Closed
Bug 1037672
Opened 11 years ago
Closed 11 years ago
Assertion failure: strcmp((const char*) stack_[*size_].label(), str) == 0, at vm/SPSProfiler.cpp:199 or Crash on Heap
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED DUPLICATE of bug 1026485
Status: firefox33 affected
People: Reporter: decoder, Assigned: djvj
Details: 4 keywords, Whiteboard: [jsbugmon:ignore]
Attachments: 1 file (576 bytes, text/plain)
The following testcase asserts on mozilla-central revision e1a037c085d1 (run with --fuzzing-safe):
var summary = '';
var actual = '';
function TestCase(n, d, e, a)
this.expect = e;
for (var optionName in options.initvalues) {}
var lfcode = new Array();
lfcode.push("");
lfcode.push("");
lfcode.push("");
lfcode.push("4");
lfcode.push("enableSPSProfiling()");
lfcode.push("");
lfcode.push("\
function reportCompare(expected, actual, description) {}\
expect = 1;\
function test(... e5) {\
try {\
p = [1].some(function (y) test()) ? 4 : 0x0041\
} catch(e) {}\
reportCompare(expect, actual, summary)\
}\
test();\
TestCase();\
test()\
");
lfcode.push("");
while (true) {
var file = lfcode.shift(); if (file == undefined) { break; }
loadFile(file)
}
function loadFile(lfVarx) {
try {
if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
switch (lfRunTypeId) {
default: evaluate(lfVarx, { noScriptRval : true, compileAndGo : true }); break;
}
} else if (!isNaN(lfVarx)) {
lfRunTypeId = parseInt(lfVarx);
}
} catch (lfVare) {}
}
Comment 1 (Reporter, 11 years ago)
The test might require multiple runs to reproduce, so automated bisection won't work. Needinfo from djvj because this seems to be related to profiling.
status-firefox33: --- → affected
Flags: needinfo?(kvijayan)
Keywords: crash
Whiteboard: [jsbugmon:ignore]
Comment 2 (Reporter, 11 years ago)
Comment 3 (11 years ago)
(In reply to Christian Holler (:decoder) from comment #1)
> The test might require multiple runs to reproduce, so automated bisection
> won't work. Needinfo from djvj because this seems to be related to profiling.
Maybe rr can help here.
Comment 4 (Assignee, 11 years ago)
Managed to replicate this. Yet another "strange sequence of stack manipulations leading to stack mismatch".
I'm working on this in-between other bugs since it's a profiler-only issue.
Assignee: nobody → kvijayan
Flags: needinfo?(kvijayan)
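The assertion in the title compares the label of the pseudo-stack entry that was just popped (stack_[*size_].label()) with the profile string of the frame that claims to be exiting (str); comment 4 describes the failure as a sequence of enter/exit operations that leaves those two out of step. The following is an added example, not SpiderMonkey code: a small model of that bookkeeping in C++ whose exit() performs the same strcmp check but reports a mismatch instead of asserting, so the two ways the stack can go wrong (an entered frame whose exit is skipped, and a frame that exits twice) can be observed. The class and function names, the frame labels, and the treatment of entries beyond capacity are this example's assumptions.

```cpp
#include <cassert>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// A pseudo-stack entry: the sampler thread reads these label pointers, which is
// why a stale or mismatched entry is more than a bookkeeping error.
struct ProfileEntry {
    const char *label = nullptr;
};

// Model of the profiler's enter/exit bookkeeping (assumption: names and the
// handling of overflow past max_ are this example's, not the real profiler's).
class PseudoStack {
public:
    explicit PseudoStack(std::size_t max) : max_(max), size_(0), stack_(max) {}

    // Entering a script/function records its profile string at the current depth.
    void enter(const char *str) {
        if (size_ < max_) {
            stack_[size_].label = str;
        }
        ++size_;  // past capacity the depth is still counted, nothing is recorded
    }

    // Exiting pops one entry and, like the assertion in the bug title, compares
    // the popped label with the profile string of the frame that is exiting.
    // Returns false on mismatch instead of asserting so callers can observe it.
    bool exit(const char *str) {
        assert(size_ > 0 && "exit() without a matching enter()");
        --size_;
        if (size_ >= max_) {
            return true;  // this depth was never recorded, nothing to compare
        }
        bool ok = std::strcmp(stack_[size_].label, str) == 0;
        stack_[size_].label = nullptr;  // clear so the sampler cannot read a stale pointer
        return ok;
    }

    std::size_t size() const { return size_; }

private:
    std::size_t max_;
    std::size_t size_;
    std::vector<ProfileEntry> stack_;
};

// Illustrative frames for the reduced testcase: test() -> Array.prototype.some
// -> the anonymous callback -> test() again. Labels are constructed here.
static const char *const kFrames[] = {"test", "some", "<anon>", "test"};

// Balanced nesting: every exit names the frame entered last; all checks pass.
bool balancedSequence() {
    PseudoStack s(8);
    for (const char *f : kFrames) s.enter(f);
    bool ok = true;
    for (int i = 3; i >= 0; --i) ok = s.exit(kFrames[i]) && ok;
    return ok && s.size() == 0;
}

// Skipped exit: the innermost frame is abandoned (for instance unwound by an
// exception on a path that forgets to pop). The next exit pops the abandoned
// "test" entry while claiming to exit "<anon>", and the check fires there.
// Returns the label of the first exit that mismatched, or "" if none did.
std::string skippedExitMismatch() {
    PseudoStack s(8);
    for (const char *f : kFrames) s.enter(f);
    // exit("test") for the inner frame is deliberately missing here
    for (int i = 2; i >= 0; --i) {
        if (!s.exit(kFrames[i])) return kFrames[i];
    }
    return "";
}

// Double exit: one frame exits twice, so the second exit pops the caller's
// entry ("test") while claiming to exit "some".
std::string doubleExitMismatch() {
    PseudoStack s(8);
    s.enter("test");
    s.enter("some");
    if (!s.exit("some")) return "first";
    if (!s.exit("some")) return "second";
    return "";
}

// Caveat: depths beyond capacity are never recorded, so mismatches there go
// unnoticed; the check only resumes once the depth drops below capacity.
bool overflowHidesMismatch() {
    PseudoStack s(2);
    s.enter("a"); s.enter("b"); s.enter("c"); s.enter("d");
    bool hidden1 = s.exit("wrong");   // depth 4 -> 3: unrecorded, passes
    bool hidden2 = s.exit("wrong");   // depth 3 -> 2: unrecorded, passes
    bool caught = !s.exit("wrong");   // depth 2 -> 1: entry "b" recorded, mismatch
    return hidden1 && hidden2 && caught;
}
```

The model returns a bool where the real code asserts only in debug builds (the testcase enables slow assertions for that reason); the point for a practitioner is that an unbalanced enter/exit sequence is detectable only at the next exit that reaches a recorded depth, and that a skipped exit and an extra exit look identical to the check itself, which is why reducing the triggering script, as comment 5 does, is needed to tell them apart.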
Comment 5 (Assignee, 11 years ago)
Reduced testcase that still fails:
var summary = '';
var actual = '';
function TestCase(n, d, e, a)
this.expect = e;
for (var optionName in options.initvalues) {}
var lfcode = new Array();
lfcode.push("4");
lfcode.push("enableSPSProfilingWithSlowAssertions()");
lfcode.push("\
function reportCompare(expected, actual, description) {}\
expect = 1;\
function test(... e5) {\
try {\
p = [1].some(function (y) test()) ? 4 : 0x0041\
} catch(e) {}\
reportCompare(expect, actual, summary)\
}\
test();\
TestCase();\
test()\
");
while (true) {
var file = lfcode.shift(); if (file == undefined) { break; }
loadFile(file)
}
function loadFile(lfVarx) {
try {
if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
evaluate(lfVarx, { noScriptRval : true, compileAndGo : true });
} else if (!isNaN(lfVarx)) {
lfRunTypeId = parseInt(lfVarx);
}
} catch (lfVare) {}
}
Comment 6 (11 years ago)
sec-moderate because a malicious page can't trigger the profiler itself.
Keywords: sec-moderate
Comment 7 (Assignee, 11 years ago)
This is a dup of bug 1026485, for which the fix landed 1 day after the revision where this bug report manifests:
https://hg.mozilla.org/integration/mozilla-inbound/rev/394a87a6450f
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated 10 years ago: Group: core-security → core-security-release
Updated 9 years ago: Group: core-security-release