Closed
Bug 667824
Opened 13 years ago
Closed 13 years ago
TM: Crash [@ js::TraceRecorder::record_NativeCallComplete] or "Assertion failure: pendingSpecializedNative,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla8
People
(Reporter: gkw, Assigned: luke)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [ccbr][fixed-in-tracemonkey])
Crash Data
Attachments
(2 files)
|
5.30 KB,
text/plain
|
Details | |
|
1.96 KB,
patch
|
Waldo
:
review+
|
Details | Diff | Splinter Review |
var x;
for (let a = 0; a < 8; a++) {
Function.prototype()
}
asserts js debug shell on TM changeset 208160c856b7 with -j at Assertion failure: pendingSpecializedNative, and crashes js opt shell with -j at js::TraceRecorder::record_NativeCallComplete
Examining the registers, seems to be a null deref but locking s-s just-to-be-safe.
(gdb) x/i $pc
0x1001b927e <_ZN2js13TraceRecorder25record_NativeCallCompleteEv+78>: mov 0x18(%rcx),%edx
(gdb) x/b $rcx
0x0: Cannot access memory at address 0x0(gdb) x/b $edx
Value can't be converted to integer.
autoBisect is running as I type.
|
Reporter | |
Comment 1•13 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 71128:ce10e78d030d user: Luke Wagner date: Tue Jun 14 16:36:13 2011 -0700 summary: Bug 664252 - Turn lemons (LLVM-only build bustage) into lemonade (rewrite JSOP_CALL/EVAL/NEW to have less goto madness) (r=waldo)
Blocks: 664252
|
|
Assignee | |
Comment 3•13 years ago
|
||
Simple fix. Thanks for the simple test-case Gary.
|
||
Comment 4•13 years ago
|
||
I reported this before in 666701. Is this the same issue?
|
|
Assignee | |
Comment 6•13 years ago
|
||
Oops, yes, I missed that.
|
||
Updated•13 years ago
|
Attachment #542526 -
Flags: review?(jwalden+bmo) → review+
|
|
Assignee | |
Comment 7•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/c1afc79e7676
Whiteboard: [ccbr] → [ccbr][fixed-in-tracemonkey]
|
||
Comment 8•13 years ago
|
||
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/c1afc79e7676
|
|
||
Updated•13 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
|
|
Reporter | |
Comment 9•13 years ago
|
||
This bug is nominated tracking-firefox7 because it fixes a crash that made it to mozilla-central. [@ js::TraceRecorder::record_NativeCallComplete]
tracking-firefox7:
--- → ?
|
|
Reporter | |
Comment 10•13 years ago
|
||
(In reply to comment #9) > This bug is nominated tracking-firefox7 because it fixes a crash that made > it to mozilla-central. [@ js::TraceRecorder::record_NativeCallComplete] Brendan mentions this particular bug should be taken: http://groups.google.com/group/mozilla.dev.tech.js-engine.internals/browse_thread/thread/626c85124555c0c9 From fuzzers' perspective, it fixes a bug that fuzzers find *really* easily. Luke will have to nominate the attachment with a risk analysis.
|
|
Assignee | |
Comment 11•13 years ago
|
||
Low-risk, should definitely take.
|
|
Assignee | |
Comment 12•13 years ago
|
||
(But I should also point out that its unexploitable and fuzzers will probably be the only thing that finds this)
|
|
Reporter | |
Updated•13 years ago
|
Attachment #542526 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Updated•13 years ago
|
Attachment #542526 -
Flags: approval-mozilla-aurora?
|
|
||
Comment 14•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•