Closed
Bug 1163443
Opened 9 years ago
Closed 9 years ago
Crash [@ scriptSourceUnwrap]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED DUPLICATE of bug 1135707
| | Tracking | Status |
|---|---|---|
| firefox40 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:])
Crash Data
The following testcase crashes on mozilla-central revision 39dc888ce14c (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --disable-debug, run with --arm-asm-nop-fill=1 --ion-eager):

x = {};
y = x;
Object.defineProperty(this, "x", {
  get: function() {
    Object.defineProperty(this, "y", {
      get: function() {
        return x(this.y)
      }
    });
  }
})
gczeal(14, 17);
var lfGlobal = newGlobal();
for (lfLocal in this)
  lfGlobal[lfLocal] = this[lfLocal];

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x08514783 in scriptSourceUnwrap (this=0x49494949) at js/src/jsscript.cpp:1222
#0 0x08514783 in scriptSourceUnwrap (this=0x49494949) at js/src/jsscript.cpp:1222
#1 JSScript::scriptSource (this=0x49494949) at js/src/jsscript.cpp:1227
#2 0x083245ac in filename (this=<optimized out>) at js/src/jsscript.h:1466
#3 js::jit::BailoutIonToBaseline (cx=cx@entry=0xf7a6d0e0, activation=0xfffeb5e0, iter=..., invalidate=invalidate@entry=true, bailoutInfo=bailoutInfo@entry=0xf5efe368, excInfo=excInfo@entry=0x0) at js/src/jit/BaselineBailouts.cpp:1431
#4 0x08326f61 in js::jit::InvalidationBailout (sp=0xf5efe378, frameSizeOut=frameSizeOut@entry=0xf5efe370, bailoutInfo=bailoutInfo@entry=0xf5efe368) at js/src/jit/Bailouts.cpp:130
#5 0x0845f139 in js::jit::Simulator::softwareInterrupt (this=0xf7a6c000, instr=0xf7a02734) at js/src/jit/arm/Simulator-arm.cpp:2152
#6 0x0845f3bd in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02734) at js/src/jit/arm/Simulator-arm.cpp:3272
#7 0x0845f6fc in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02734) at js/src/jit/arm/Simulator-arm.cpp:4191
#8 0x08461de4 in execute<false> (this=0xf7a6c000) at js/src/jit/arm/Simulator-arm.cpp:4246
#9 js::jit::Simulator::callInternal (this=this@entry=0xf7a6c000, entry=entry@entry=0xf7fc8db0 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4334
#10 0x08461ff6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8db0 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#11 0x0839b039 in EnterIon (data=..., cx=0xf7a6d0e0) at js/src/jit/Ion.cpp:2389
#12 js::jit::IonCannon (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/jit/Ion.cpp:2471
#13 0x081c16be in js::RunScript (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/vm/Interpreter.cpp:657
#14 0x081c1806 in js::Invoke (cx=cx@entry=0xf7a6d0e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746
#15 0x081c22ab in js::Invoke (cx=cx@entry=0xf7a6d0e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:783
#16 0x081c242e in js::InvokeGetter (cx=cx@entry=0xf7a6d0e0, obj=0xf5c74040, fval=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:852
#17 0x081c24a2 in CallGetter (cx=cx@entry=0xf7a6d0e0, obj=..., obj@entry=..., receiver=receiver@entry=..., shape=shape@entry=..., vp=vp@entry=...) at js/src/vm/NativeObject.cpp:1566
#18 0x081c2b46 in GetExistingProperty<(js::AllowGC)1> (vp=..., shape=..., obj=..., receiver=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.cpp:1618
#19 NativeGetPropertyInline<(js::AllowGC)1> (vp=..., nameLookup=NotNameLookup, id=..., receiver=..., obj=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.cpp:1832
#20 js::NativeGetProperty (cx=0xf7a6d0e0, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:1866
#21 0x081d8f55 in js::GetProperty (cx=cx@entry=0xf7a6d0e0, obj=obj@entry=..., receiver=receiver@entry=..., id=id@entry=..., vp=vp@entry=...) at js/src/vm/NativeObject.h:1411
#22 0x081c3eae in GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0xf7a6d0e0) at js/src/jsobj.h:839
#23 js::GetProperty (cx=0xf7a6d0e0, v=..., v@entry=..., name=name@entry=..., vp=vp@entry=...) at js/src/vm/Interpreter.cpp:4104
#24 0x0845f2b9 in js::jit::Simulator::softwareInterrupt (this=0xf7a6c000, instr=0xf7a029c4) at js/src/jit/arm/Simulator-arm.cpp:2159
#25 0x0845f3bd in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a029c4) at js/src/jit/arm/Simulator-arm.cpp:3272
#26 0x0845f6fc in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a029c4) at js/src/jit/arm/Simulator-arm.cpp:4191
#27 0x08461de4 in execute<false> (this=0xf7a6c000) at js/src/jit/arm/Simulator-arm.cpp:4246
#28 js::jit::Simulator::callInternal (this=this@entry=0xf7a6c000, entry=entry@entry=0xf7fc8db0 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4334
#29 0x08461ff6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8db0 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#30 0x0839b039 in EnterIon (data=..., cx=0xf7a6d0e0) at js/src/jit/Ion.cpp:2389
#31 js::jit::IonCannon (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/jit/Ion.cpp:2471
#32 0x081c16be in js::RunScript (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/vm/Interpreter.cpp:657
#33 0x081c1806 in js::Invoke (cx=cx@entry=0xf7a6d0e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746
#34 0x081c22ab in js::Invoke (cx=cx@entry=0xf7a6d0e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:783
#35 0x081c242e in js::InvokeGetter (cx=cx@entry=0xf7a6d0e0, obj=0xf5c74040, fval=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:852
#36 0x081c24a2 in CallGetter (cx=cx@entry=0xf7a6d0e0, obj=..., obj@entry=..., receiver=receiver@entry=..., shape=shape@entry=..., vp=vp@entry=...) at js/src/vm/NativeObject.cpp:1566
#37 0x081c2b46 in GetExistingProperty<(js::AllowGC)1> (vp=..., shape=..., obj=..., receiver=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.cpp:1618
#38 NativeGetPropertyInline<(js::AllowGC)1> (vp=..., nameLookup=NotNameLookup, id=..., receiver=..., obj=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.cpp:1832
#39 js::NativeGetProperty (cx=0xf7a6d0e0, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:1866
#40 0x082ded2d in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.h:1411
#41 js::jit::ComputeGetPropResult (cx=cx@entry=0xf7a6d0e0, frame=frame@entry=0xf5efe770, op=op@entry=JSOP_GETPROP, name=name@entry=..., val=val@entry=..., res=res@entry=...) at js/src/jit/BaselineIC.cpp:7582
#42 0x08339599 in js::jit::DoGetPropFallback (cx=<optimized out>, frame=frame@entry=0xf5efe770, stub_=stub_@entry=0xf7a220a0, val=val@entry=..., res=res@entry=...) at js/src/jit/BaselineIC.cpp:7647
#43 0x0845ecc9 in js::jit::Simulator::softwareInterrupt (this=0xf7a6c000, instr=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:2166
#44 0x0845f3bd in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:3272
#45 0x0845f6fc in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:4191
#46 0x08461de4 in execute<false> (this=0xf7a6c000) at js/src/jit/arm/Simulator-arm.cpp:4246
#47 js::jit::Simulator::callInternal (this=this@entry=0xf7a6c000, entry=entry@entry=0xf7fc8eb8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4334
#48 0x08461ff6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8eb8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#49 0x082c68da in EnterBaseline (cx=cx@entry=0xf7a6d0e0, data=...) at js/src/jit/BaselineJIT.cpp:124
#50 0x082f2589 in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/jit/BaselineJIT.cpp:156
#51 0x081c13c5 in js::RunScript (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/vm/Interpreter.cpp:667
#52 0x081c1806 in js::Invoke (cx=cx@entry=0xf7a6d0e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746
#53 0x081c22ab in js::Invoke (cx=cx@entry=0xf7a6d0e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:783
#54 0x081c242e in js::InvokeGetter (cx=cx@entry=0xf7a6d0e0, obj=0xf5c74040, fval=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:852
#55 0x081c24a2 in CallGetter (cx=cx@entry=0xf7a6d0e0, obj=..., obj@entry=..., receiver=receiver@entry=..., shape=shape@entry=..., vp=vp@entry=...) at js/src/vm/NativeObject.cpp:1566
#56 0x081c2b46 in GetExistingProperty<(js::AllowGC)1> (vp=..., shape=..., obj=..., receiver=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.cpp:1618
#57 NativeGetPropertyInline<(js::AllowGC)1> (vp=..., nameLookup=NotNameLookup, id=..., receiver=..., obj=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.cpp:1832
#58 js::NativeGetProperty (cx=0xf7a6d0e0, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:1866
#59 0x082ded2d in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.h:1411
#60 js::jit::ComputeGetPropResult (cx=cx@entry=0xf7a6d0e0, frame=frame@entry=0xf5efe880, op=op@entry=JSOP_GETPROP, name=name@entry=..., val=val@entry=..., res=res@entry=...) at js/src/jit/BaselineIC.cpp:7582
#61 0x08339599 in js::jit::DoGetPropFallback (cx=<optimized out>, frame=frame@entry=0xf5efe880, stub_=stub_@entry=0xf7a220a0, val=val@entry=..., res=res@entry=...) at js/src/jit/BaselineIC.cpp:7647
#62 0x0845ecc9 in js::jit::Simulator::softwareInterrupt (this=0xf7a6c000, instr=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:2166
#63 0x0845f3bd in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:3272
#64 0x0845f6fc in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:4191
#65 0x08461de4 in execute<false> (this=0xf7a6c000) at js/src/jit/arm/Simulator-arm.cpp:4246
#66 js::jit::Simulator::callInternal (this=this@entry=0xf7a6c000, entry=entry@entry=0xf7fc8eb8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4334
#67 0x08461ff6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8eb8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#68 0x082c68da in EnterBaseline (cx=cx@entry=0xf7a6d0e0, data=...) at js/src/jit/BaselineJIT.cpp:124
#69 0x082f2589 in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/jit/BaselineJIT.cpp:156
#70 0x081c13c5 in js::RunScript (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/vm/Interpreter.cpp:667
#71 0x081c1806 in js::Invoke (cx=cx@entry=0xf7a6d0e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746
#72 0x081c22ab in js::Invoke (cx=cx@entry=0xf7a6d0e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:783
#73 0x081c242e in js::InvokeGetter (cx=cx@entry=0xf7a6d0e0, obj=0xf5c74040, fval=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:852
#74 0x081c24a2 in CallGetter (cx=cx@entry=0xf7a6d0e0, obj=..., obj@entry=..., receiver=receiver@entry=..., shape=shape@entry=..., vp=vp@entry=...) at js/src/vm/NativeObject.cpp:1566
#75 0x081c2b46 in GetExistingProperty<(js::AllowGC)1> (vp=..., shape=..., obj=..., receiver=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.cpp:1618
#76 NativeGetPropertyInline<(js::AllowGC)1> (vp=..., nameLookup=NotNameLookup, id=..., receiver=..., obj=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.cpp:1832
#77 js::NativeGetProperty (cx=0xf7a6d0e0, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:1866
#78 0x082ded2d in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.h:1411
#79 js::jit::ComputeGetPropResult (cx=cx@entry=0xf7a6d0e0, frame=frame@entry=0xf5efe990, op=op@entry=JSOP_GETPROP, name=name@entry=..., val=val@entry=..., res=res@entry=...) at js/src/jit/BaselineIC.cpp:7582
#80 0x08339599 in js::jit::DoGetPropFallback (cx=<optimized out>, frame=frame@entry=0xf5efe990, stub_=stub_@entry=0xf7a220a0, val=val@entry=..., res=res@entry=...) at js/src/jit/BaselineIC.cpp:7647
#81 0x0845ecc9 in js::jit::Simulator::softwareInterrupt (this=0xf7a6c000, instr=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:2166
#82 0x0845f3bd in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:3272
#83 0x0845f6fc in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:4191
#84 0x08461de4 in execute<false> (this=0xf7a6c000) at js/src/jit/arm/Simulator-arm.cpp:4246
#85 js::jit::Simulator::callInternal (this=this@entry=0xf7a6c000, entry=entry@entry=0xf7fc8db0 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4334
#86 0x08461ff6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8db0 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#87 0x0839b039 in EnterIon (data=..., cx=0xf7a6d0e0) at js/src/jit/Ion.cpp:2389
#88 js::jit::IonCannon (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/jit/Ion.cpp:2471
#89 0x081c16be in js::RunScript (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/vm/Interpreter.cpp:657
#90 0x081c1806 in js::Invoke (cx=cx@entry=0xf7a6d0e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746
#91 0x081c22ab in js::Invoke (cx=cx@entry=0xf7a6d0e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:783
#92 0x081c242e in js::InvokeGetter (cx=cx@entry=0xf7a6d0e0, obj=0xf5c98040, fval=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:852
#93 0x081c24a2 in CallGetter (cx=cx@entry=0xf7a6d0e0, obj=..., obj@entry=..., receiver=receiver@entry=..., shape=shape@entry=..., vp=vp@entry=...) at js/src/vm/NativeObject.cpp:1566
#94 0x081c2b46 in GetExistingProperty<(js::AllowGC)1> (vp=..., shape=..., obj=..., receiver=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.cpp:1618
#95 NativeGetPropertyInline<(js::AllowGC)1> (vp=..., nameLookup=NotNameLookup, id=..., receiver=..., obj=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.cpp:1832
#96 js::NativeGetProperty (cx=0xf7a6d0e0, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:1866
#97 0x082ded2d in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.h:1411
#98 js::jit::ComputeGetPropResult (cx=cx@entry=0xf7a6d0e0, frame=frame@entry=0xf5efeaa0, op=op@entry=JSOP_GETPROP, name=name@entry=..., val=val@entry=..., res=res@entry=...) at js/src/jit/BaselineIC.cpp:7582
#99 0x08339599 in js::jit::DoGetPropFallback (cx=<optimized out>, frame=frame@entry=0xf5efeaa0, stub_=stub_@entry=0xf7a220a0, val=val@entry=..., res=res@entry=...) at js/src/jit/BaselineIC.cpp:7647
#100 0x0845ecc9 in js::jit::Simulator::softwareInterrupt (this=0xf7a6c000, instr=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:2166
#101 0x0845f3bd in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:3272
#102 0x0845f6fc in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:4191
#103 0x08461de4 in execute<false> (this=0xf7a6c000) at js/src/jit/arm/Simulator-arm.cpp:4246
#104 js::jit::Simulator::callInternal (this=this@entry=0xf7a6c000, entry=entry@entry=0xf7fc8eb8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4334
#105 0x08461ff6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8eb8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#106 0x082c68da in EnterBaseline (cx=cx@entry=0xf7a6d0e0, data=...) at js/src/jit/BaselineJIT.cpp:124
#107 0x082f2589 in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/jit/BaselineJIT.cpp:156
#108 0x081c13c5 in js::RunScript (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/vm/Interpreter.cpp:667
#109 0x081c1806 in js::Invoke (cx=cx@entry=0xf7a6d0e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746
#110 0x081c22ab in js::Invoke (cx=cx@entry=0xf7a6d0e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:783
#111 0x081c242e in js::InvokeGetter (cx=cx@entry=0xf7a6d0e0, obj=0xf5c98040, fval=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:852
#112 0x081c24a2 in CallGetter (cx=cx@entry=0xf7a6d0e0, obj=..., obj@entry=..., receiver=receiver@entry=..., shape=shape@entry=..., vp=vp@entry=...) at js/src/vm/NativeObject.cpp:1566
#113 0x081c2b46 in GetExistingProperty<(js::AllowGC)1> (vp=..., shape=..., obj=..., receiver=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.cpp:1618
#114 NativeGetPropertyInline<(js::AllowGC)1> (vp=..., nameLookup=NotNameLookup, id=..., receiver=..., obj=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.cpp:1832
#115 js::NativeGetProperty (cx=0xf7a6d0e0, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:1866
#116 0x082ded2d in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0xf7a6d0e0) at js/src/vm/NativeObject.h:1411
#117 js::jit::ComputeGetPropResult (cx=cx@entry=0xf7a6d0e0, frame=frame@entry=0xf5efebb0, op=op@entry=JSOP_GETPROP, name=name@entry=..., val=val@entry=..., res=res@entry=...) at js/src/jit/BaselineIC.cpp:7582
#118 0x08339599 in js::jit::DoGetPropFallback (cx=<optimized out>, frame=frame@entry=0xf5efebb0, stub_=stub_@entry=0xf7a220a0, val=val@entry=..., res=res@entry=...) at js/src/jit/BaselineIC.cpp:7647
#119 0x0845ecc9 in js::jit::Simulator::softwareInterrupt (this=0xf7a6c000, instr=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:2166
#120 0x0845f3bd in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:3272
#121 0x0845f6fc in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f94) at js/src/jit/arm/Simulator-arm.cpp:4191
#122 0x08461de4 in execute<false> (this=0xf7a6c000) at js/src/jit/arm/Simulator-arm.cpp:4246
#123 js::jit::Simulator::callInternal (this=this@entry=0xf7a6c000, entry=entry@entry=0xf7fc8eb8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4334
#124 0x08461ff6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8eb8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#125 0x082c68da in EnterBaseline (cx=cx@entry=0xf7a6d0e0, data=...) at js/src/jit/BaselineJIT.cpp:124
#126 0x082f2589 in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/jit/BaselineJIT.cpp:156
#127 0x081c13c5 in js::RunScript (cx=0xf7a6d0e0, state=...) at js/src/vm/Interpreter.cpp:667

Registers:

eax 0x49494949 1229539657
ebx 0x933940c 154375180
ecx 0xf7a102b0 -140442960
edx 0x0 0
esi 0xfffeb5e0 -84512
edi 0xf7a014c0 -140503872
ebp 0xfffeb168 4294881640
esp 0xfffeac90 4294880400
eip 0x8514783 <JSScript::scriptSource() const+35>

=> 0x8514783 <JSScript::scriptSource() const+35>: mov 0x34(%eax),%eax
0x8514786 <JSScript::scriptSource() const+38>: mov %eax,(%esp)

Requires an optimized build, marking s-s due to the crash address looking like a poison pattern of some sort.
Comment 1•9 years ago
is 0x4949494949 some kind of new poisoning value? suspicious otherwise
Flags: needinfo?(terrence)
Keywords: sec-high
Comment 2•9 years ago
According to js/Utility.h, this is JS_MOVED_TENURED_PATTERN. Forwarding to Jon.
Flags: needinfo?(terrence) → needinfo?(jcoppeard)
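The reporter's observation that 0x49494949 "looks like a poison pattern", and comment 2's identification of 0x49 as JS_MOVED_TENURED_PATTERN, is the kind of check a fuzzing triage script can make mechanically before a human looks at the crash. The following is an added example written for this page, not code from this bug, from JSBugMon or from Mozilla: it parses a constructed gdb excerpt modelled on the backtrace above, finds the base register of the faulting instruction's memory operand, looks that register up in the register dump, and reports whether it holds one byte repeated across the word. The 0x49 entry in the poison table comes from comment 2; the other entries are values I recall from js/public/Utility.h and are an assumption to verify against the tree being triaged.

```python
"""Crash-triage helper (added example): does the faulting register hold a
SpiderMonkey poison pattern? Not code from this bug, JSBugMon or Mozilla."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed gdb excerpt modelled on the report above (trimmed to four frames).
SAMPLE_GDB_OUTPUT = """\
Program received signal SIGSEGV, Segmentation fault.
0x08514783 in scriptSourceUnwrap (this=0x49494949) at js/src/jsscript.cpp:1222
#0  0x08514783 in scriptSourceUnwrap (this=0x49494949) at js/src/jsscript.cpp:1222
#1  JSScript::scriptSource (this=0x49494949) at js/src/jsscript.cpp:1227
#2  0x083245ac in filename (this=<optimized out>) at js/src/jsscript.h:1466
#3  js::jit::BailoutIonToBaseline (cx=cx@entry=0xf7a6d0e0, iter=...) at js/src/jit/BaselineBailouts.cpp:1431
eax            0x49494949    1229539657
ebx            0x933940c     154375180
esp            0xfffeac90    4294880400
eip            0x8514783     0x8514783 <JSScript::scriptSource() const+35>
=> 0x8514783 <JSScript::scriptSource() const+35>:    mov    0x34(%eax),%eax
"""

# Byte patterns SpiderMonkey writes over GC memory. 0x49 is the value comment 2
# attributes to JS_MOVED_TENURED_PATTERN in js/Utility.h; the others are recalled
# from the same header and are an assumption to verify against your tree.
POISON_PATTERNS: Dict[int, str] = {
    0x49: "JS_MOVED_TENURED_PATTERN",
    0x4B: "JS_SWEPT_TENURED_PATTERN",
    0x4F: "JS_FRESH_TENURED_PATTERN",
    0x2B: "JS_SWEPT_NURSERY_PATTERN",
    0x2F: "JS_FRESH_NURSERY_PATTERN",
}

FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.+?) \((.*)\) at (\S+)$")
REG_RE = re.compile(r"^(e[abcd]x|e[sd]i|e[bs]p|eip)\s+(0x[0-9a-f]+)")
INSN_RE = re.compile(r"^=>\s+0x[0-9a-f]+\s+<[^>]*>:\s+(\S+)\s+(.*)$")
MEMOP_RE = re.compile(r"(-?0x[0-9a-f]+)?\((%\w+)")  # AT&T "disp(%base" operand


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class Triage:
    signal: Optional[str]
    top_function: Optional[str]
    fault_register: Optional[str]
    fault_value: Optional[int]
    effective_address: Optional[int]
    poison_byte: Optional[int]
    poison_name: Optional[str]


def parse_frames(text: str) -> List[Frame]:
    """One Frame per '#N ... at file:line' backtrace line."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(4)))
    return frames


def parse_registers(text: str) -> Dict[str, int]:
    """Register dump lines ('eax  0x49494949  1229539657') to name -> value."""
    return {m.group(1): int(m.group(2), 16)
            for m in map(REG_RE.match, text.splitlines()) if m}


def repeated_byte(value: int, width: int = 4) -> Optional[int]:
    """The byte if `value` is a single byte repeated `width` times, else None."""
    b = value & 0xFF
    return b if value == int.from_bytes(bytes([b]) * width, "little") else None


def triage(text: str) -> Triage:
    sig = re.search(r"received signal (\w+)", text)
    frames = parse_frames(text)
    regs = parse_registers(text)
    insn = next((INSN_RE.match(ln) for ln in text.splitlines() if ln.startswith("=>")), None)
    reg = value = ea = pb = None
    if insn:
        # Base register of the faulting instruction's memory operand; with
        # "mov 0x34(%eax),%eax" the load reads from eax + 0x34.
        mem = MEMOP_RE.search(insn.group(2))
        if mem and mem.group(2).lstrip("%") in regs:
            reg = mem.group(2).lstrip("%")
            value = regs[reg]
            disp = int(mem.group(1), 16) if mem.group(1) else 0
            ea = (value + disp) & 0xFFFFFFFF
            pb = repeated_byte(value)
    name = POISON_PATTERNS.get(pb) if pb is not None else None
    return Triage(sig.group(1) if sig else None,
                  frames[0].function if frames else None, reg, value, ea, pb, name)


if __name__ == "__main__":
    print(triage(SAMPLE_GDB_OUTPUT))
```

On the sample this reports eax = 0x49494949, effective address 0x4949497d and JS_MOVED_TENURED_PATTERN, which is the signal for routing a report to the GC owners as a possible use of a moved or freed object rather than filing it as a plain null dereference. A crash address that is not a repeated byte gets no poison name and needs the usual manual look.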
Comment 3•9 years ago
decoder, I can't reproduce this one. Do you have any other similar testcases that fail like this? BTW this shares many features with bug 1135707 so I'm hopeful it's duplicate of that.
Flags: needinfo?(choller)
Updated•9 years ago
Group: javascript-core-security
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 4•9 years ago
JSBugMon: Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d96d552ff899
user: Jan de Mooij
date: Wed Feb 11 14:42:01 2015 +0100
summary: Bug 1129382 - Add Ion ICs for scripted getters/setters. r=efaust,nbp,djvj

This iteration took 1.000 seconds to run.
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 5•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision e94dc650c901).
Updated•9 years ago
Flags: needinfo?(choller)
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Updated•9 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 7•9 years ago
JSBugMon: Fix Bisection requested, failed due to error (try manually).
Comment 8•9 years ago
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/fa16d24d530f
user: Nicolas B. Pierron
date: Mon Mar 02 14:33:14 2015 -0800
summary: Bug 1010556 - Bump ASAN kTrustedScriptBuffer constant, to account for the new frame size. r=bholley

Nicolas, is bug 1010556 a likely fix?
Flags: needinfo?(nicolas.b.pierron)
Comment 9•9 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #8)
> autoBisect shows this is probably related to the following changeset:
>
> The first good revision is:
> changeset: https://hg.mozilla.org/mozilla-central/rev/fa16d24d530f
> user: Nicolas B. Pierron
> date: Mon Mar 02 14:33:14 2015 -0800
> summary: Bug 1010556 - Bump ASAN kTrustedScriptBuffer constant, to
> account for the new frame size. r=bholley
>
> Nicolas, is bug 1010556 a likely fix?

Are you testing with the JS Shell or with the XPC shell? If this is the JS shell, then I have no idea why this patch would be the first good revision.
Flags: needinfo?(nicolas.b.pierron) → needinfo?(gary)
Comment 10•9 years ago
The js shell. The testcase might have been intermittent then.
Flags: needinfo?(gary)
Comment 11•9 years ago
Comment 4 suggests this might be related to a patch you landed. Can we close this as incomplete or does it need to be investigated further? Thanks.
Flags: needinfo?(jdemooij)
Comment 12•9 years ago
decoder are you still seeing this signature? I can try to repro at the original revision but it'd be good to know if this still happens.
Flags: needinfo?(choller)
Comment 13•9 years ago
(In reply to Jon Coppeard (:jonco) from comment #3)
> BTW this shares many features with bug 1135707 so I'm hopeful it's duplicate
> of that.

Yes, I can reproduce this at the original revision so I just did a bisect:

The first good revision is:
changeset: 244634:9571f765357d
user: Jon Coppeard <jcoppeard@mozilla.com>
date: Wed May 20 10:30:46 2015 +0100
summary: Bug 1135707 - Fix interaction between Arm NOP fill and calculation of IonCache rejoin label r=jandem

The other ones in this bug look bogus, probably because the crash is intermittent.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Updated•9 years ago
Flags: needinfo?(choller)
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: javascript-core-security, core-security-release