Closed Bug 1141175 Opened 9 years ago Closed 9 years ago

Crash [@ js::jit::AssertValidObjectPtr] (compartment mismatch)

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1139368
Tracking Status
firefox39 --- affected

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update,ignore])

The following testcase crashes on mozilla-central revision eab4a81e4457 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --ion-eager --no-threads):

function C(c) {}
function makeArray(n) {
    var arr = C() && this;
    for (var i = 0; i < n; i++) {
        arr.push(new classes[i % 3](i % 3));
    }
}
makeArray(30000);
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::AssertValidObjectPtr (cx=0x1a367c0, obj=0x0) at js/src/jit/VMFunctions.cpp:1144
1144	    MOZ_ASSERT(obj->compartment() == cx->compartment());
#0  js::jit::AssertValidObjectPtr (cx=0x1a367c0, obj=0x0) at js/src/jit/VMFunctions.cpp:1144
#1  0x00007ffff7fdc79b in ?? ()
#2  0x00007fffffffbb20 in ?? ()
#3  0x00007fffffffba08 in ?? ()
#4  0xfff8800000000000 in ?? ()
#5  0xfff8800000000000 in ?? ()
#6  0xfff9000000000000 in ?? ()
#7  0x0000000000000000 in ?? ()
rax	0x9b2ac0	10169024
rbx	0xfff8800000000000	-2111062325329920
rcx	0x1a367c0	27486144
rdx	0xfff9000000000000	-1970324836974592
rsi	0x0	0
rdi	0x1a367c0	27486144
rbp	0x7fffffffb9e0	140737488337376
rsp	0x7fffffffb9c0	140737488337344
r8	0x1b2e7f0	28502000
r9	0x7ffff6d0d4a5	140737334269093
r10	0x8011	32785
r11	0xfff9000000000000	-1970324836974592
r12	0x1a367c0	27486144
r13	0x7fffffffca30	140737488341552
r14	0x203	515
r15	0x7fffffffcc20	140737488342048
rip	0x9b2adb <js::jit::AssertValidObjectPtr(JSContext*, JSObject*)+27>
=> 0x9b2adb <js::jit::AssertValidObjectPtr(JSContext*, JSObject*)+27>:	mov    (%rsi),%rax
   0x9b2ade <js::jit::AssertValidObjectPtr(JSContext*, JSObject*)+30>:	mov    (%rdi),%rdi
Marking s-s because this looks like a compartment mismatch.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150206142428" and the hash "cab70edfe933".
The "bad" changeset has the timestamp "20150309092404" and the hash "8572d3e909a3".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=cab70edfe933&tochange=8572d3e909a3
Whiteboard: [jsbugmon:update] → [jsbugmon:update,bisect,bisect-force-compile]
Whiteboard: [jsbugmon:update,bisect,bisect-force-compile] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/1fb224ec0020
user:        Jan de Mooij
date:        Tue Mar 03 09:37:46 2015 +0100
summary:     Bug 1136837 part 2 - Improve |this| types when inlining after a CALLPROP/CALLELEM. r=h4writer

This iteration took 187.165 seconds to run.
Needinfo from jandem based on comment 2.
Flags: needinfo?(jdemooij)
Keywords: sec-high
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a9aff724afc7).
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release