Closed
Bug 1090237
Opened 10 years ago
Closed 10 years ago
Assertion failure: script->hasBaselineScript(), at jit/BaselineBailouts.cpp:532 or Crash [@ js::jit::BaselineScript::icEntryFromPCOffset]
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED DUPLICATE of bug 1087948

Tracking | Status
---|---
firefox36 | affected
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:])
Attachments (1 file)
1.05 KB, text/plain
The following testcase asserts on mozilla-central revision a255a234946e (run with --fuzzing-safe --no-threads --ion-eager):

```js
gczeal(14, 1);
function g() {}
function f() {
  for (var i = 0; i < 2; i++) {
    var o = { a: g() };
  }
}
f();
```
Reporter
Comment 1•10 years ago

Reporter
Comment 2•10 years ago
Crash trace:

```
Program received signal SIGSEGV, Segmentation fault.
js::jit::BaselineScript::icEntryFromPCOffset (this=0x0, pcOffset=17) at js/src/jit/BaselineJIT.cpp:506
506	    size_t top = numICEntries();
#0  js::jit::BaselineScript::icEntryFromPCOffset (this=0x0, pcOffset=17) at js/src/jit/BaselineJIT.cpp:506
#1  0x00000000005ab87f in InitFromBailout (poppedLastSPSFrameOut=0x7fffffffc2df, excInfo=<optimized out>, callPC=<synthetic pointer>, nextCallee=..., startFrameFormals=..., builder=..., iter=..., ionScript=<optimized out>, script=..., fun=..., callerPC=<optimized out>, caller=..., cx=0x16b1ca0, invalidate=<optimized out>) at js/src/jit/BaselineBailouts.cpp:935
#2  js::jit::BailoutIonToBaseline (cx=0x16b1ca0, activation=<optimized out>, iter=..., invalidate=<optimized out>, bailoutInfo=0x7fffffffc4b0, excInfo=0x0, poppedLastSPSFrameOut=0x7fffffffc2df) at js/src/jit/BaselineBailouts.cpp:1453
#3  0x000000000051ec6f in js::jit::InvalidationBailout (sp=0x7fffffffc4c0, frameSizeOut=0x7fffffffc4b8, bailoutInfo=0x7fffffffc4b0) at js/src/jit/Bailouts.cpp:123
#4  0x00007ffff7f754a7 in ?? ()
rdi            0x0	0
=> 0x58c194 <js::jit::BaselineScript::icEntryFromPCOffset(unsigned int)+4>:	mov    0x60(%rdi),%r9d
```

Looks like a null-deref, but the test involves gczeal, therefore marking s-s until triaged.
status-firefox36:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
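Triage of a trace like the one in comment 2 in code, as an added example that is not part of this bug report and not jsbugmon or any SpiderMonkey tooling: a small Python parser for the gdb backtrace, register and faulting-instruction lines that reports whether the top frame was entered with `this=0x0` and whether the faulting instruction dereferences a base register holding 0. The embedded trace text is copied from the comment and reformatted one gdb line per text line; the regexes, the `Frame`/`Crash` types and the 0x10000 "null page" threshold are this example's own assumptions, not anything the bug states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the gdb output from comment 2, one line per gdb line.
TRACE = """\
Program received signal SIGSEGV, Segmentation fault.
js::jit::BaselineScript::icEntryFromPCOffset (this=0x0, pcOffset=17) at js/src/jit/BaselineJIT.cpp:506
506	    size_t top = numICEntries();
#0  js::jit::BaselineScript::icEntryFromPCOffset (this=0x0, pcOffset=17) at js/src/jit/BaselineJIT.cpp:506
#1  0x00000000005ab87f in InitFromBailout (poppedLastSPSFrameOut=0x7fffffffc2df, excInfo=<optimized out>, callPC=<synthetic pointer>, nextCallee=..., startFrameFormals=..., builder=..., iter=..., ionScript=<optimized out>, script=..., fun=..., callerPC=<optimized out>, caller=..., cx=0x16b1ca0, invalidate=<optimized out>) at js/src/jit/BaselineBailouts.cpp:935
#2  js::jit::BailoutIonToBaseline (cx=0x16b1ca0, activation=<optimized out>, iter=..., invalidate=<optimized out>, bailoutInfo=0x7fffffffc4b0, excInfo=0x0, poppedLastSPSFrameOut=0x7fffffffc2df) at js/src/jit/BaselineBailouts.cpp:1453
#3  0x000000000051ec6f in js::jit::InvalidationBailout (sp=0x7fffffffc4c0, frameSizeOut=0x7fffffffc4b8, bailoutInfo=0x7fffffffc4b0) at js/src/jit/Bailouts.cpp:123
#4  0x00007ffff7f754a7 in ?? ()
rdi            0x0	0
=> 0x58c194 <js::jit::BaselineScript::icEntryFromPCOffset(unsigned int)+4>:	mov    0x60(%rdi),%r9d
"""

# Assumed line shapes (gdb's "bt", "info registers <reg>" and "x/i $pc" output).
SIGNAL_RE = re.compile(r'^Program received signal (\w+)')
FRAME_RE = re.compile(r'^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.+?) \((.*)\)(?: at (\S+):(\d+))?\s*$')
REG_RE = re.compile(r'^([a-z0-9]+)\s+(0x[0-9a-fA-F]+)\s+-?\d+\s*$')
INSN_RE = re.compile(r'^=>\s+0x[0-9a-fA-F]+ <[^>]*>:\s+(\S+)\s+(.*)$')
MEM_OPERAND_RE = re.compile(r'(-?0x[0-9a-fA-F]+)?\(%([a-z0-9]+)')  # AT&T "off(%base"
NULL_PAGE_LIMIT = 0x10000  # assumed: accesses below this are treated as null-page derefs


@dataclass
class Frame:
    index: int
    function: str
    args: Dict[str, str]
    file: Optional[str]
    line: Optional[int]


@dataclass
class Crash:
    signal: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)
    registers: Dict[str, int] = field(default_factory=dict)
    mnemonic: Optional[str] = None
    operands: str = ""


def parse_args(argstr: str) -> Dict[str, str]:
    """'this=0x0, pcOffset=17' -> {'this': '0x0', 'pcOffset': '17'}."""
    args: Dict[str, str] = {}
    for part in re.split(r', (?=\w+=)', argstr.strip()):
        if part:
            name, _, value = part.partition('=')
            args[name] = value
    return args


def parse_trace(text: str) -> Crash:
    """Pull the signal, numbered frames, register dump and faulting instruction out of gdb text."""
    crash = Crash()
    for raw in text.splitlines():
        line = raw.strip()
        m = SIGNAL_RE.match(line)
        if m:
            crash.signal = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            idx, func, argstr, path, lineno = m.groups()
            crash.frames.append(Frame(int(idx), func, parse_args(argstr), path,
                                      int(lineno) if lineno else None))
            continue
        m = REG_RE.match(line)
        if m:
            crash.registers[m.group(1)] = int(m.group(2), 16)
            continue
        m = INSN_RE.match(line)
        if m:
            crash.mnemonic, crash.operands = m.group(1), m.group(2)
    return crash


def classify(crash: Crash) -> Dict[str, object]:
    """Decide whether the crash is a null dereference; otherwise leave it unclassified."""
    top = crash.frames[0] if crash.frames else None
    null_args = [k for k, v in top.args.items() if v == '0x0'] if top else []
    base_reg, fault_address = None, None
    m = MEM_OPERAND_RE.search(crash.operands) if crash.operands else None
    if m:
        base_reg = m.group(2)
        offset = int(m.group(1), 16) if m.group(1) else 0
        if base_reg in crash.registers:
            fault_address = crash.registers[base_reg] + offset
    # Either the method was entered on a null object, or the faulting load/store
    # went through a register holding 0 plus a small field offset.
    is_null = ('this' in null_args) or (
        fault_address is not None and 0 <= fault_address < NULL_PAGE_LIMIT)
    return {
        'kind': 'null-deref' if is_null else 'unclassified',
        'signal': crash.signal,
        'function': top.function if top else None,
        'location': f"{top.file}:{top.line}" if top and top.file else None,
        'null_args': null_args,
        'base_register': base_reg,
        'fault_address': fault_address,
    }


if __name__ == '__main__':
    for key, value in classify(parse_trace(TRACE)).items():
        print(f"{key}: {value}")
```

The two signals are checked independently on purpose: `this=0x0` in the top frame is what the argument list says, while the register plus `0x60(%rdi)` operand is what the CPU actually faulted on, and the two agree here (null object, field at offset 0x60). A trace where they disagree is one to look at by hand rather than mark as a plain null-deref.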
Reporter
Updated•10 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 3•10 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7f49fd6cc976
user: Nicolas B. Pierron
date: Wed Oct 22 18:37:35 2014 +0200
summary: Bug 1083866 - No longer suppress GC for the evaluation of recover instructions. r=jandem

This iteration took 556.721 seconds to run.
Reporter
Updated•10 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter
Comment 4•10 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 53d84829b2b8).
Reporter
Comment 5•10 years ago
Needinfo from nbp based on comment 3.
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Reporter
Updated•10 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Reporter
Comment 6•10 years ago
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/f9fd1dde27c5
user: Nicolas B. Pierron
date: Tue Oct 28 16:33:35 2014 +0100
summary: Bug 1087948 - Mark Baseline code of bailout frames as being active. r=jonco

This iteration took 559.495 seconds to run.
Comment 7•10 years ago
Yes, this issue is fixed by Bug 1087948, and we have a test case in the test suite which is testing this issue as well ;)
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release