Closed Bug 1146410 Opened 10 years ago Closed 10 years ago

Assertion failure: Integer input should be equal or higher than Lowerbound., at js/src/jit/MacroAssembler.cpp:1694

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla39
Tracking Flags:
Tracking Status
firefox36 --- unaffected
firefox37 --- unaffected
firefox38 --- unaffected
firefox39 --- verified
firefox-esr31 --- unaffected
firefox-esr38 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-master --- fixed

People

(Reporter: decoder, Assigned: h4writer)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Print typeset to any fp
3.24 KB, patch
jandem
: review+
Details | Diff | Splinter Review
Patch
2.00 KB, patch
jandem
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision 4d2d97b3ba34 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-offthread-compile=off --ion-eager --ion-check-range-analysis): function foo() { var ws = new WeakSet(); ws.add({}); for (var i = 0; i < 10; i++) ws.add(WeakSet + ""); } foo(); delete Math; Backtrace: Program received signal SIGTRAP, Trace/breakpoint trap. 0x00007ffff7e598f7 in ?? () [...] #16 0x0000000000000000 in ?? () rax 0xf4f77028 4109856808 rbx 0xfffc7ffff5000120 -985162603036384 rcx 0x7ffff4f577c0 140737303115712 rdx 0xfff9800000000000 -1829587348619264 rsi 0x1 1 rdi 0x7fffffffbc98 140737488338072 rbp 0xfff8800000000000 18444633011384221696 rsp 0x7fffffffbc70 140737488338032 r8 0xfffbffffffffffff -1125899906842625 r9 0x28 40 r10 0x0 0 r11 0x7ffff6c27960 140737333328224 r12 0x8 8 r13 0x7fffffffca70 140737488341616 r14 0x203 515 r15 0x1a214b0 27399344 rip 0x7ffff7e598f7 140737352407287 => 0x7ffff7e598f7: cmp $0x1,%eax 0x7ffff7e598fa: jle 0x7ffff7e59a1c Marking s-s because this is a range analysis issue.
This sounds sketchy, so marking sec-high. Adjust as needed.
Keywords: sec-high
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150227161626" and the hash "928ec762c672". The "bad" changeset has the timestamp "20150227163831" and the hash "490afdad9ba1". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=928ec762c672&tochange=490afdad9ba1
Possibly regressed by bug 994016, needinfo from h4writer based on comment 2.
Flags: needinfo?(hv1989)
I often make this change to print something to somewhere else than stderr. Can we land this. (This is not a fix!)
Assignee: nobody → hv1989
Flags: needinfo?(hv1989)
Attachment #8583697 - Flags: review?(jdemooij)
Attached patch PatchSplinter Review
Typo: ins->type() was used instead of ins->getOperand(0)->type()
Attachment #8583698 - Flags: review?(jdemooij)
Attachment #8583697 - Flags: review?(jdemooij) → review+
Comment on attachment 8583698 [details] [diff] [review] Patch Review of attachment 8583698 [details] [diff] [review]: ----------------------------------------------------------------- Which branches does this affect? If it's only 39, can you add the test?
Attachment #8583698 - Flags: review?(jdemooij) → review+
Status: RESOLVED → VERIFIED
status-firefox39: fixedverified
JSBugMon: This bug has been automatically verified fixed.
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: