Closed Bug 623854 Opened 14 years ago Closed 14 years ago

JM: Crash [@ js::mjit::EnterMethodJIT] or [@ js::mjit::JaegerShot]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 623474

People

(Reporter: gkw, Unassigned)

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr])

Crash Data

for each(let y in [Number, Number]) {
    try {
        "".length()
    } catch(e) {}
}

Crashes both debug and opt shells on TM changeset ca11457ed5fe with -m, at js::mjit::EnterMethodJIT and js::mjit::JaegerShot respectively.

s-s because unsure if this is bad.

opt console output:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x005e3528 in ?? ()
(gdb) bt
#0  0x005e3528 in ?? ()
#1  0x001d7a3a in js::mjit::JaegerShot ()
#2  0x0009640f in js::Execute ()
#3  0x00018e18 in JS_ExecuteScript ()
#4  0x00006774 in Process ()
#5  0x0000af22 in Shell ()
#6  0x0000b4bf in main ()
(gdb) x/i $eip
0x5e3528:       mov    (%esi),%esi
(gdb) x/b $esi
0x0:    Cannot access memory at address 0x0

dbg console output:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x014e3528 in ?? ()
(gdb) bt
#0  0x014e3528 in ?? ()
#1  0x00255882 in js::mjit::EnterMethodJIT (cx=0x70f740, fp=0x1010030, code=0x14e3044, stackLimit=0x109ca60) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/methodjit/MethodJIT.cpp:748
#2  0x002559a1 in CheckStackAndEnterMethodJIT (cx=0x70f740, fp=0x1010030, code=0x14e3044) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/methodjit/MethodJIT.cpp:774
#3  0x00255ac3 in js::mjit::JaegerShot (cx=0x70f740) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/methodjit/MethodJIT.cpp:791
#4  0x000e6055 in js::RunScript (cx=0x70f740, script=0x7123a0, fp=0x1010030) at jsinterp.cpp:654
#5  0x000e661b in js::Execute (cx=0x70f740, chain=0x1502028, script=0x7123a0, prev=0x0, flags=0, result=0xbffff6c0) at jsinterp.cpp:1024
#6  0x00023e9f in JS_ExecuteScript (cx=0x70f740, obj=0x1502028, script=0x7123a0, rval=0xbffff6c0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/jsapi.cpp:4932
#7  0x000168c8 in Process (cx=0x70f740, obj=0x1502028, filename=0x0, forceTTY=0) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:548
#8  0x00017386 in ProcessArgs (cx=0x70f740, obj=0x1502028, argv=0xbffff84c, argc=1) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:951
#9  0x000174c4 in Shell (cx=0x70f740, argc=1, argv=0xbffff84c, envp=0xbffff854) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:5464
#10 0x0001762b in main (argc=1, argv=0xbffff84c, envp=0xbffff854) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-tm-59849-ca11457ed5fe/compilePath/shell/js.cpp:5572

Group: core-security
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ js::mjit::EnterMethodJIT] [@ js::mjit::JaegerShot]
A testcase for this bug was already added in the original bug (bug 623474).
Flags: in-testsuite-