Bug 1111327 - Assertion failure: aIndex < mLength, at dist/include/mozilla/Vector.h
Status: Closed, VERIFIED FIXED (target milestone mozilla37)
Opened 10 years ago; closed 10 years ago
Category: Core :: JavaScript Engine: JIT, defect
Tracking
Release | Tracking | Status
---|---|---
firefox34 | --- | wontfix
firefox35 | --- | wontfix
firefox36 | --- | wontfix
firefox37 | --- | verified
firefox-esr31 | --- | unaffected
People: Reporter gkw, Assignee luke
Details: 4 keywords, Whiteboard: [adv-main37+]
Attachments (2 files)
7.52 KB, text/plain
3.30 KB, patch (dougc: review+)
// Randomly chosen test: js/src/jit-test/tests/basic/bug908915.js
enableSPSProfilingWithSlowAssertions();
enableSingleStepProfiling();
// Randomly chosen test: js/src/jit-test/tests/asm.js/testResize.js
function a() {
f = Function.apply(null, arguments);
}
function b() {
return f.apply(null, Array.slice(arguments, 1));
}
var m = a("\
\"use asm\"; \
function f() {}\
return f\
")
assertEq(b(m, this)(), undefined);
b(m, this)()
asserts js debug 32-bit ARM-simulator shell on m-c changeset f14dcd1c8c0b with --fuzzing-safe --no-threads --ion-eager at Assertion failure: aIndex < mLength, at dist/include/mozilla/Vector.h.
Debug configure options:
LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:
http://hg.mozilla.org/mozilla-central/file/f14dcd1c8c0b/js/src/jit-test/tests/basic/bug908915.js
http://hg.mozilla.org/mozilla-central/file/f14dcd1c8c0b/js/src/jit-test/tests/asm.js/testResize.js
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7797ecb20e4b
user: Luke Wagner
date: Tue Jul 29 09:56:21 2014 -0500
summary: Bug 1040390 - Replace ad hoc methods with JS::ProfilingFrameIterator::label() (r=dougc)
Setting s-s because this seems to involve the SPS profiler.
Luke, is bug 1040390 a likely regressor?
Flags: needinfo?(luke)
Comment 1 (Reporter, 10 years ago)
(lldb) bt 5
* thread #1: tid = 0x310581, 0x0014883c js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`mozilla::VectorBase<mozilla::UniquePtr<char, JS::FreePolicy>, 0ul, js::SystemAllocPolicy, js::Vector<mozilla::UniquePtr<char, JS::FreePolicy>, 0ul, js::SystemAllocPolicy> >::operator[](this=<unavailable>, aIndex=<unavailable>) const + 156 at Vector.h:415, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0014883c js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`mozilla::VectorBase<mozilla::UniquePtr<char, JS::FreePolicy>, 0ul, js::SystemAllocPolicy, js::Vector<mozilla::UniquePtr<char, JS::FreePolicy>, 0ul, js::SystemAllocPolicy> >::operator[](this=<unavailable>, aIndex=<unavailable>) const + 156 at Vector.h:415
frame #1: 0x0009014d js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::AsmJSProfilingFrameIterator::label() const [inlined] js::AsmJSModule::CodeRange::functionProfilingLabel(js::AsmJSModule const&) const + 29 at AsmJSModule.h:609
frame #2: 0x00090130 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::AsmJSProfilingFrameIterator::label(this=0xbfffe344) const + 80 at AsmJSFrameIterator.cpp:725
frame #3: 0x0077fdd7 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`JS::ProfilingFrameIterator::label(this=<unavailable>) const + 39 at Stack.cpp:1749
frame #4: 0x00016f82 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`SingleStepCallback(arg=0x02041400, sim=0x0280a800, pc=0x04110000) + 194 at js.cpp:4096
(lldb)
Comment 2 (Assignee, 10 years ago)
Oops; the profilingEnabled_ state gets copied over when cloning modules (it must, b/c the machine code has been patched to match profilingEnabled_) but profilingLabels_ was not duplicated into the destination module.
If functionality was available by default, it'd be s-s, but, as is, it can only be hit when the user has enabled profiling. I'm not sure whether that qualifies, but probably best to leave hidden.
Assignee: nobody → luke
Status: NEW → ASSIGNED
Flags: needinfo?(luke)
Attachment #8536939 - Flags: review?(dtc-moz)
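An added C++ sketch of the clone defect described in comment 2, using a hypothetical, simplified Module type rather than SpiderMonkey's AsmJSModule: the buggy clone copies the profiling flag but not the label vector, so a label lookup indexes past the end, and the fixed clone copies the labels and checks the flag/vector invariant (example code, not from the patch):

```cpp
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for an asm.js module (not SpiderMonkey's AsmJSModule).
struct Module {
    size_t numFunctions = 0;
    bool profilingEnabled = false;            // machine code patched for profiling
    std::vector<std::string> profilingLabels; // one label per function when enabled

    // Invariant the buggy clone violated: labels exist iff profiling is enabled.
    bool invariantHolds() const {
        return !profilingEnabled || profilingLabels.size() == numFunctions;
    }

    // Checked lookup standing in for Vector::operator[] (aIndex < mLength):
    // returns nullptr instead of asserting so the failure can be observed.
    const std::string* functionProfilingLabel(size_t i) const {
        if (!profilingEnabled || i >= profilingLabels.size())
            return nullptr;
        return &profilingLabels[i];
    }
};

// Toggle profiling: the labels are (re)built alongside the flag.
void setProfiling(Module& m, bool on) {
    m.profilingEnabled = on;
    m.profilingLabels.clear();
    if (on)
        for (size_t i = 0; i < m.numFunctions; ++i)
            m.profilingLabels.push_back("fn" + std::to_string(i));
}

// Buggy clone: copies the flag (it must, the code matches it) but not the labels.
Module cloneBuggy(const Module& src) {
    Module dst;
    dst.numFunctions = src.numFunctions;
    dst.profilingEnabled = src.profilingEnabled;
    return dst;
}

// Fixed clone: duplicate the labels with the flag and assert the invariant.
Module cloneFixed(const Module& src) {
    Module dst = cloneBuggy(src);
    dst.profilingLabels = src.profilingLabels;
    assert(dst.invariantHolds());
    return dst;
}

// Constructed sample: a two-function module with profiling turned on.
Module makeProfiledModule() {
    Module m;
    m.numFunctions = 2;
    setProfiling(m, true);
    return m;
}
```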
Updated 10 years ago
Attachment #8536939 - Flags: review?(dtc-moz) → review+
Comment 3 (Assignee, 10 years ago)
Updated 10 years ago
Keywords: sec-moderate
Comment 4 (10 years ago)
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Updated 10 years ago
Status: RESOLVED → VERIFIED
Comment 5 (10 years ago)
JSBugMon: This bug has been automatically verified fixed.
Updated 10 years ago
status-firefox34: --- → wontfix
status-firefox35: --- → wontfix
status-firefox36: --- → affected
status-firefox-esr31: --- → unaffected
Updated 10 years ago
Whiteboard: [adv-main37+]
Updated 9 years ago
Group: core-security → core-security-release
Updated 9 years ago
Group: core-security-release