Closed
Bug 1226816
Opened 8 years ago
Closed 8 years ago
Crash [@ ??] with --ion-shared-stubs=on
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla45
| Tracking | Status | |
|---|---|---|
| firefox45 | --- | fixed |
People
(Reporter: gkw, Assigned: h4writer)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
3.86 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 0b2b0570777f (build with --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager --ion-shared-stubs=on):
x = 1;
x;
function g(y) {}
g(this);
x = /x/;
function f() {
f(x.flags);
}
f();
Backtrace:
warning: core file may not match specified executable file.
[New LWP 7156]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/fuzz3lin/shell-cache/js-64-dm-linux-0b2b0570777f/js-64-dm-linux-0b2b05707'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007fa20dd4ceb4 in ?? ()
backtrace
#0 0x00007fa20dd4ceb4 in ?? ()
#1 0x0000000000000000 in ?? ()
info reg
rax 0x7fa20dc1af28 140333992226600
rbx 0x7fa20dd4cc6d 140333993479277
rcx 0xfffaffa20dc1af28 -1407778379682008
rdx 0x7ffda54a24d8 140727376553176
rsi 0x7fa20dc68f60 140333992546144
rdi 0x2002 8194
rbp 0x7ffda54a2610 0x7ffda54a2610
rsp 0x7ffda54a2518 0x7ffda54a2518
r8 0x7ffda54a2470 140727376553072
r9 0x1a 26
r10 0x3 3
r11 0x1fff3 131059
r12 0x0 0
r13 0x7ffda54a2a60 140727376554592
r14 0x7fa20dc7d100 140333992628480
r15 0x7fa20dd3f660 140333993424480
rip 0x7fa20dd4ceb4 0x7fa20dd4ceb4
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
x/8i $pc
=> 0x7fa20dd4ceb4: mov 0x18(%rdi),%rdi
0x7fa20dd4ceb8: jmpq *(%rdi)
0x7fa20dd4ceba: pop %rdi
0x7fa20dd4cebb: pop %rsi
0x7fa20dd4cebc: mov 0x8(%rdi),%rdi
0x7fa20dd4cec0: jmpq *(%rdi)
0x7fa20dd4cec2: push %rbp
0x7fa20dd4cec3: add (%rax),%al
thread apply all backtrace
Thread 1 (Thread 0x7fa20dd2c740 (LWP 7156)):
#0 0x00007fa20dd4ceb4 in ?? ()
#1 0x0000000000000000 in ?? ()
|
Reporter | |
Comment 1•8 years ago
|
||
=== Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151117080511" and the hash "fe34d01fb2ecb2dd4cda82e788cf7b541d5cbdb4". The "bad" changeset has the timestamp "20151117094304" and the hash "c6139e8bad12b756a178dd7eb005c82cf247bd43". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=fe34d01fb2ecb2dd4cda82e788cf7b541d5cbdb4&tochange=c6139e8bad12b756a178dd7eb005c82cf247bd43 Hannes, is bug 1214508 a likely regressor? Setting s-s because this seems to be crashing at a weird memory address, but note that it seems to require --ion-shared-stubs=on. This blocks fuzzing with --ion-shared-stubs=on as it does not have an easy signature to ignore.
|
|
Reporter | |
Updated•8 years ago
|
Summary: Crash [@ ??] → Crash [@ ??] with --ion-shared-stubs=on
|
Assignee | |
Updated•8 years ago
|
Group: javascript-core-security
Flags: needinfo?(hv1989)
|
|
Assignee | |
Comment 2•8 years ago
|
||
ICGetProp_CallScripted has code that only works in baseline. We shouldn't try to run it in IonMonkey. This will need refactoring to get this stub working in IM.
Assignee: nobody → hv1989
Attachment #8693050 -
Flags: review?(jdemooij)
|
||
Comment 3•8 years ago
|
||
Comment on attachment 8693050 [details] [diff] [review] Patch Review of attachment 8693050 [details] [diff] [review]: ----------------------------------------------------------------- Sorry for the delay.
Attachment #8693050 -
Flags: review?(jdemooij) → review+
|
||
Comment 5•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/0d88461fff1b
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
You need to log in
before you can comment on or make changes to this bug.
Description
•