Closed
Bug 1238577
Opened 8 years ago
Closed 8 years ago
Crash [@ js::jit::AssertValidStringPtr] with OOM and ES6 Class
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1242279
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Crash Data
The following testcase crashes on mozilla-central revision 6020a4cb41a7 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-offthread-compile=off --ion-eager):

    var lfcode = new Array();
    lfcode.push("");
    oomTest(() => new class {}({ thisprops : gc() && delete addDebuggee.enabled }));
    for (var i = 0; i < 10000; ++i) {
      var file = lfcode.shift();
    }

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    js::jit::AssertValidStringPtr (cx=0x7ffff6907800, str=0x0) at js/src/jit/VMFunctions.cpp:1167
    #0  js::jit::AssertValidStringPtr (cx=0x7ffff6907800, str=0x0) at js/src/jit/VMFunctions.cpp:1167
    #1  0x00007ffff7fd30e0 in ?? ()
    #2  0x0000000000000001 in ?? ()
    #3  0x00007fffffffcd78 in ?? ()
    #4  0x00007ffff6907800 in ?? ()
    #5  0x0000000000000000 in ?? ()
    rax            0x7ece40            8310336
    rbx            0x0                 0
    rcx            0x7ffff6907800      140737330051072
    rdx            0x0                 0
    rsi            0x0                 0
    rdi            0x7ffff6907800      140737330051072
    rbp            0x7fffffffcd50      140737488342352
    rsp            0x7fffffffcd20      140737488342304
    r8             0xe6f46f            15135855
    r9             0xe75d76            15162742
    r10            0x7ffff3155750      140737271650128
    r11            0x7ffff695d1e8      140737330401768
    r12            0x7ffff6907800      140737330051072
    r13            0x0                 0
    r14            0x204               516
    r15            0x7ffff6907800      140737330051072
    rip            0x7ece6b            <js::jit::AssertValidStringPtr(JSContext*, JSString*)+43>
    => 0x7ece6b <js::jit::AssertValidStringPtr(JSContext*, JSString*)+43>:  mov    0xffff8(%r13),%rax
       0x7ece72 <js::jit::AssertValidStringPtr(JSContext*, JSString*)+50>:  cmp    %rax,(%rdi)

Marking s-s until investigated because the test uses GC and crash indicates that a string pointer might be invalid (although it looks like 0x0 in the trace).
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2•8 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d1b7ec38dedc
user:      Jan de Mooij
date:      Thu Jan 07 14:01:52 2016 +0100
summary:   Bug 1236546 - Don't deoptimize in ObjectGroup::defaultNewGroup when we have a null proto. r=bhackett

This iteration took 294.470 seconds to run.
Comment 4•8 years ago
JSBugMon is wrong; this is a much older TI OOM bug. The TypeScript::Monitor call in ArrayShiftDense is not invalidating the script, because we lost a freeze constraint. I verified the patch in bug 1242279 fixes this.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Flags: needinfo?(efaustbmo)
Resolution: --- → DUPLICATE
Updated•8 years ago
Updated•8 years ago
status-firefox45:
--- → fixed
status-firefox-esr45:
--- → fixed
Updated•7 years ago
Group: javascript-core-security