Closed
Bug 1216132
Opened 9 years ago
Closed 9 years ago
Crash [@ js::jit::BaselineInspector::expectedPropertyAccessInputType] or Assertion failure: curEntry->pcOffset() == pcOffset && curEntry->isForOp(), at jit/BaselineJIT.cpp:649
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1215992
Release | Tracking | Status
---|---|---
firefox44 | --- | affected
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision d1a89632277f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --ion-eager):

```js
try {
  const SIZE_64_ARRAY = 8;
  each: while (SIZE_64_ARRAY < SIMD.length && bpe < SIZE_8_ARRAY)
    bpe *= SIMD[SIZE_64_ARRAY++];
} catch (exc0) {}
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
js::jit::BaselineInspector::expectedPropertyAccessInputType (this=0x7ffff32f8100, pc=<optimized out>) at js/src/jit/BaselineInspector.cpp:726
#0  js::jit::BaselineInspector::expectedPropertyAccessInputType (this=0x7ffff32f8100, pc=<optimized out>) at js/src/jit/BaselineInspector.cpp:726
#1  0x0000000000562557 in js::jit::IonBuilder::maybeUnboxForPropertyAccess (this=this@entry=0x7ffff32f8188, def=def@entry=0x7ffff32fc5a0) at js/src/jit/IonBuilder.cpp:10725
#2  0x00000000005772d8 in maybeUnboxForPropertyAccess (def=0x7ffff32fc5a0, this=0x7ffff32f8188) at js/src/jit/IonBuilder.cpp:10722
#3  js::jit::IonBuilder::jsop_getelem (this=0x7ffff32f8188) at js/src/jit/IonBuilder.cpp:8368
#4  0x000000000057996a in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff32f8188, op=op@entry=JSOP_GETELEM) at js/src/jit/IonBuilder.cpp:1961
#5  0x000000000057aa44 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff32f8188) at js/src/jit/IonBuilder.cpp:1517
#6  0x000000000057ae66 in js::jit::IonBuilder::build (this=0x7ffff32f8188) at js/src/jit/IonBuilder.cpp:913
#7  0x000000000042e7de in js::jit::IonCompile (cx=cx@entry=0x7ffff6907400, script=script@entry=0x7ffff7e64160, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2176
#8  0x0000000000591790 in js::jit::Compile (cx=cx@entry=0x7ffff6907400, script=script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2414
#9  0x0000000000591a7b in js::jit::CanEnter (cx=cx@entry=0x7ffff6907400, state=...) at js/src/jit/Ion.cpp:2576
#10 0x00000000007fa20d in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:701
#11 0x00000000007fc03b in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=evalInFrame@entry=..., result=<optimized out>, result@entry=0x0) at js/src/vm/Interpreter.cpp:1000
#12 0x00000000007fc404 in js::Execute (cx=cx@entry=0x7ffff6907400, script=script@entry=..., scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:1035
#13 0x00000000006cd7dd in ExecuteScript (cx=cx@entry=0x7ffff6907400, scope=..., scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4598
#14 0x00000000006cd8d5 in JS_ExecuteScript (cx=cx@entry=0x7ffff6907400, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4631
#15 0x000000000042644b in RunFile (compileOnly=false, file=0x7ffff32da400, filename=<optimized out>, cx=0x7ffff6907400) at js/src/shell/js.cpp:509
#16 Process (cx=cx@entry=0x7ffff6907400, filename=<optimized out>, forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:628
#17 0x0000000000436281 in ProcessArgs (op=0x7fffffffdb10, cx=0x7ffff6907400) at js/src/shell/js.cpp:5994
#18 Shell (envp=<optimized out>, op=0x7fffffffdb10, cx=0x7ffff6907400) at js/src/shell/js.cpp:6297
#19 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6654
rax 0x7ffff32dadd8 140737273245144
rbx 0x7ffff32f8100 140737273364736
rcx 0xbee0e0 12509408
rdx 0x31300000000 3380139261952
rsi 0x11 17
rdi 0xbee1c0 12509632
rbp 0x7ffff32fc5a0 140737273382304
rsp 0x7fffffffd140 140737488343360
r8  0x7ffff32daca8 140737273244840
r9  0xb2f0 45808
r10 0x7ffff6922520 140737330160928
r11 0x1e 30
r12 0x7ffff32f8188 140737273364872
r13 0x7ffff32f9a68 140737273371240
r14 0x0 0
r15 0x7ffff32f6b00 140737273359104
rip 0x50819c <js::jit::BaselineInspector::expectedPropertyAccessInputType(unsigned char*)+76>
=> 0x50819c <js::jit::BaselineInspector::expectedPropertyAccessInputType(unsigned char*)+76>: movzwl 0x12(%rdx),%eax
   0x5081a0 <js::jit::BaselineInspector::expectedPropertyAccessInputType(unsigned char*)+80>: shr    $0x3,%ax
```

S-s due to crash at weird memory address 0x31300000000.
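The reporter marks the bug security-sensitive because the faulting load goes through an address (0x31300000000) that does not look like a real pointer. The script below is an added example, not part of the bug report or SpiderMonkey, that automates that triage step: it parses a gdb register dump and the faulting instruction, computes the effective address, and classifies it with a heuristic assumed for an x86-64 Linux non-PIE shell build; the sample input is a constructed excerpt of the backtrace above.

```python
import re

# Constructed sample: a trimmed excerpt of this bug's gdb register dump and
# faulting instruction (a few registers only).
SAMPLE_GDB = """\
rax 0x7ffff32dadd8 140737273245144
rbx 0x7ffff32f8100 140737273364736
rcx 0xbee0e0 12509408
rdx 0x31300000000 3380139261952
rsi 0x11 17
rbp 0x7ffff32fc5a0 140737273382304
rip 0x50819c <js::jit::BaselineInspector::expectedPropertyAccessInputType(unsigned char*)+76>
=> 0x50819c <js::jit::BaselineInspector::expectedPropertyAccessInputType(unsigned char*)+76>: movzwl 0x12(%rdx),%eax
"""

REG_RE = re.compile(r"^(r[a-z0-9]+)\s+(0x[0-9a-f]+)", re.M)
# Faulting instruction line: "=> <addr> <symbol>: mnemonic [disp](%base),..."
INSN_RE = re.compile(r"^=>.*?>:\s*(\w+)\s+(-?0x[0-9a-f]+)?\(%(\w+)\)", re.M)

def parse_registers(text):
    """Map register name -> integer value from a gdb register dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}

def faulting_operand(text):
    """Return (mnemonic, displacement, base register) of the memory operand
    on the '=>' line, or None if there is no such operand."""
    m = INSN_RE.search(text)
    if not m:
        return None
    mnemonic, disp, base = m.groups()
    return mnemonic, int(disp, 16) if disp else 0, base

def classify_address(addr):
    """Heuristic (assumed layout: non-PIE binary at 0x400000, mmap/stack near
    0x7f..): near-NULL reads are usually plain null derefs; binary/brk-heap or
    mmap/stack addresses look like ordinary pointers; anything else, such as
    0x31300000000 here, suggests a non-pointer value used as a pointer."""
    if addr < 0x10000:
        return "null-page"
    if 0x400000 <= addr < 0x100000000 or 0x7F0000000000 <= addr < 0x800000000000:
        return "mapped-looking"
    return "unusual"

def triage(text):
    """Which register was dereferenced, the effective address, and a verdict."""
    regs = parse_registers(text)
    op = faulting_operand(text)
    if op is None or op[2] not in regs:
        return {"verdict": "no memory operand found"}
    mnemonic, disp, base = op
    ea = regs[base] + disp
    return {"mnemonic": mnemonic, "base_reg": base, "base_value": regs[base],
            "effective_addr": ea, "verdict": classify_address(ea)}
```

An "unusual" verdict is a prompt to look closer (here, rdx holds a value shaped like a tagged JS value rather than a pointer), not a proof of exploitability.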
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151016163631" and the hash "4690eec6b6583f4fd01b8b60be3ce6867d85ed78".
The "bad" changeset has the timestamp "20151016175031" and the hash "97e02e8d43a140b5389bd50acfd0bc33d1cd5aea".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4690eec6b6583f4fd01b8b60be3ce6867d85ed78&tochange=97e02e8d43a140b5389bd50acfd0bc33d1cd5aea
Comment 2•9 years ago
See bug 1215992.
Comment 3•9 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> See bug 1215992.

Yup, this is the same issue.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Group: javascript-core-security