Closed
Bug 528870
Opened 15 years ago
Closed 15 years ago
TM: Crash [@ TraceRecorder::slurpDownFrames] or "Assertion failure: traceMonitor->recorder == this, at ../jstracer.cpp"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Assigned: luke)
References
Details
(4 keywords, Whiteboard: [ccbr][sg:critical?], fixed-in-tracemonkey)
Crash Data
Attachments
(1 file)
|
1.35 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
eval("\
for each(x in [0, 0, Infinity, Infinity, 0, Infinity, new Boolean(true)]) { \
((function f(aaaaaa) {\
return aaaaaa.length == 0 ? 0 : aaaaaa[0] + f(aaaaaa.slice(1))\
})([x, new Number, /x/]))\
}\
")
crashes js opt shell at TraceRecorder::slurpDownFrames at 0xc0000097 and asserts js debug shell at Assertion failure: traceMonitor->recorder == this, at ../jstracer.cpp:2508 with -j on TM tip on 10.5.8.
Security-sensitive because this is crashing at a scary address in 32-bit in 10.5.8. It is apparently crashing near null in 64-bit in 10.6.2.
autoBisect shows this is probably related to bug 517174:
The first bad revision is:
changeset: 34686:81afd53646d4
user: Luke Wagner
date: Thu Nov 12 18:34:24 2009 -0800
summary: Bug 517174 - trace js_Invoke calls from natives (r=dvander)
|
Reporter | |
Comment 1•15 years ago
|
||
jsfunfuzz is hitting this fairly regularly. (Also assuming [sg:critical?] until otherwise known) 10.5.8 opt stack: Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000c0000097 Crashed Thread: 0 Thread 0 Crashed: 0 js-opt-tm-darwin 0x00115b57 TraceRecorder::slurpDownFrames(unsigned char*) + 23 1 js-opt-tm-darwin 0x00117e92 TraceRecorder::startRecorder(JSContext*, VMSideExit*, VMFragment*, TreeInfo*, unsigned int, unsigned int, JSTraceType_*, VMSideExit*, unsigned char*, unsigned int, RecordReason) + 434 2 js-opt-tm-darwin 0x00118258 __ZL19AttemptToExtendTreeP9JSContextP10VMSideExitS2_Ph + 920 3 js-opt-tm-darwin 0x0011a87b js_MonitorLoopEdge(JSContext*, unsigned int&, RecordReason) + 1307 4 js-opt-tm-darwin 0x00059923 js_Interpret + 46995 5 js-opt-tm-darwin 0x0005dfdc js_Execute + 444 6 js-opt-tm-darwin 0x00070dda __ZL8obj_evalP9JSContextP8JSObjectjPlS3_ + 2346 7 js-opt-tm-darwin 0x0005e824 js_Invoke + 1332 8 js-opt-tm-darwin 0x0004ec01 js_Interpret + 2673 9 js-opt-tm-darwin 0x0005dfdc js_Execute + 444 10 js-opt-tm-darwin 0x0000d1ac JS_ExecuteScript + 60 11 js-opt-tm-darwin 0x00003de5 __ZL7ProcessP9JSContextP8JSObjectPci + 1605 12 js-opt-tm-darwin 0x00007dd4 main + 2212 13 js-opt-tm-darwin 0x00001c5b _start + 209 14 js-opt-tm-darwin 0x00001b89 start + 41
Whiteboard: [ccbr][sg:critical?]
|
|
Assignee | |
Comment 2•15 years ago
|
||
This was written correctly at some point in time, but lost in a rebase. Righteous fuzzing, thanks!
|
|
||
Updated•15 years ago
|
Attachment #412624 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 3•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/13081eb1537d
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?], fixed-in-tracemonkey
|
||
Comment 4•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/13081eb1537d
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Updated•14 years ago
|
|
||
Updated•13 years ago
|
Crash Signature: [@ TraceRecorder::slurpDownFrames]
|
||
Comment 5•12 years ago
|
||
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
|
|
||
Comment 6•11 years ago
|
||
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•