Closed
Bug 1054241
Opened 9 years ago
Closed 9 years ago
Crash [@ js::jit::JitFrameIterator::operator++] with setObjectMetadataCallback
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla34
Branch | Tracking | Status
---|---|---
firefox33 | --- | unaffected
firefox34 | --- | verified
firefox-esr31 | --- | unaffected
b2g-v1.4 | --- | unaffected
b2g-v2.0 | --- | unaffected
People
(Reporter: decoder, Assigned: nbp)
References
Details
(Keywords: crash, sec-moderate, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files)
Attachment 1: 431 bytes, text/plain
Attachment 2: 1.51 KB, patch; bhackett1024: review+
The following testcase crashes on mozilla-central revision c9f8cc9ce89c (run with --no-threads --fuzzing-safe --ion-eager):

    // Install the shell's object-metadata callback; it walks the script
    // frames on every object allocation (frames #4-#7 in the trace below).
    setObjectMetadataCallback(true);
    (function(){
      for(;;) {
        // Each new Array(5) allocation invokes the callback from inside Ion code.
        try{ var a = new Array(5); throw 1; } catch(e) {}
      }
    })();
Reporter
Comment 1•9 years ago

Reporter
Comment 2•9 years ago
Opt-crash trace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::JitFrameIterator::operator++ (this=0x7fffffffb238) at js/src/jit/IonFrames.cpp:313
313         frameSize_ = prevFrameLocalSize();
#0  js::jit::JitFrameIterator::operator++ (this=0x7fffffffb238) at js/src/jit/IonFrames.cpp:313
#1  0x00000000008b2be0 in js::FrameIter::settleOnActivation (this=0x7fffffffb1e0) at js/src/vm/Stack.cpp:573
#2  0x000000000044ecf2 in ScriptFrameIter (this=0x7fffffffb1e0, savedOption=js::FrameIter::STOP_AT_SAVED, cx=0x1670a40) at js/src/vm/Stack.h:1688
#3  NonBuiltinScriptFrameIter (opt=js::FrameIter::STOP_AT_SAVED, cx=0x1670a40, this=0x7fffffffb1e0) at js/src/vm/Stack.h:1780
#4  ShellObjectMetadataCallback (cx=0x1670a40, pmetadata=0x7fffffffb730) at js/src/builtin/TestingFunctions.cpp:1174
#5  0x0000000000985c57 in callObjectMetadataCallback (obj=0x7fffffffb730, cx=0x1670a40, this=<optimized out>) at js/src/jscompartment.h:355
#6  NewObjectMetadata (pmetadata=0x7fffffffb730, cxArg=0x1670a40) at js/src/jsobjinlines.h:1064
#7  NewArray<true> (protoArg=<optimized out>, newKind=js::GenericObject, length=5, cxArg=0x1670a40) at js/src/jsarray.cpp:3209
r12            0xba1    2977
=> 0x617db9 <js::jit::JitFrameIterator::operator++()+25>:    mov    0x8(%r12),%rbp

Crash doesn't look like a null-deref, marking s-s based on that until triaged.
Whiteboard: [jsbugmon:update,bisect]
Reporter
Updated•9 years ago
status-firefox34: --- → affected

Reporter
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Reporter
Comment 3•9 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9bdc7649cc78
user:      Nicolas B. Pierron
date:      Mon Aug 04 07:18:40 2014 -0700
summary:   Bug 1040027 part 2 - IonMonkey: Recover MNewArray. r=jandem

This iteration took 648.176 seconds to run.
Reporter
Comment 4•9 years ago
Needinfo from nbp based on comment 3 :)
Flags: needinfo?(nicolas.b.pierron)
Assignee
Comment 5•9 years ago
This is the same issue as Bug 1006899; apparently I forgot to add it back in this patch when I fixed it in the tree.
Assignee
Comment 6•9 years ago
Attachment #8474736 - Flags: review?(bhackett1024)
Assignee
Updated•9 years ago
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)

Updated•9 years ago
Keywords: sec-moderate

Updated•9 years ago
Attachment #8474736 - Flags: review?(bhackett1024) → review+
Assignee
Comment 7•9 years ago

This issue is caused by Bug 1040027, which is adding this code as part of changeset 9bdc7649cc78.
status-firefox33: --- → unaffected
Assignee
Comment 8•9 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/fb294a66c8ac

Comment 9•9 years ago

https://hg.mozilla.org/mozilla-central/rev/fb294a66c8ac
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Reporter
Updated•9 years ago
Status: RESOLVED → VERIFIED

Reporter
Comment 10•9 years ago

JSBugMon: This bug has been automatically verified fixed.

Updated•9 years ago
Group: core-security
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → unaffected
status-firefox-esr31: --- → unaffected