Closed Bug 1259913 Opened 9 years ago Closed 9 years ago

Crash [@ js::ConcatStrings<(js::AllowGC)0>] with gczeal and TypedArray

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1259490
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,bisect][adv-main48-])

Crash Data

The following testcase crashes on mozilla-central revision d5f3da0cfe7c (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe --thread-count=2 --arm-asm-nop-fill=1 --baseline-eager --arm-sim-icache-checks --ion-eager --arm-hwcap=vfp --ion-extra-checks):

gczeal(9, 1000);
var f32 = new Float32Array(10);
var i = 0;
for (var j = 0; j < 10000; - j) {
  f32[i + 1] = typeof i + 72964 + ("gsm");
}

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  js::ConcatStrings<(js::AllowGC)0> (cx=cx@entry=0xf7270020, left=left@entry=0xf51133b0, right=right@entry=0xf3723020) at js/src/vm/String.cpp:574
#1  0x086e3d1f in AddOperation (cx=0xf7270020, lhs=..., rhs=..., res=...) at js/src/vm/Interpreter.cpp:1341
#2  0x086e3fbb in js::AddValues (cx=<optimized out>, cx@entry=0xf7270020, lhs=..., lhs@entry=..., rhs=rhs@entry=..., res=res@entry=...) at js/src/vm/Interpreter.cpp:4388
#3  0x08447e08 in js::jit::DoBinaryArithFallback (cx=cx@entry=0xf7270020, payload=payload@entry=0xf53ffda8, stub_=stub_@entry=0xf39fc0f8, lhs=lhs@entry=..., rhs=rhs@entry=..., ret=ret@entry=...) at js/src/jit/SharedIC.cpp:934
#4  0x084fbfbe in js::jit::Simulator::softwareInterrupt (this=0xf7218000, instr=0xf7203bd4) at js/src/jit/arm/Simulator-arm.cpp:2380
[...]
#34 main (argc=11, argv=0xfff5b154, envp=0xfff5b184) at js/src/shell/js.cpp:7443

eax  0xf7270020  -148439008
ebx  0x988f438   159970360
ecx  0xffffff81  -127
edx  0xf51133b0  -183422032
esi  0xf51133b0  -183422032
edi  0xf3723020  -210620384
ebp  0xfff594d8  4294284504
esp  0xfff59480  4294284416
eip  0x87abea3   <js::ConcatStrings<(js::AllowGC)0>(js::ExclusiveContext*, js::MaybeRooted<JSString*, (js::AllowGC)0>::HandleType, js::MaybeRooted<JSString*, (js::AllowGC)0>::HandleType)+35>

=> 0x87abea3 <js::ConcatStrings<(js::AllowGC)0>(js::ExclusiveContext*, js::MaybeRooted<JSString*, (js::AllowGC)0>::HandleType, js::MaybeRooted<JSString*, (js::AllowGC)0>::HandleType)+35>:  testb $0x8,(%edi)
   0x87abea6 <js::ConcatStrings<(js::AllowGC)0>(js::ExclusiveContext*, js::MaybeRooted<JSString*, (js::AllowGC)0>::HandleType, js::MaybeRooted<JSString*, (js::AllowGC)0>::HandleType)+38>:  je 0x87ac1f0 <js::ConcatStrings<(js::AllowGC)0>(js::ExclusiveContext*, js::MaybeRooted<JSString*, (js::AllowGC)0>::HandleType, js::MaybeRooted<JSString*, (js::AllowGC)0>::HandleType)+880>

S-s and fuzzblocker due to frequent GC bug. Possibly related to bug 1259490, but has a different gczeal level and stack.
I reproduced and verified that this is fixed by bug 1259490.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][adv-main48-]
Group: javascript-core-security