Closed
Bug 1062612
Opened 7 years ago
Closed 7 years ago
Crash [@ mozilla::VectorBase] or [@ js::jit::RangeAnalysis::truncate]
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
VERIFIED
FIXED
mozilla35
People
(Reporter: gkw, Assigned: sunfish)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])
Crash Data
Attachments
(2 files, 1 obsolete file)
9.79 KB,
text/plain
|
Details | |
1.38 KB,
patch
|
nbp
:
review+
lmandel
:
approval-mozilla-aurora+
lmandel
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
x = [0] for (var j = 0; j < 1; ++j) { (x[j] ? 0 : ~undefined >>> 0) >>> 0 } crashes js debug shell on m-c changeset acbdce59da2f with --no-threads --ion-eager at mozilla::VectorBase and crashes js opt shell at js::jit::RangeAnalysis::truncate. Debug configure flags: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests Opt configure flags: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/61f05ae95aa4 user: Dan Gohman date: Tue Sep 02 13:01:31 2014 -0700 summary: Bug 1054972 - IonMonkey: Truncation for phis r=nbp Setting s-s to be safe (though seems to be a null-deref), and needinfo? from :sunfish. This has blown up the fuzzers.
Flags: needinfo?(sunfish)
![]() |
Reporter | |
Comment 1•7 years ago
|
||
Assignee | ||
Comment 2•7 years ago
|
||
Here's the fix. I'll try to craft a reasonable testcase for this before submitting for review.
Assignee: nobody → sunfish
Flags: needinfo?(sunfish)
Assignee | ||
Comment 3•7 years ago
|
||
This patch fixes an obvious thinko in my earlier patch. It's surprising that no tests caught this. I added a simple testcase to the patch.
Attachment #8483849 -
Attachment is obsolete: true
Attachment #8483879 -
Flags: review?(nicolas.b.pierron)
Updated•7 years ago
|
Attachment #8483879 -
Flags: review?(nicolas.b.pierron) → review+
Assignee | ||
Comment 4•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/36461117c5aa
Crash Signature: [@ js::jit::RangeAnalysis::truncate]
[@ mozilla::VectorBase] → [@ js::jit::RangeAnalysis::truncate]
[@ mozilla::VectorBase]
https://hg.mozilla.org/mozilla-central/rev/36461117c5aa
Target Milestone: --- → mozilla35
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•7 years ago
|
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::jit::RangeAnalysis::truncate]
[@ mozilla::VectorBase] → [@ js::jit::RangeAnalysis::truncate]
[@ mozilla::VectorBase]
Comment 6•7 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
![]() |
||
Comment 8•7 years ago
|
||
Given this is fixed in current nightlies and has never existed outside nightlies, I think this doesn't need to be marked security-sensitive.
Crash Signature: [@ js::jit::RangeAnalysis::truncate]
[@ mozilla::VectorBase] → [@ js::jit::RangeAnalysis::truncate]
[@ mozilla::VectorBase]
![]() |
Reporter | |
Updated•7 years ago
|
Group: core-security
![]() |
||
Updated•7 years ago
|
Crash Signature: [@ js::jit::RangeAnalysis::truncate]
[@ mozilla::VectorBase] → [@ js::jit::RangeAnalysis::truncate]
[@ mozilla::VectorBase]
[@ AdjustTruncatedInputs]
Updated•7 years ago
|
Crash Signature: [@ js::jit::RangeAnalysis::truncate]
[@ mozilla::VectorBase]
[@ AdjustTruncatedInputs] → [@ js::jit::RangeAnalysis::truncate]
[@ mozilla::VectorBase]
[@ AdjustTruncatedInputs]
[@ js::jit::RangeAnalysis::truncate() ]
Assignee | ||
Comment 13•6 years ago
|
||
Comment on attachment 8483879 [details] [diff] [review] block.patch Approval Request Comment [Feature/regressing bug #]: bug 1054972 [User impact if declined]: Null-pointer dereferences [Describe test coverage new/current, TBPL]: TBPL, on mozilla-central [Risks and why]: This patch is an extremely simple and obvious fix for a mistake in the patch for bug 1054972 [String/UUID change made/needed]: None
Attachment #8483879 -
Flags: approval-mozilla-beta?
Attachment #8483879 -
Flags: approval-mozilla-aurora?
Updated•6 years ago
|
status-firefox32:
--- → wontfix
status-firefox33:
--- → affected
status-firefox34:
--- → affected
tracking-firefox33:
--- → +
tracking-firefox34:
--- → +
Comment 14•6 years ago
|
||
Comment on attachment 8483879 [details] [diff] [review] block.patch Beta+ Aurora+
Attachment #8483879 -
Flags: approval-mozilla-beta?
Attachment #8483879 -
Flags: approval-mozilla-beta+
Attachment #8483879 -
Flags: approval-mozilla-aurora?
Attachment #8483879 -
Flags: approval-mozilla-aurora+
Comment 15•6 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/6aa082239a61 https://hg.mozilla.org/releases/mozilla-beta/rev/c5ee54bc44f8
You need to log in
before you can comment on or make changes to this bug.
Description
•