Closed
Bug 1102595
Opened 11 years ago
Closed 11 years ago
Crash [@ ensureLinear]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED DUPLICATE of bug 1101576
| Tracking | Status | |
|---|---|---|
| firefox36 | --- | fixed |
People
(Reporter: decoder, Unassigned)
Details
(Whiteboard: [jsbugmon:][adv-main36-])
Crash Data
The following testcase crashes on mozilla-central revision aa72ddfe9f93 (build with --disable-debug --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal, run with --fuzzing-safe --thread-count=2 --ion-eager --ion-regalloc=backtracking):
```js
while (true) {
  loadFile('obj_NaN')
}
function loadFile(lfVarx) {
  try {
    if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
      evaluate(lfVarx);
    } else if (!isNaN(lfVarx)) {}
  } catch (lfVare) { }
}
```
Backtrace:
```
Program terminated with signal SIGSEGV, Segmentation fault.
#0  ensureLinear (cx=cx@entry=0x23c7db0, this=0x4e)
    at js/src/vm/String.h:1291
1291        : asRope().flatten(cx);
#0  ensureLinear (cx=cx@entry=0x23c7db0, this=0x4e) at js/src/vm/String.h:1291
#1  js::AutoStableStringChars::initTwoByte (this=this@entry=0x7fff867adf90, cx=cx@entry=0x23c7db0, s=0x4e) at js/src/vm/String.cpp:841
#2  0x0000000000421c6e in Evaluate (cx=0x23c7db0, argc=<optimized out>, vp=0x7fff867ae118) at js/src/shell/js.cpp:1256
#3  0x00007fabab5cde61 in ?? ()
rdx            0x4e     78
rip            0x883eb2 <js::AutoStableStringChars::initTwoByte(JSContext*, JSString*)+18>
=> 0x883eb2 <js::AutoStableStringChars::initTwoByte(JSContext*, JSString*)+18>:     testb  $0x3f,(%rdx)
   0x883eb5 <js::AutoStableStringChars::initTwoByte(JSContext*, JSString*)+21>:     je     0x883f20 <js::AutoStableStringChars::initTwoByte(JSContext*, JSString*)+128>
```
Marked s-s because I'm not entirely sure if this is a null-deref or not (this-pointer is 0x4e).
Updated (Reporter)•11 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
Comment 1 (Reporter)•11 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6309710dd71d).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/34859490061a
user: Hannes Verschore
date: Tue Nov 18 15:53:58 2014 +0100
summary: Bug 1052839 - Selfhost substr/slice/substring, r=waldo,till,jonco
This iteration took 279.404 seconds to run.
Comment 2 (Reporter)•11 years ago
Needinfo from Hannes based on comment 2, also checking if this isn't fixed already.
Flags: needinfo?(hv1989)
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Updated (Reporter)•11 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 3 (Reporter)•11 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/43aceb996c3b
user: Hannes Verschore
date: Thu Nov 20 01:48:11 2014 +0100
summary: Bug 1101576 - IonMonkey: Add fixes for LSubstr, r=efaust
This iteration took 247.002 seconds to run.
Comment 4•11 years ago
Looks like this was fixed with my LSubstr fixes.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(hv1989)
Resolution: --- → DUPLICATE
Updated•10 years ago
Whiteboard: [jsbugmon:] → [jsbugmon:][adv-main36-]
Updated•10 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release