, Assigned: djvj
Details: 4 keywords, Whiteboard: [jsbugmon:ignore]
Attachments (1 file): 576 bytes, text/plain
The following testcase asserts on mozilla-central revision e1a037c085d1 (run with --fuzzing-safe):

```js
// Fuzzer-generated testcase for the SpiderMonkey JS shell (uses shell-only
// functions such as evaluate() and enableSPSProfiling()).
var summary = '';
var actual = '';
// Expression-closure function body (a SpiderMonkey-specific syntax extension).
function TestCase(n, d, e, a) this.expect = e;
for (var optionName in options.initvalues) {}
// Queue of snippets that loadFile() below either evaluates or treats as a run-type id.
var lfcode = new Array();
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("4");
lfcode.push("enableSPSProfiling()");
lfcode.push("");
lfcode.push("\
function reportCompare(expected, actual, description) {}\
expect = 1;\
function test(... e5) {\
try {\
p = [1].some(function (y) test()) ? 4 : 0x0041\
} catch(e) {}\
reportCompare(expect, actual, summary)\
}\
test();\
TestCase();\
test()\
");
lfcode.push("");
while (true) {
  var file = lfcode.shift();
  if (file == undefined) { break; }
  loadFile(file)
}
function loadFile(lfVarx) {
  try {
    if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
      switch (lfRunTypeId) {
        default:
          evaluate(lfVarx, { noScriptRval : true, compileAndGo : true });
          break;
      }
    } else if (!isNaN(lfVarx)) {
      lfRunTypeId = parseInt(lfVarx);
    }
  } catch (lfVare) {}
}
```
Comment 1 (Reporter, 8 years ago)
The test might require multiple runs to reproduce, so automated bisection won't work. Needinfo from djvj because this seems to be related to profiling.
status-firefox33: --- → affected
Flags: needinfo?(kvijayan)
Keywords: crash
Whiteboard: [jsbugmon:ignore]
Comment 2 (Reporter, 8 years ago)
Comment 3 (8 years ago)

(In reply to Christian Holler (:decoder) from comment #1)
> The test might require multiple runs to reproduce, so automated bisection
> won't work. Needinfo from djvj because this seems to be related to profiling.

Maybe rr can help here.
Comment 4 (Assignee, 8 years ago)
Managed to replicate this. Yet another "strange sequence of stack manipulations leading to stack mismatch". I'm working on this in-between other bugs since it's a profiler-only issue.
Assignee: nobody → kvijayan
Flags: needinfo?(kvijayan)
Comment 5 (Assignee, 8 years ago)
Reduced testcase that still fails:

```js
// Reduced SpiderMonkey JS shell testcase (shell-only functions: evaluate(),
// enableSPSProfilingWithSlowAssertions()).
var summary = '';
var actual = '';
// Expression-closure function body (a SpiderMonkey-specific syntax extension).
function TestCase(n, d, e, a) this.expect = e;
for (var optionName in options.initvalues) {}
var lfcode = new Array();
lfcode.push("4");
lfcode.push("enableSPSProfilingWithSlowAssertions()");
lfcode.push("\
function reportCompare(expected, actual, description) {}\
expect = 1;\
function test(... e5) {\
try {\
p = [1].some(function (y) test()) ? 4 : 0x0041\
} catch(e) {}\
reportCompare(expect, actual, summary)\
}\
test();\
TestCase();\
test()\
");
while (true) {
  var file = lfcode.shift();
  if (file == undefined) { break; }
  loadFile(file)
}
function loadFile(lfVarx) {
  try {
    if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
      evaluate(lfVarx, { noScriptRval : true, compileAndGo : true });
    } else if (!isNaN(lfVarx)) {
      lfRunTypeId = parseInt(lfVarx);
    }
  } catch (lfVare) {}
}
```
Comment 6 (8 years ago)
sec-moderate because a malicious page can't trigger the profiler itself.
Keywords: sec-moderate
Comment 7 (Assignee, 8 years ago)
This is a dup of bug 1026485 - for which the fix landed 1 day after the revision where this bug report manifests: https://hg.mozilla.org/integration/mozilla-inbound/rev/394a87a6450f
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1026485
Updated 7 years ago
Group: core-security → core-security-release
Updated 6 years ago
Group: core-security-release