Bug 1126032
Opened 9 years ago
Closed 9 years ago
Crash at SIGTRAP or Assertion failure: Integer input should be lower or equal than Upperbound., at jit/MacroAssembler.cpp
Categories: Core :: JavaScript Engine: JIT, defect
Tracking
Status: RESOLVED DUPLICATE of bug 1124651

 | Tracking | Status
---|---|---
firefox38 | --- | affected
People: Reporter gkw; Unassigned
Attachments (1 file): 7.49 KB, text/plain
    s = newGlobal()
    try {
        evalcx("\
    x = (new Set).delete();\
    b = x;\
    b = (x = []).__proto__ = function () {}\
    ", s)
        evalcx("gcslice();", s)
        evalcx("x", s)
    } catch (e) {}

asserts js debug shell on m-c changeset 95c76c3b0172 with --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis at Assertion failure: Integer input should be lower or equal than Upperbound., at jit/MacroAssembler.cpp and crashes js opt shell at SIGTRAP.

My configure flags are:

    CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

autoBisect shows this is probably related to the following changeset:

    The first bad revision is:
    changeset:   https://hg.mozilla.org/mozilla-central/rev/5cec093aeadc
    user:        Brian Hackett
    date:        Wed Jan 14 08:00:28 2015 -0700
    summary:     Bug 1116017 - Don't scan all type sets in compartments on type mutations, r=jandem.

Brian, is bug 1116017 a likely regressor?
Flags: needinfo?(bhackett1024)
Comment 1 • 9 years ago (Reporter)
    (lldb) bt 5
    * thread #1: tid = 0x7122d, 0x00000001040004d2, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
      * frame #0: 0x00000001040004d2
        frame #1: 0x00000001002f1e23 js-dbg-opt-64-dm-nsprBuild-darwin-95c76c3b0172`js::jit::IonCannon(JSContext*, js::RunState&) [inlined] EnterIon(data=0x0000000104000010) + 24 at Ion.cpp:2238
        frame #2: 0x00000001002f1e0b js-dbg-opt-64-dm-nsprBuild-darwin-95c76c3b0172`js::jit::IonCannon(cx=0x0000000101d02040, state=0x00007fff5fbfdbc0) + 619 at Ion.cpp:2320
        frame #3: 0x000000010076b204 js-dbg-opt-64-dm-nsprBuild-darwin-95c76c3b0172`js::RunScript(cx=0x0000000101d02040, state=0x00007fff5fbfdb78) + 244 at Interpreter.cpp:428
        frame #4: 0x0000000100781eba js-dbg-opt-64-dm-nsprBuild-darwin-95c76c3b0172`js::ExecuteKernel(cx=0x0000000101d02040, scopeChainArg=0x0000000101f77060, thisv=<unavailable>, type=<unavailable>, result=<unavailable>, script=<unavailable>, evalInFrame=<unavailable>) + 970 at Interpreter.cpp:657
    (lldb)
Comment 2 • 9 years ago (Reporter)
Let's lock this until we know what's going on here:

    (lldb) dis -p
    ->  0x1021e503c: movabsq $-0x6800000000000, %rcx
Group: core-security
Comment 3 • 9 years ago
If this is hitting a breakpoint in opt builds too does that make it relatively safe?
Comment 4 • 9 years ago
I can reproduce this on the original revision, but not after bug 1124651 landed. The testcase also has __proto__ mutation and GC timing stuff, which are likely to trigger bug 1124651.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release
Keywords: sec-critical