Closed
Bug 1166993
Opened 10 years ago
Closed 10 years ago
Crash [@ js::jit::AssemblerX86Shared::jmpSrc]
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox40 | --- | unaffected |
| firefox41 | --- | verified |
| firefox-esr38 | --- | unaffected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:])
Crash Data
The following testcase crashes on mozilla-central revision ac277e615f8f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

```js
function Thing(a, b) {
  this.a = a;
}
var array = [];
for (var i = 0; i < 10000; i++)
  array.push(new Thing(i, i + 1));
var proto = new Thing((/\u00e4/ ), 2);
```
Backtrace:

```text
Program received signal SIGSEGV, Segmentation fault.
js::jit::AssemblerX86Shared::jmpSrc (this=0x7fffffffbb60, label=0x0) at js/src/jit/x86-shared/Assembler-x86-shared.h:831
#0 js::jit::AssemblerX86Shared::jmpSrc (this=0x7fffffffbb60, label=0x0) at js/src/jit/x86-shared/Assembler-x86-shared.h:831
#1 0x00000000009f171b in jmp (label=0x0, this=0x7fffffffbb60) at js/src/jit/x86-shared/Assembler-x86-shared.h:882
#2 jump (label=0x0, this=0x7fffffffbb60) at js/src/jit/x86-shared/MacroAssembler-x86-shared.h:658
#3 js::jit::MacroAssembler::storeUnboxedProperty<js::jit::Address> (this=this@entry=0x7fffffffbb60, address=..., type=type@entry=JSVAL_TYPE_INT32, value=..., failure=0x0) at js/src/jit/MacroAssembler.cpp:902
#4 0x0000000000929ded in GenerateSetUnboxed (checkTypeset=true, value=..., object=..., unboxedType=JSVAL_TYPE_INT32, unboxedOffset=0, id=..., obj=<optimized out>, attacher=..., masm=..., cx=0x7ffff691b4e0) at js/src/jit/IonCaches.cpp:3082
#5 js::jit::SetPropertyIC::attachSetUnboxed (this=this@entry=0x7ffff69ba210, cx=cx@entry=0x7ffff691b4e0, outerScript=..., outerScript@entry=..., ion=ion@entry=0x7ffff69ba000, obj=..., obj@entry=..., id=..., id@entry=..., unboxedOffset=0, unboxedType=JSVAL_TYPE_INT32, checkTypeset=true) at js/src/jit/IonCaches.cpp:3102
#6 0x000000000092b01e in js::jit::SetPropertyIC::update (cx=0x7ffff691b4e0, outerScript=..., cacheIndex=<optimized out>, obj=..., value=...) at js/src/jit/IonCaches.cpp:3251
#7 0x00007ffff7fea1cd in ?? ()
#8 0x00ff000000000000 in ?? ()
#9 0x00007fffffffc8d8 in ?? ()
#10 0x0000000000000000 in ?? ()
rax 0x7fffffffba58 140737488337496
rbx 0x7fffffffbb60 140737488337760
rcx 0x0 0
rdx 0xffffffffffbf2ddc -4248100
rsi 0x0 0
rdi 0x7fffffffbb60 140737488337760
rbp 0x7fffffffb980 140737488337280
rsp 0x7fffffffb950 140737488337232
r8 0x2 2
r9 0x7fffffffb930 140737488337200
r10 0x19ebcc0 27180224
r11 0x7ffff693c168 140737330266472
r12 0x0 0
r13 0x2 2
r14 0x0 0
r15 0x7fffffffbaa0 140737488337568
rip 0x59c8f3 <js::jit::AssemblerX86Shared::jmpSrc(js::jit::Label*)+19>
=> 0x59c8f3 <js::jit::AssemblerX86Shared::jmpSrc(js::jit::Label*)+19>: cmpb $0x0,0x3(%rsi)
0x59c8f7 <js::jit::AssemblerX86Shared::jmpSrc(js::jit::Label*)+23>: js 0x59c9e0 <js::jit::AssemblerX86Shared::jmpSrc(js::jit::Label*)+256>
```
Marking s-s because this is a crash in the assembler. If this is the only way this can crash/turn out, then it's probably safe.
Updated by Reporter, 10 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1, Reporter, 10 years ago

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c112db453761
user: Brian Hackett
date: Thu May 14 16:36:37 2015 -0600
summary: Bug 1162199 - Use unboxed objects by default, r=jandem.
This iteration took 191.759 seconds to run.
Updated by Reporter, 10 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 2, Reporter, 10 years ago

JSBugMon: The testcase found in this bug no longer reproduces (tried revision b9424d63fe35).
Comment 3, 10 years ago

This is likely a duplicate of Bug 1166700
Comment 4, Reporter, 10 years ago

Bisecting fix to confirm comment 3.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Updated by Reporter, 10 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 6, Reporter, 10 years ago

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/99362f37ebc3
user: Brian Hackett
date: Wed May 20 10:07:30 2015 -0600
summary: Bug 1166700 - Tolerate null failures targets when storing to an unboxed object must fail, r=jandem.
This iteration took 182.584 seconds to run.
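The shape of this bug, as an added model that is not SpiderMonkey code and not part of this report: the backtrace shows storeUnboxedProperty called with failure=0x0 and then jump(label=0x0), with rsi=0 at the faulting cmpb, and the fix summary says the store "must fail" while the failure target is null. The model below has an emitter that treats its failure label as optional on the "cannot fail" path but dereferences it unconditionally on the "must fail" path, next to a variant that tolerates a null target. All type and function names are hypothetical stand-ins for the ones in the trace; the tolerant handling (emit a trap, or refuse to generate the stub) is one option chosen here and is not claimed to be what bug 1166700 actually did.

```cpp
// Added illustrative model (not SpiderMonkey code): an emitter whose optional
// 'failure' label is dereferenced on the must-fail path, beside a variant that
// tolerates a null target. Names mirror the backtrace but are hypothetical.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// A jump target that may be bound later, loosely modelled on js::jit::Label.
struct Label {
    std::vector<size_t> uses;   // code offsets of jumps that reference this label
};

// Stand-in for JSVAL_TYPE_*: the slot's unboxed type and the value's static type.
enum class ValType { Int32, Double, String, Object, Unknown };

static std::string typeName(ValType t) {
    switch (t) {
        case ValType::Int32:  return "int32";
        case ValType::Double: return "double";
        case ValType::String: return "string";
        case ValType::Object: return "object";
        default:              return "unknown";
    }
}

struct Assembler {
    std::vector<std::string> code;   // emitted pseudo-instructions

    // Models AssemblerX86Shared::jmpSrc, which reads through the label without
    // a null check (the crash site, label=0x0). The model throws instead of
    // faulting so the failure mode is observable in a test.
    void jump(Label* target) {
        if (target == nullptr)
            throw std::logic_error("jump(): null label");
        target->uses.push_back(code.size());
        code.push_back("jmp label");
    }
    void breakpoint() { code.push_back("int3"); }
    void storeSlot(ValType slot) { code.push_back("mov [slot], " + typeName(slot)); }
    // Runtime type guard: branch to 'target' if the value is not of type 'slot'.
    void branchNotType(ValType slot, Label* target) {
        code.push_back("test value is " + typeName(slot));
        jump(target);   // same null dereference as an unconditional jump
    }
};

// Can a value of static type 'value' ever be stored in a slot of type 'slot'?
static bool mayMatch(ValType slot, ValType value) {
    return value == ValType::Unknown || value == slot;
}

// The pattern behind the crash: 'failure' is optional (a caller passes nullptr
// when it believes the store cannot fail), yet the must-fail path jumps to it
// unconditionally. In the testcase a RegExp is stored into 'a', a slot whose
// unboxed type was inferred as int32, so this path is taken.
bool storeUnboxedPropertyBuggy(Assembler& masm, ValType slot, ValType value, Label* failure) {
    if (!mayMatch(slot, value)) {
        masm.jump(failure);                  // crashes when failure == nullptr
        return true;
    }
    if (value == ValType::Unknown)
        masm.branchNotType(slot, failure);   // same assumption about 'failure'
    masm.storeSlot(slot);
    return true;
}

// One way to tolerate a null target (an assumption of this model, not
// necessarily what the actual fix did): when the store must fail and there is
// nowhere to jump, emit a trap; when a runtime guard is needed and no failure
// target exists, tell the caller the stub cannot be generated.
bool storeUnboxedPropertyTolerant(Assembler& masm, ValType slot, ValType value, Label* failure) {
    if (!mayMatch(slot, value)) {
        if (failure) masm.jump(failure);
        else         masm.breakpoint();      // unreachable by contract, crash-safe if not
        return true;
    }
    if (value == ValType::Unknown) {
        if (!failure) return false;          // caller must supply a target
        masm.branchNotType(slot, failure);
    }
    masm.storeSlot(slot);
    return true;
}

// Reproduces the bug's shape: storing an object into an int32 slot with no
// failure label. Returns true if the buggy emitter hit the null dereference.
bool buggyEmitterFaultsOnNullFailure() {
    Assembler masm;
    try {
        storeUnboxedPropertyBuggy(masm, ValType::Int32, ValType::Object, nullptr);
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}
```

The point a reviewer would take from the model is the one the reporter's s-s note hints at: the dereference happens inside the IC code generator at stub-attach time, not in the emitted code, so the failure is a compiler crash on a null internal pointer rather than a corruption of JIT output. The two tolerant responses differ in where the bug surfaces: a trap on the must-fail path keeps the stub but turns any later violation of the "cannot fail" contract into a controlled stop, while refusing to attach when a guard needs a target that is absent pushes the decision back to the caller that chose to pass null.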
Updated 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated by Reporter, 10 years ago
Status: RESOLVED → VERIFIED
Comment 7, Reporter, 10 years ago

JSBugMon: This bug has been automatically verified fixed.
Updated 10 years ago
Group: core-security → core-security-release
Updated 10 years ago
status-firefox40: --- → unaffected
status-firefox-esr38: --- → unaffected
Updated by Reporter, 10 years ago
Flags: needinfo?(choller)
Updated 10 years ago
Group: core-security-release