Closed
Bug 1102547
Opened 10 years ago
Closed 9 years ago
CompactingGC: Crash [@ ??] (Instruction testl $0x3f,...)
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1101576
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:ignore])
Crash Data
The following testcase crashes on mozilla-central revision aa72ddfe9f93 (build with --enable-gccompacting --disable-debug --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal, run with --fuzzing-safe --thread-count=2 --ion-regalloc=backtracking --ion-eager --ion-offthread-compile=off):

function strings() {
  var a = [], b = -1;
  var s = "abcdefghij", s2 = "a";
  for (var i = 0; i < 10; i++) {
    a[i] = (s.substring(i, i+1) + s[i] + String.fromCharCode(s2.charCodeAt(0) + i)).concat(i) + i;
  }
}
assertEq(strings(), "aaa00,bbb11,ccc22,ddd33,eee44,fff55,ggg66,hhh77,iii88,jjj991019100");

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f849e43b078 in ?? ()
To enable execution of this file add
        add-auto-load-safe-path js/src/shell/js-gdb.gdb
line to your configuration file "/home/decoder/.gdbinit".
To completely disable this security protection add
        set auto-load safe-path /
line to your configuration file "/home/decoder/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
        info "(gdb)Auto-loading safe path"
#0  0x00007f849e43b078 in ?? ()
[...]
#28 0x0000000000000000 in ?? ()
rax            0x9e30f140       140207566418240
rbx            0x9e30e033       140207566413875
rcx            0x3      3
rdx            0x2      2
rsi            0x9e30f149       140207566418249
rdi            0x63     99
rbp            0x0      0
rsp            0x8d613d08       140735565348104
r8             0x1      1
r9             0x2      2
r10            0x0      0
r11            0x1fff1  131057
r12            0x2      2
r13            0x0      -2111062325329920
r14            0x2      -2111062325329918
r15            0x1      -2111062325329919
rip            0x9e43b078       140207567646840
=> 0x7f849e43b078:      testl  $0x3f,(%rdi)
   0x7f849e43b07e:      je     0x7f849e43b7d4

Not s-s because compacting GC is not enabled yet in any builds.
Comment 1•10 years ago
Not sure if this still reproduces, but since this is compacting GC, moving on to :jonco.
Flags: needinfo?(jcoppeard)
Comment 2•10 years ago
This testcase doesn't trigger compacting GC, so I don't think this is related (also we don't compact strings). Dan, could this be related to use of the backtracking allocator?
Flags: needinfo?(jcoppeard) → needinfo?(sunfish)
Comment 3•10 years ago
It looks related to LSubstr codegen, and it looks like it may have been fixed by bug 1101576, though I don't currently have access to that bug. Specifically, patch 43aceb996c3b appears to have either the fix or something closely related.
Group: core-security
Flags: needinfo?(sunfish)
Comment 4•9 years ago
I've verified that this crash was fixed by changeset 43aceb996c3b.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release