Closed Bug 1126032 Opened 9 years ago Closed 9 years ago

Crash at SIGTRAP or Assertion failure: Integer input should be lower or equal than Upperbound., at jit/MacroAssembler.cpp

Component: Core :: JavaScript Engine: JIT (defect)
Hardware: x86_64
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED DUPLICATE of bug 1124651
Tracking Status: firefox38 --- affected

Reporter: gkw
Assignee: Unassigned

Attachments: 1 file

s = newGlobal()
try {
    // Evaluate the testcase inside the separate global s (evalcx runs code in the given global)
    evalcx("\
        x = (new Set).delete();\
        b = x;\
        b = (x = []).__proto__ = function () {}\
    ", s)
    // Run one incremental GC slice after the __proto__ mutation, then read x again
    evalcx("gcslice();", s)
    evalcx("x", s)
} catch (e) {}

asserts js debug shell on m-c changeset 95c76c3b0172 with --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis at Assertion failure: Integer input should be lower or equal than Upperbound., at jit/MacroAssembler.cpp and crashes js opt shell at SIGTRAP.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/5cec093aeadc
user:        Brian Hackett
date:        Wed Jan 14 08:00:28 2015 -0700
summary:     Bug 1116017 - Don't scan all type sets in compartments on type mutations, r=jandem.

Brian, is bug 1116017 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file debug and opt stacks
(lldb) bt 5
* thread #1: tid = 0x7122d, 0x00000001040004d2, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
  * frame #0: 0x00000001040004d2
    frame #1: 0x00000001002f1e23 js-dbg-opt-64-dm-nsprBuild-darwin-95c76c3b0172`js::jit::IonCannon(JSContext*, js::RunState&) [inlined] EnterIon(data=0x0000000104000010) + 24 at Ion.cpp:2238
    frame #2: 0x00000001002f1e0b js-dbg-opt-64-dm-nsprBuild-darwin-95c76c3b0172`js::jit::IonCannon(cx=0x0000000101d02040, state=0x00007fff5fbfdbc0) + 619 at Ion.cpp:2320
    frame #3: 0x000000010076b204 js-dbg-opt-64-dm-nsprBuild-darwin-95c76c3b0172`js::RunScript(cx=0x0000000101d02040, state=0x00007fff5fbfdb78) + 244 at Interpreter.cpp:428
    frame #4: 0x0000000100781eba js-dbg-opt-64-dm-nsprBuild-darwin-95c76c3b0172`js::ExecuteKernel(cx=0x0000000101d02040, scopeChainArg=0x0000000101f77060, thisv=<unavailable>, type=<unavailable>, result=<unavailable>, script=<unavailable>, evalInFrame=<unavailable>) + 970 at Interpreter.cpp:657
(lldb)
Let's lock this until we know what's going on here:

(lldb) dis -p
-> 0x1021e503c:  movabsq $-0x6800000000000, %rcx
Group: core-security
If this is hitting a breakpoint in opt builds too does that make it relatively safe?
I can reproduce this on the original revision, but not after bug 1124651 landed.  The testcase also has __proto__ mutation and GC timing stuff, which are likely to trigger bug 1124651.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-critical