Closed
Bug 1175010
Opened 9 years ago
Closed 9 years ago
Assertion failure: v.isUndefined(), at jsnum.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED
FIXED
mozilla41
Flag | Tracking | Status
---|---|---
firefox40 | --- | unaffected
firefox41 | --- | fixed
firefox-esr31 | --- | unaffected
firefox-esr38 | --- | unaffected
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])
Attachments
(1 file) 2.34 KB, text/plain
f = function() {
    var Float64ArrayView = new Float64Array();
    function f() {
        Math.abs() + 1 > (objectEmulatingUndefined | !{});
        return Float64ArrayView[0];
    }
    return f;
}();
for (var j = 0; j < 9999; ++j) {
    f();
}
asserts js debug shell on m-c changeset cd0d976e5f5c with --fuzzing-safe --no-threads --baseline-eager at Assertion failure: v.isUndefined(), at jsnum.cpp.
Configure options:
LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build --32" -r cd0d976e5f5c
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e51492b08d25
user: Nicolas B. Pierron
date: Thu Jun 11 14:30:29 2015 +0200
summary: Bug 1165348 - Move Scalar Replacement after GVN. r=jandem
Setting s-s first because this seems to involve ArrayBuffers.
Nicolas, is bug 1165348 a likely regressor?
Flags: needinfo?(nicolas.b.pierron)
Reporter
Comment 1•9 years ago
(lldb) bt 5
* thread #1: tid = 0x2e2c49, 0x008a5630 js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::ToNumberSlow(cx=<unavailable>, v=<unavailable>, out=<unavailable>) + 656 at jsnum.cpp:1525, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x008a5630 js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::ToNumberSlow(cx=<unavailable>, v=<unavailable>, out=<unavailable>) + 656 at jsnum.cpp:1525
frame #1: 0x008a571d js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::ToNumberSlow(cx=0x01e92040, v=<unavailable>, out=0xbfffea70) + 45 at jsnum.cpp:1548
frame #2: 0x00764fbe js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::jit::GreaterThan(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, bool*) [inlined] JS::ToNumber(out=<unavailable>) + 462 at Conversions.h:126
frame #3: 0x00764f65 js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::jit::GreaterThan(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, bool*) + 336 at Interpreter-inl.h:720
frame #4: 0x00764e15 js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::jit::GreaterThan(cx=0x01e92040, lhs=JS::MutableHandleValue at 0xbfffeab4, rhs=JS::MutableHandleValue at 0xbfffeab8, res=<unavailable>) + 37 at VMFunctions.cpp:231
(lldb)
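A triage helper for findings like this one, added here as an example; it is not code from the bug report or from Mozilla's fuzzing tooling. It parses the assertion message from comment 0 and the lldb `bt 5` output from comment 1 into a structured record, derives a deduplication signature from the top distinct frames (treating an `[inlined]` callee as the executing function), and flags a fault address in the first page as a near-null access. The sample report text is constructed from those two comments; the signature format and the near-null threshold are choices made for this example, not a Mozilla convention.

```python
"""Crash-report triage for SpiderMonkey debug-shell fuzz findings.

Added example (not code from the bug report or from Mozilla): parses the
assertion line plus an lldb 'bt' dump into a structured record, derives a
deduplication signature from the top frames, and flags near-null faults.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the assertion message from comment 0 followed by the
# 'bt 5' output from comment 1, as a fuzzing harness would capture them.
SAMPLE_REPORT = """\
Assertion failure: v.isUndefined(), at jsnum.cpp
(lldb) bt 5
* thread #1: tid = 0x2e2c49, 0x008a5630 js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::ToNumberSlow(cx=<unavailable>, v=<unavailable>, out=<unavailable>) + 656 at jsnum.cpp:1525, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x008a5630 js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::ToNumberSlow(cx=<unavailable>, v=<unavailable>, out=<unavailable>) + 656 at jsnum.cpp:1525
    frame #1: 0x008a571d js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::ToNumberSlow(cx=0x01e92040, v=<unavailable>, out=0xbfffea70) + 45 at jsnum.cpp:1548
    frame #2: 0x00764fbe js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::jit::GreaterThan(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, bool*) [inlined] JS::ToNumber(out=<unavailable>) + 462 at Conversions.h:126
    frame #3: 0x00764f65 js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::jit::GreaterThan(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, bool*) + 336 at Interpreter-inl.h:720
    frame #4: 0x00764e15 js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::jit::GreaterThan(cx=0x01e92040, lhs=JS::MutableHandleValue at 0xbfffeab4, rhs=JS::MutableHandleValue at 0xbfffeab8, res=<unavailable>) + 37 at VMFunctions.cpp:231
"""

ASSERT_RE = re.compile(r"^Assertion failure: (?P<cond>.+), at (?P<loc>\S+)$", re.M)
STOP_RE = re.compile(r"stop reason = (?P<reason>[^\n]+)")
FAULT_ADDR_RE = re.compile(r"address=(?P<addr>0x[0-9a-fA-F]+)")
# One lldb frame line: optional '*' marker, index, PC, module`symbol + offset at file:line
FRAME_RE = re.compile(
    r"^\s*\*?\s*frame #(?P<idx>\d+): (?P<addr>0x[0-9a-fA-F]+) "
    r"(?P<module>[^`]+)`(?P<symbol>.+?) \+ (?P<offset>\d+) "
    r"at (?P<file>[^\s:]+):(?P<line>\d+)\s*$"
)
NEAR_NULL_LIMIT = 0x1000  # heuristic chosen here: faults in the first page read as null derefs


@dataclass
class Frame:
    index: int
    address: int
    module: str
    function: str
    offset: int
    file: str
    line: int


@dataclass
class CrashRecord:
    assertion: Optional[str]
    assertion_loc: Optional[str]
    stop_reason: Optional[str]
    fault_address: Optional[int]
    frames: List[Frame]


def function_name(symbol: str) -> str:
    """Name of the code actually executing in a frame. lldb prints
    '<outer>(...) [inlined] <inner>(...)' when the PC is inside an inlined
    callee; the inner function is where the faulting source line lives."""
    if "[inlined]" in symbol:
        symbol = symbol.split("[inlined]", 1)[1].strip()
    return symbol.split("(", 1)[0].strip()


def parse_report(text: str) -> CrashRecord:
    """Extract assertion, stop reason, fault address and frames from shell + lldb output."""
    m = ASSERT_RE.search(text)
    assertion = m.group("cond") if m else None
    assertion_loc = m.group("loc") if m else None
    m = STOP_RE.search(text)
    stop_reason = m.group("reason").strip() if m else None
    fault_address = None
    if stop_reason:
        a = FAULT_ADDR_RE.search(stop_reason)
        if a:
            fault_address = int(a.group("addr"), 16)
    frames: List[Frame] = []
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            frames.append(Frame(int(fm["idx"]), int(fm["addr"], 16), fm["module"],
                                function_name(fm["symbol"]), int(fm["offset"]),
                                fm["file"], int(fm["line"])))
    frames.sort(key=lambda f: f.index)
    return CrashRecord(assertion, assertion_loc, stop_reason, fault_address, frames)


def crash_signature(rec: CrashRecord, depth: int = 3) -> str:
    """Bucket key: collapse runs of the same function (recursion, inlined callee
    plus its container) and join the top `depth` distinct functions."""
    collapsed: List[str] = []
    for f in rec.frames:
        if not collapsed or collapsed[-1] != f.function:
            collapsed.append(f.function)
    return " <- ".join(collapsed[:depth])


def is_near_null(rec: CrashRecord) -> bool:
    """True when the faulting address falls inside the first page (heuristic)."""
    return rec.fault_address is not None and rec.fault_address < NEAR_NULL_LIMIT


if __name__ == "__main__":
    record = parse_report(SAMPLE_REPORT)
    print("assertion :", record.assertion, "at", record.assertion_loc)
    print("stop      :", record.stop_reason)
    print("signature :", crash_signature(record))
    print("near-null :", is_near_null(record))
```

Run on the constructed report, the signature is `js::ToNumberSlow <- JS::ToNumber <- js::jit::GreaterThan`, which buckets this finding with any other crash that reaches `ToNumberSlow` through the JIT's `GreaterThan` VM function regardless of the shell build hash or addresses, and the near-null flag captures the `address=0x0` in the stop reason.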
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 3•9 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 4•9 years ago
What does this assertion mean in terms of security? Is it a correctness assertion or a potential security bug?
status-firefox40:
--- → unaffected
status-firefox-esr31:
--- → unaffected
status-firefox-esr38:
--- → unaffected
Reporter
Comment 5•9 years ago
=== Treeherder Build Bisection Results by autoBisect ===
The "bad" changeset has the timestamp "20150617192341" and the hash "65703a2dc548".
The "good" changeset has the timestamp "20150617192541" and the hash "a8e0bde30bd4".
Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=65703a2dc548&tochange=a8e0bde30bd4
Shu-yu, is bug 1175397 a likely fix?
Flags: needinfo?(shu)
Comment 6•9 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #0)
> changeset: https://hg.mozilla.org/mozilla-central/rev/e51492b08d25
> summary: Bug 1165348 - Move Scalar Replacement after GVN. r=jandem
>
> Nicolas, is bug 1165348 a likely regressor?
Yes. But Bug 1165348 is backed out for the moment.
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> Likely fix window:
> https://hg.mozilla.org/integration/mozilla-inbound/
> pushloghtml?fromchange=65703a2dc548&tochange=a8e0bde30bd4
>
> Shu-yu, is bug 1175397 a likely fix?
Likely.
Flags: needinfo?(nicolas.b.pierron)
Reporter
Comment 7•9 years ago
Resolving FIXED by bug 1175397 as per comment 6.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(shu)
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Reporter
Updated•9 years ago
Flags: in-testsuite?
Reporter
Updated•9 years ago
Component: JavaScript Engine → JavaScript Engine: JIT
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release