Bug 1054241 - Crash [@ js::jit::JitFrameIterator::operator++] with setObjectMetadataCallback
Status: Closed (opened 10 years ago, closed 10 years ago)
Categories: Core :: JavaScript Engine: JIT, defect
Resolution: VERIFIED FIXED
Target Milestone: mozilla34
Branch | Tracking | Status
---|---|---
firefox33 | --- | unaffected
firefox34 | --- | verified
firefox-esr31 | --- | unaffected
b2g-v1.4 | --- | unaffected
b2g-v2.0 | --- | unaffected
People: Reporter: decoder, Assigned: nbp
Keywords: crash, sec-moderate, testcase; Whiteboard: [jsbugmon:update]
Attachments (2 files):
- 431 bytes, text/plain
- 1.51 KB, patch (bhackett1024: review+)
The following testcase crashes on mozilla-central revision c9f8cc9ce89c (run with --no-threads --fuzzing-safe --ion-eager):
setObjectMetadataCallback(true);
(function(){
    for(;;) {
        try {
            var a = new Array(5);
            throw 1;
        } catch(e) {}
    }
})();
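The description gives a reproduction recipe (shell flags plus testcase) but no way to tell a real crash apart from a timeout or an assertion failure when re-running it, which is what matters when verifying a fix like this one. The script below is an added example, not part of the bug report or of the SpiderMonkey tree: it writes the reporter's testcase to a file, runs it under the same flags, and classifies the exit status. It assumes `JS_SHELL` points at a SpiderMonkey shell binary, that coreutils `timeout` is available (the testcase loops forever once the crash is fixed, so a bound is required), and the file name `bug1054241.js` is chosen here.

```shell
#!/bin/sh
# Added example: reproduce and classify the testcase from the bug description.
# Assumptions (not from the bug page): JS_SHELL is a SpiderMonkey shell binary,
# coreutils `timeout` exists, TIMEOUT_SECS bounds the run (the loop is infinite
# once the crash no longer happens).
JS_SHELL="${JS_SHELL:-js}"
JS_FLAGS="--no-threads --fuzzing-safe --ion-eager"   # flags named in the report
TIMEOUT_SECS="${TIMEOUT_SECS:-30}"

# Map an exit status to a triage verdict. Status 124 is `timeout` reporting a
# timeout; a status above 128 means the process died from signal (status-128).
classify_exit_status() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "clean exit"
    elif [ "$status" -eq 124 ]; then
        echo "timed out after ${TIMEOUT_SECS}s (no crash observed)"
    elif [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        case "$sig" in
            11) echo "crash: SIGSEGV ($sig)" ;;
            6)  echo "crash: SIGABRT ($sig), typically an assertion failure" ;;
            7)  echo "crash: SIGBUS ($sig)" ;;
            4)  echo "crash: SIGILL ($sig), often a deliberate trap" ;;
            *)  echo "crash: signal $sig" ;;
        esac
    else
        echo "non-zero exit $status (uncaught exception or usage error)"
    fi
}

# Write the reporter's testcase (copied from the description) to the given path.
write_testcase() {
    cat > "$1" <<'EOF'
setObjectMetadataCallback(true);
(function(){
    for(;;) {
        try {
            var a = new Array(5);
            throw 1;
        } catch(e) {}
    }
})();
EOF
}

# Run one testcase file under the shell, print the verdict, return the status.
run_testcase() {
    file="$1"
    timeout "$TIMEOUT_SECS" "$JS_SHELL" $JS_FLAGS "$file" >/dev/null 2>&1
    status=$?
    echo "$file: $(classify_exit_status "$status")"
    return "$status"
}

# Invoke as `sh triage.sh run` to actually execute the shell; with no argument
# the script only defines the functions above.
if [ "${1:-}" = "run" ]; then
    write_testcase bug1054241.js
    run_testcase bug1054241.js
fi
```

On a build containing changeset 9bdc7649cc78 without the fix, the verdict is the SIGSEGV line; on a fixed build the infinite loop is cut off by `timeout` and reported as "timed out", which is the expected outcome for this particular testcase rather than a failure of the harness.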
Comment 1 (Reporter, 10 years ago)

Comment 2 (Reporter, 10 years ago):
Opt-crash trace:
Program received signal SIGSEGV, Segmentation fault.
js::jit::JitFrameIterator::operator++ (this=0x7fffffffb238) at js/src/jit/IonFrames.cpp:313
313 frameSize_ = prevFrameLocalSize();
#0 js::jit::JitFrameIterator::operator++ (this=0x7fffffffb238) at js/src/jit/IonFrames.cpp:313
#1 0x00000000008b2be0 in js::FrameIter::settleOnActivation (this=0x7fffffffb1e0) at js/src/vm/Stack.cpp:573
#2 0x000000000044ecf2 in ScriptFrameIter (this=0x7fffffffb1e0, savedOption=js::FrameIter::STOP_AT_SAVED, cx=0x1670a40) at js/src/vm/Stack.h:1688
#3 NonBuiltinScriptFrameIter (opt=js::FrameIter::STOP_AT_SAVED, cx=0x1670a40, this=0x7fffffffb1e0) at js/src/vm/Stack.h:1780
#4 ShellObjectMetadataCallback (cx=0x1670a40, pmetadata=0x7fffffffb730) at js/src/builtin/TestingFunctions.cpp:1174
#5 0x0000000000985c57 in callObjectMetadataCallback (obj=0x7fffffffb730, cx=0x1670a40, this=<optimized out>) at js/src/jscompartment.h:355
#6 NewObjectMetadata (pmetadata=0x7fffffffb730, cxArg=0x1670a40) at js/src/jsobjinlines.h:1064
#7 NewArray<true> (protoArg=<optimized out>, newKind=js::GenericObject, length=5, cxArg=0x1670a40) at js/src/jsarray.cpp:3209
r12 0xba1 2977
=> 0x617db9 <js::jit::JitFrameIterator::operator++()+25>: mov 0x8(%r12),%rbp
Crash doesn't look like a null-deref, marking s-s based on that until triaged.
Whiteboard: [jsbugmon:update,bisect]
Updated (Reporter, 10 years ago):
status-firefox34: --- → affected

Updated (Reporter, 10 years ago):
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3 (Reporter, 10 years ago):
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9bdc7649cc78
user: Nicolas B. Pierron
date: Mon Aug 04 07:18:40 2014 -0700
summary: Bug 1040027 part 2 - IonMonkey: Recover MNewArray. r=jandem
This iteration took 648.176 seconds to run.
Comment 4 (Reporter, 10 years ago):
Needinfo from nbp based on comment 3 :)
Flags: needinfo?(nicolas.b.pierron)
Comment 5 (Assignee, 10 years ago):
This is the same issue as Bug 1006899; apparently I forgot to add it back in this patch when I fixed it in the tree.
Comment 6 (Assignee, 10 years ago):
Attachment #8474736 - Flags: review?(bhackett1024)
Updated (Assignee, 10 years ago):
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)

Updated (10 years ago):
Keywords: sec-moderate

Updated (10 years ago):
Attachment #8474736 - Flags: review?(bhackett1024) → review+
Comment 7 (Assignee, 10 years ago):
This issue is caused by Bug 1040027, which added this code as part of changeset 9bdc7649cc78.
status-firefox33: --- → unaffected
Comment 8 (Assignee, 10 years ago)

Comment 9 (10 years ago):
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Updated (Reporter, 10 years ago):
Status: RESOLVED → VERIFIED
Comment 10 (Reporter, 10 years ago):
JSBugMon: This bug has been automatically verified fixed.
Updated (10 years ago):
Group: core-security
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → unaffected
status-firefox-esr31: --- → unaffected