Closed
Bug 1139368
Opened 9 years ago
Closed 9 years ago
Crash [@ ??] with RegExp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla39
Tracking | Status | |
---|---|---|
firefox37 | --- | unaffected |
firefox38 | --- | unaffected |
firefox39 | --- | verified |
firefox-esr31 | --- | unaffected |
b2g-v1.4 | --- | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | unaffected |
b2g-v2.1S | --- | unaffected |
b2g-v2.2 | --- | unaffected |
b2g-master | --- | fixed |
People
(Reporter: decoder, Assigned: jandem)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
1.37 KB,
patch
|
h4writer
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision c5b90c003be8 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --ion-offthread-compile=off --ion-eager --no-threads): function test() { for(var foo; i<2; i++) { var a = /a/; } for(var i=0; i<2; i++) { a.exec("aaa"); } } test(); Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7fdc831 in ?? () #0 0x00007ffff7fdc831 in ?? () #1 0x0000000000000000 in ?? () rax 0x1b33a10 28523024 rbx 0xfff9000000000000 -1970324836974592 rcx 0x0 0 rdx 0x1fff1 131057 rsi 0x7fffffffbbe8 140737488337896 rdi 0x7fffffffbbe8 140737488337896 rbp 0xfff9000000000000 18444773748872577024 rsp 0x7fffffffbbe8 140737488337896 r8 0x0 0 r9 0x0 0 r10 0x7fffffffbbe0 140737488337888 r11 0x7ffff7e50d00 140737352371456 r12 0x8 8 r13 0x7fffffffca80 140737488341632 r14 0x203 515 r15 0x7fffffffcc70 140737488342128 rip 0x7ffff7fdc831 140737353992241 => 0x7ffff7fdc831: mov (%rcx),%rax 0x7ffff7fdc834: movabs $0x7ffff7e57760,%r11 The crash address is 0x0 but since this is a crash on the heap, I'm marking this s-s until investigated.
Reporter | ||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 1•9 years ago
|
||
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150303001933" and the hash "074919869975". The "bad" changeset has the timestamp "20150303003949" and the hash "1fb224ec0020". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=074919869975&tochange=1fb224ec0020
Jan, is bug 1136837 (or the other one) a likely regressor?
Flags: needinfo?(jdemooij)
Assignee | ||
Comment 3•9 years ago
|
||
JSBugMon is right, this is a regression from bug 1136837. The problem is that MFilterTypeSet's TypePolicy would add an Unbox(object), and we'd hoist this unbox above the actual getprop operation. This is wrong because we can only guarantee the value is an object if we executed the getprop operation first. This patch uses setDependency because that's what FilterTypeSet uses elsewhere. Hannes, it might be nice to make Unboxes added in FilterTypeSetPolicy::adjustInputs non-movable, and remove the setDependency calls. What do you think?
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8574303 -
Flags: review?(hv1989)
Updated•9 years ago
|
Attachment #8574303 -
Flags: review?(hv1989) → review+
Comment 5•9 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #3) > This patch uses setDependency because that's what FilterTypeSet uses > elsewhere. Hannes, it might be nice to make Unboxes added in > FilterTypeSetPolicy::adjustInputs non-movable, and remove the setDependency > calls. What do you think? I would prefer not to do that, since that could possibly disable e.g. loop hoisting: > for () { > if (x) { // independent from loop > // do things with X that is independent from loop > > } > } If MFilterTypeSet is non-movable, all the instructions depending on it cannot get moved either ... Though I could adjust the constructor of MFilterTypeSet to take a "dependency" argument. Making sure that there is always a dependency set when using MFilterTypeSet ?? (Note: I've said this before, but I think we should improve and allow more uses of the "dependency" property next to AA.)
Assignee | ||
Comment 6•9 years ago
|
||
(In reply to Hannes Verschore [:h4writer] from comment #5) > If MFilterTypeSet is non-movable, all the instructions depending on it > cannot get moved either ... MFilterTypeSet *is* non-movable. > Though I could adjust the constructor of MFilterTypeSet to take a > "dependency" argument. Making sure that there is always a dependency set > when using MFilterTypeSet ?? That may help yes..
Assignee | ||
Comment 7•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/9fdbd96edb91
Updated•9 years ago
|
status-firefox38:
--- → unaffected
status-firefox-esr31:
--- → unaffected
https://hg.mozilla.org/mozilla-central/rev/9fdbd96edb91
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Reporter | ||
Updated•9 years ago
|
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 9•9 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•9 years ago
|
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.1S:
--- → unaffected
status-b2g-v2.2:
--- → unaffected
status-b2g-master:
--- → fixed
status-firefox37:
--- → unaffected
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•