Closed
Bug 1115665
Opened 10 years ago
Closed 9 years ago
Crash at SIGTRAP or Assertion failure: Incorrect range for Value., at jit/MacroAssembler.cpp
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED (target milestone mozilla37)
Tracking | Status
---|---
firefox35 | unaffected
firefox36 | unaffected
firefox37 | verified
firefox-esr31 | unaffected
b2g-v1.4 | unaffected
b2g-v2.0 | unaffected
b2g-v2.0M | unaffected
b2g-v2.1 | unaffected
b2g-v2.2 | fixed
People: Reporter: gkw, Assigned: h4writer
Details: 4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update]
Attachments (2 files):
- 683 bytes, text/plain
- 962 bytes, patch (jandem: review+)
```js
// Randomly chosen test: js/src/jit-test/tests/ion/bug836705.js
Object.prototype[3] = 3
// Randomly chosen test: js/src/jit-test/tests/jaeger/loops/bug658290.js
x = Array()
function f() {
  for (i = 0; i < 9; i++) {
    if (Object[x++] != 0) {}
  }
}
f()
```

asserts js debug shell on m-c changeset 986ef444a8bb with --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis at Assertion failure: Incorrect range for Value., at jit/MacroAssembler.cpp.

Debug configure options:

```
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
```

This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/986ef444a8bb/js/src/jit-test/tests/ion/bug836705.js
http://hg.mozilla.org/mozilla-central/file/986ef444a8bb/js/src/jit-test/tests/jaeger/loops/bug658290.js

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0b155176f4eb
user: Hannes Verschore
date: Wed Dec 24 15:01:03 2014 +0100
summary: Bug 1107328 - IonMonkey: Also check for boxed constants when checking for constants, r=jandem

(Setting s-s because this causes a SIGTRAP and fuzzblocker because it crashes in optimized builds without any signature, which makes it hard to ignore)

Hannes, is bug 1107328 a likely regressor?
Flags: needinfo?(hv1989)
Comment 1 • 10 years ago (Reporter)
The attachment shows the stack for debug builds, while the following is for opt builds:

```
Process 628 stopped
* thread #1: tid = 0x82523, 0x00000001016dd08a, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
    frame #0: 0x00000001016dd08a
->  0x1016dd08a: movabsq $0x10235e060, %rax
    0x1016dd094: movq    0x10(%rax), %rax
    0x1016dd098: movl    0x9a0(%rax), %ecx
    0x1016dd09e: addl    $0x1, %ecx
(lldb) bt
* thread #1: tid = 0x82523, 0x00000001016dd08a, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
  * frame #0: 0x00000001016dd08a
(lldb)
```
Comment 2 • 10 years ago (Assignee)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #0)
> Hannes, is bug 1107328 a likely regressor?

Very possibly. Fixed a similar issue before pushing. The codebase is too used to the idea that a constant value means we can do optimizations without doing specific checks. (Which happens to mostly work, since we would box inputs for un-optimizable cases.)

Taking.
Assignee: nobody → hv1989
Comment 3 • 10 years ago (Assignee)
Flags: needinfo?(hv1989)
Attachment #8542140 - Flags: review?(jdemooij)
Updated • 9 years ago
Attachment #8542140 - Flags: review?(jdemooij) → review+
Comment 4 • 9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/0c531e14936b
https://hg.mozilla.org/mozilla-central/rev/0c531e14936b
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Updated • 9 years ago
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.2: --- → fixed
status-firefox35: --- → unaffected
status-firefox36: --- → unaffected
status-firefox-esr31: --- → unaffected
Updated • 9 years ago
Status: RESOLVED → VERIFIED
Comment 6 • 9 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 9 years ago
Group: core-security