Closed Bug 1264980 Opened 8 years ago Closed 8 years ago

Crash [@ js::TypeMonitorResult] or Crash [@ JSScript::maybeSweepTypes]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1264429
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,ignore][adv-main48-])


The following testcase crashes on mozilla-central revision 10f66b316457 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager):

try {
  gczeal(9,1000);
  function test() {
      f32 = Float32Array;
      for (var i = 0; i < 10000; ++i)
        f32[1 ^ 0 && this];
  }
  test()
} catch (exc274) {}
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::TypeMonitorResult (cx=cx@entry=0x7ffff6908800, script=0x7ffff7e74230, pc=0x7ffff697fd21 "7QV", rval=...) at js/src/vm/TypeInference.cpp:3262
#0  js::TypeMonitorResult (cx=cx@entry=0x7ffff6908800, script=0x7ffff7e74230, pc=0x7ffff697fd21 "7QV", rval=...) at js/src/vm/TypeInference.cpp:3262
#1  0x000000000070e977 in Monitor (rval=..., pc=<optimized out>, script=<optimized out>, cx=0x7ffff6908800) at js/src/vm/TypeInference-inl.h:552
#2  js::jit::GetPropertyIC::update (cx=0x7ffff6908800, outerScript=..., cacheIndex=<optimized out>, obj=..., idval=..., vp=...) at js/src/jit/IonCaches.cpp:2282
#3  0x00007ffff7fed5bf in ?? ()
#4  0x0000000000000000 in ?? ()
rax	0xf9f664	16381540
rbx	0x7ffff69409c8	140737330285000
rcx	0x7fffffffc138	140737488339256
rdx	0x7ffff697fd21	140737330543905
rsi	0x7ffff7e74230	140737352516144
rdi	0x7ffff6908800	140737330055168
rbp	0x7fffffffbfd0	140737488338896
rsp	0x7fffffffbfb0	140737488338864
r8	0x37	55
r9	0xffffc100	4294951168
r10	0x1b	27
r11	0x7fffffffc080	140737488339072
r12	0x7ffff694d000	140737330335744
r13	0x7ffff6908800	140737330055168
r14	0x1	1
r15	0x7fffffffc0a0	140737488339104
rip	0xb745ec <js::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&)+28>
=> 0xb745ec <js::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&)+28>:	cmpq   $0x1,0x78(%rsi)
   0xb745f1 <js::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&)+33>:	mov    0x70(%rsi),%rax


Crash address is bad in all crashes I've seen so far, marking s-s.
Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/002224165269
user:        Jon Coppeard
date:        Wed Apr 13 10:03:44 2016 +0100
summary:     Bug 1259180 - Compact arenas containing scripts r=terrence

This iteration took 218.903 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f5a97eb5c89a).
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main48-]
Blocks: 1259180
Group: javascript-core-security