Closed Bug 690376 Opened 13 years ago Closed 13 years ago

Crash [@ JSObject::nonNativeSetProperty]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla10
Tracking Flags:
Tracking Status
firefox8 --- unaffected
firefox9 + fixed
firefox10 + fixed
firefox11 --- fixed
status1.9.2 --- unaffected

People

(Reporter: gkw, Assigned: bhackett1024)

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?][qa-] js-triage-needed)

Attachments

(2 files)

stack
4.19 KB, text/plain
Details
patch
981 bytes, patch
dvander
: review+
curtisk
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Attached file stack
(function() { function b(c) { if (c) u = function() {}; this.x = /x/; switch (c) { case 4: case 6: } this.r = {} } for each(let a in [ new Boolean(true), 0, new Boolean(true), function() {}, new Boolean(true), new Boolean(true), function() {}, function() {}, function() {} ]) { try { new b(a)(); } catch (e) {} } })() crashes js opt shell 64-bit on Mac 10.6 on JM changeset 44ef245b8706 with -m, -a and -j at JSObject::nonNativeSetProperty. Testcase should be passed in as a CLI argument to reproduce. The $pc value seems to be accessing register r11 at a scary address 0xf1c6d7e000000001 so locking s-s till shown otherwise.
Crashes m-c changeset dbb129f069b1 64-bit js shell too, with possibly-related-but-not-really-identical stack.
Attached patch patchSplinter Review
Codegen bug in JM+TM interaction, introduced in the TI merge I think. JM+TM can enter jitcode at any opcode marked as a safe point, but JM did not guarantee this for safe points that are not the targets of a jump.
Assignee: general → bhackett1024
Attachment #565069 - Flags: review?(dvander)
Whiteboard: js-triage-needed → [sg:critical?] js-triage-needed
Attachment #565069 - Flags: review?(dvander) → review+
Gary: does this crash affect Beta (Firefox 8)? Given the patch (if .. !typeInferenceEnabled()) maybe it does, then again this could have been completely different code prior to the TI landing.
status-firefox10: --- → affected
status-firefox9: --- → affected
tracking-firefox10: --- → +
tracking-firefox8: --- → ?
tracking-firefox9: --- → +
Keywords: regression, regressionwindow-wanted
https://hg.mozilla.org/mozilla-central/rev/e456bef5839b
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
(In reply to Daniel Veditz from comment #4) > Gary: does this crash affect Beta (Firefox 8)? Given the patch (if .. > !typeInferenceEnabled()) maybe it does, then again this could have been > completely different code prior to the TI landing. I have to hold off testing on this, as the minis are in boxes and soon-to-be shipping..
bhackett: do you know the answer to comment 4?
(In reply to Daniel Veditz from comment #7) > bhackett: do you know the answer to comment 4? This should not affect Firefox 8 or earlier. The bug is caused by doing cross-branch register allocation when we shouldn't (when JM+TM is enabled), this kind of register allocation was introduced with the TI merge.
Attachment #565069 - Flags: approval-mozilla-aurora?
Attachment #565069 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
tracking-firefox8: ? → ---
Target Milestone: --- → mozilla10
Can someone who is already set up to reproduce this bug please verify the fix?
Whiteboard: [sg:critical?] js-triage-needed → [sg:critical?][qa-] js-triage-needed
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #10) > Can someone who is already set up to reproduce this bug please verify the > fix? Verified fixed on 64-bit debug and opt builds on Mac 10.6 on m-c changeset bc48009a6bbb.
Status: RESOLVED → VERIFIED
Group: core-security
Bug involving TM, but TM is already removed, in-testsuite-.
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: