Closed Bug 605391 Opened 14 years ago Closed 14 years ago

Crash [@ js::PropertyCache::fullTest] or "Assertion failure: js_CodeSpec[op].length >= 1 + pcoff + UINT16_LEN," on ARM

Categories: Core :: JavaScript Engine, defect
Hardware: ARM
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED WORKSFORME
Tracking Status: blocking2.0 --- betaN+

People: Reporter: gkw, Assigned: cdleary

Details: 4 keywords, Whiteboard: [sg:critical?]

new (function (){})()

asserts js debug shell on TM changeset ca2fdf36985c with -m but without -j at Assertion failure: js_CodeSpec[op].length >= 1 + pcoff + UINT16_LEN, on ARM and crashes js opt shell at js::PropertyCache::fullTest

===

dbg:

(gdb) bt
#0  0x4004211c in raise () from /lib/vfp/libpthread.so.0
#1  0x00212400 in JS_Assert (s=0x3f4494 "js_CodeSpec[op].length >= 1 + pcoff + UINT16_LEN",
    file=0x3f40d0 "/mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-55678-ca2fdf36985c/compilePath/jsopcode.cpp", ln=155)
    at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-55678-ca2fdf36985c/compilePath/jsutil.cpp:83
#2  0x00159540 in js_GetIndexFromBytecode (cx=0x4d7af0, script=0x4e8910, pc=0x4e8968 "�", pcoff=0)
    at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-55678-ca2fdf36985c/compilePath/jsopcode.cpp:155
#3  0x001a3fb8 in GetAtomFromBytecode (cx=0x4d7af0, pc=0x4e8968 "�", op=JSOP_STOP, cs=@0x3f61d8)
    at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-55678-ca2fdf36985c/compilePath/jspropertycache.cpp:316
#4  0x001a42b0 in js::PropertyCache::fullTest (this=0x49534c, cx=0x4d7af0, pc=0x4e8968 "�", objp=0xbe84aee4, pobjp=0xbe84aedc, entry=0x4a2c3c)
    at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-55678-ca2fdf36985c/compilePath/jspropertycache.cpp:342
#5  0x002a3b58 in js::PropertyCache::test (this=0x49534c, cx=0x4d7af0, pc=0x4e8968 "�", obj=@0xbe84aee4, pobj=@0xbe84aedc, entry=@0xbe84aee0,
    atom=@0xbe84aed8) at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-55678-ca2fdf36985c/compilePath/jspropertycacheinlines.h:99
#6  0x003ad104 in InlineGetProp (f=@0xbe84af30) at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-55678-ca2fdf36985c/compilePath/methodjit/StubCalls.cpp:2039
#7  0x003ad720 in js::mjit::stubs::GetProp (f=@0xbe84af30)
    at /mnt/nth10sd/Desktop/jsfunfuzz-dbg-32-tm-55678-ca2fdf36985c/compilePath/methodjit/StubCalls.cpp:2076
#8  0x002f01a8 in JaegerStubVeneer ()
#9  0x4082c2d0 in ?? ()
Cannot access memory at address 0x60007a

opt:

(gdb) bt
#0  0x000ec4f0 in js::PropertyCache::fullTest ()
#1  0x0024fe70 in InlineGetProp ()
#2  0x002501c8 in js::mjit::stubs::GetProp ()
#3  0x001cbccc in JaegerStubVeneer ()
#4  0x4082c2d4 in ?? ()
Cannot access memory at address 0x60007a
blocking2.0: --- → ?
Keywords: crash
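The two backtraces above show the same failing path once the assertion frames in the debug build are set aside: the opt build dies directly in js::PropertyCache::fullTest, which is the frame later recorded as the crash signature. The following is an added example, not code from the bug report or from SpiderMonkey: a small parser for gdb "bt" output that joins continuation lines, extracts function names and source locations, derives a signature in the "[@ function]" style used on this page, and lists the frames two traces have in common. The sample traces are constructed, abridged copies of the ones quoted above (paths shortened, the unprintable pc byte replaced by "?"), and the set of frames skipped when choosing a signature (raise, abort, JS_Assert) is an assumption for the example rather than any crash pipeline's real skip list.

```python
"""Parse gdb 'bt' output into frames and derive a crash signature (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Frames that belong to the assertion/abort machinery rather than the crash site.
# Assumption for this example; real crash pipelines maintain their own skip lists.
SKIP_FRAMES = {"raise", "abort", "JS_Assert"}

# "#4  0x001a42b0 in js::PropertyCache::fullTest (this=..." -> number and function name
FRAME_START = re.compile(r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>[^(]+?)\s*\(")
# Trailing "at path:line" or "from path" on the (joined) frame text
LOCATION = re.compile(r"\b(?:at|from)\s+(?P<path>\S+?)(?::(?P<line>\d+))?\s*$")


@dataclass
class Frame:
    number: int
    function: str
    path: Optional[str]
    line: Optional[int]


def _group_frame_lines(text: str) -> List[str]:
    """Join each '#N ...' line with its indented continuation lines; drop other lines."""
    groups: List[str] = []
    for line in text.splitlines():
        if line.startswith("#"):
            groups.append(line.rstrip())
        elif groups and line[:1].isspace() and line.strip():
            groups[-1] += " " + line.strip()
        # "(gdb) bt" and "Cannot access memory ..." are not frames and are ignored
    return groups


def parse_backtrace(text: str) -> List[Frame]:
    frames: List[Frame] = []
    for chunk in _group_frame_lines(text):
        m = FRAME_START.match(chunk)
        if not m:
            continue
        loc = LOCATION.search(chunk)
        frames.append(Frame(
            number=int(m.group("num")),
            function=m.group("func").strip(),
            path=loc.group("path") if loc else None,
            line=int(loc.group("line")) if loc and loc.group("line") else None,
        ))
    return frames


def crash_signature(frames: List[Frame], skip=SKIP_FRAMES) -> str:
    """First frame that is neither reporting machinery nor an unresolved '??' frame."""
    for f in frames:
        if f.function in skip or f.function == "??":
            continue
        return f"[@ {f.function}]"
    return "[@ unknown]"


def common_frames(a: List[Frame], b: List[Frame]) -> List[str]:
    """Function names present in both traces, in the order they appear in the first."""
    names_b = {f.function for f in b}
    return [f.function for f in a if f.function in names_b and f.function != "??"]


# Constructed, abridged copy of the debug-shell backtrace from the report.
DEBUG_BT = """\
(gdb) bt
#0  0x4004211c in raise () from /lib/vfp/libpthread.so.0
#1  0x00212400 in JS_Assert (s=0x3f4494 "js_CodeSpec[op].length >= 1 + pcoff + UINT16_LEN",
    file=0x3f40d0 "compilePath/jsopcode.cpp", ln=155)
    at compilePath/jsutil.cpp:83
#2  0x00159540 in js_GetIndexFromBytecode (cx=0x4d7af0, script=0x4e8910, pc=0x4e8968 "?", pcoff=0)
    at compilePath/jsopcode.cpp:155
#3  0x001a3fb8 in GetAtomFromBytecode (cx=0x4d7af0, pc=0x4e8968 "?", op=JSOP_STOP, cs=@0x3f61d8)
    at compilePath/jspropertycache.cpp:316
#4  0x001a42b0 in js::PropertyCache::fullTest (this=0x49534c, cx=0x4d7af0, pc=0x4e8968 "?")
    at compilePath/jspropertycache.cpp:342
#5  0x003ad104 in InlineGetProp (f=@0xbe84af30) at compilePath/methodjit/StubCalls.cpp:2039
#6  0x003ad720 in js::mjit::stubs::GetProp (f=@0xbe84af30)
    at compilePath/methodjit/StubCalls.cpp:2076
#7  0x002f01a8 in JaegerStubVeneer ()
#8  0x4082c2d0 in ?? ()
Cannot access memory at address 0x60007a
"""

# Constructed copy of the opt-shell backtrace from the report.
OPT_BT = """\
(gdb) bt
#0  0x000ec4f0 in js::PropertyCache::fullTest ()
#1  0x0024fe70 in InlineGetProp ()
#2  0x002501c8 in js::mjit::stubs::GetProp ()
#3  0x001cbccc in JaegerStubVeneer ()
#4  0x4082c2d4 in ?? ()
Cannot access memory at address 0x60007a
"""

if __name__ == "__main__":
    dbg, opt = parse_backtrace(DEBUG_BT), parse_backtrace(OPT_BT)
    print("debug signature:", crash_signature(dbg))
    print("opt signature:  ", crash_signature(opt))
    print("shared frames:  ", common_frames(dbg, opt))
```

Run stand-alone, the script reports the opt signature as "[@ js::PropertyCache::fullTest]" (matching the Crash Signature field on this bug) and the debug signature as the first non-assertion frame, js_GetIndexFromBytecode; the shared-frame list makes it explicit that both shells fail on the same GetProp stub path.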
Some details of the stack might be weird output because it was copied from a MinGW shell from MozillaBuild.
Give the JM guys some time to diagnose before we open this.
Group: core-security
Assignee: general → cdleary
blocking2.0: ? → betaN+
Sure, when we get a chance, can you suggest a security rating?
Whiteboard: [sg:critical?]
When did this regress?
Gary, can you help find a regression range here?
WFM in a77a648a6f4c.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ js::PropertyCache::fullTest]
Group: core-security → core-security-release
Group: core-security-release