Closed
Bug 1141175
Opened 9 years ago
Closed 9 years ago
Crash [@ js::jit::AssertValidObjectPtr] (compartment mismatch)
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED DUPLICATE of bug 1139368
| | Tracking | Status |
|---|---|---|
| firefox39 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore])
The following testcase crashes on mozilla-central revision eab4a81e4457 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --ion-eager --no-threads):

```js
function C(c) {}
function makeArray(n) {
  var arr = C() && this;
  for (var i = 0; i < n; i++) {
    arr.push(new classes[i % 3](i % 3));
  }
}
makeArray(30000);
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
js::jit::AssertValidObjectPtr (cx=0x1a367c0, obj=0x0) at js/src/jit/VMFunctions.cpp:1144
1144        MOZ_ASSERT(obj->compartment() == cx->compartment());
#0  js::jit::AssertValidObjectPtr (cx=0x1a367c0, obj=0x0) at js/src/jit/VMFunctions.cpp:1144
#1  0x00007ffff7fdc79b in ?? ()
#2  0x00007fffffffbb20 in ?? ()
#3  0x00007fffffffba08 in ?? ()
#4  0xfff8800000000000 in ?? ()
#5  0xfff8800000000000 in ?? ()
#6  0xfff9000000000000 in ?? ()
#7  0x0000000000000000 in ?? ()
rax            0x9b2ac0            10169024
rbx            0xfff8800000000000  -2111062325329920
rcx            0x1a367c0           27486144
rdx            0xfff9000000000000  -1970324836974592
rsi            0x0                 0
rdi            0x1a367c0           27486144
rbp            0x7fffffffb9e0      140737488337376
rsp            0x7fffffffb9c0      140737488337344
r8             0x1b2e7f0           28502000
r9             0x7ffff6d0d4a5      140737334269093
r10            0x8011              32785
r11            0xfff9000000000000  -1970324836974592
r12            0x1a367c0           27486144
r13            0x7fffffffca30      140737488341552
r14            0x203               515
r15            0x7fffffffcc20      140737488342048
rip            0x9b2adb <js::jit::AssertValidObjectPtr(JSContext*, JSObject*)+27>
=> 0x9b2adb <js::jit::AssertValidObjectPtr(JSContext*, JSObject*)+27>:  mov    (%rsi),%rax
   0x9b2ade <js::jit::AssertValidObjectPtr(JSContext*, JSObject*)+30>:  mov    (%rdi),%rdi
```

Marking s-s because this looks like a compartment mismatch.
Reporter
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Reporter
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150206142428" and the hash "cab70edfe933".
The "bad" changeset has the timestamp "20150309092404" and the hash "8572d3e909a3".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=cab70edfe933&tochange=8572d3e909a3
Reporter
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,bisect,bisect-force-compile]

Reporter
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect,bisect-force-compile] → [jsbugmon:update]

Reporter
Comment 2•9 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/1fb224ec0020
user: Jan de Mooij
date: Tue Mar 03 09:37:46 2015 +0100
summary: Bug 1136837 part 2 - Improve |this| types when inlining after a CALLPROP/CALLELEM. r=h4writer
This iteration took 187.165 seconds to run.
Reporter
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

Reporter
Comment 4•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a9aff724afc7).
Updated•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release