
Crash [@ JSObject::nonNativeSetProperty]

VERIFIED FIXED in Firefox 9

Status


Core
JavaScript Engine
--
critical
VERIFIED FIXED
6 years ago
2 years ago

People

(Reporter: gkw, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Trunk
mozilla10
x86
Mac OS X
crash, regression, testcase
Points:
---
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox8 unaffected, firefox9+ fixed, firefox10+ fixed, firefox11 fixed, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical?][qa-] js-triage-needed)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 563425 [details]
stack

(function() {
    function b(c) {
        if (c) u = function() {};
        this.x = /x/;
        switch (c) {
        case 4:
        case 6:
        }
        this.r = {}
    }
    for each(let a in [
        new Boolean(true),
        0,
        new Boolean(true),
        function() {},
        new Boolean(true),
        new Boolean(true),
        function() {},
        function() {},
        function() {}
        ]) {
        try {
            new b(a)();
        } catch (e) {}
    }
})()

Crashes js opt shell 64-bit on Mac 10.6 on JM changeset 44ef245b8706 with -m, -a and -j at JSObject::nonNativeSetProperty. The testcase should be passed in as a CLI argument to reproduce.

The $pc value seems to be accessing register r11 at a scary address 0xf1c6d7e000000001 so locking s-s till shown otherwise.
(Reporter)

Comment 1

6 years ago
Crashes m-c changeset dbb129f069b1 64-bit js shell too, with possibly-related-but-not-really-identical stack.
Created attachment 565069 [details] [diff] [review]
patch

Codegen bug in JM+TM interaction, introduced in the TI merge I think.  JM+TM can enter jitcode at any opcode marked as a safe point, but JM did not guarantee this for safe points that are not the targets of a jump.
Assignee: general → bhackett1024
Attachment #565069 - Flags: review?(dvander)
Whiteboard: js-triage-needed → [sg:critical?] js-triage-needed
Attachment #565069 - Flags: review?(dvander) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/e456bef5839b
Gary: does this crash affect Beta (Firefox 8)? Given the patch (if .. !typeInferenceEnabled()) maybe it does; then again, this could have been completely different code prior to the TI landing.
status-firefox10: --- → affected
status-firefox9: --- → affected
tracking-firefox10: --- → +
tracking-firefox8: --- → ?
tracking-firefox9: --- → +
Keywords: regression, regressionwindow-wanted
https://hg.mozilla.org/mozilla-central/rev/e456bef5839b
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

6 years ago
(In reply to Daniel Veditz from comment #4)
> Gary: does this crash affect Beta (Firefox 8)? Given the patch (if ..
> !typeInferenceEnabled()) maybe it does, then again this could have been
> completely different code prior to the TI landing.

I have to hold off testing on this, as the minis are in boxes and soon to be shipping.
bhackett: do you know the answer to comment 4?
(In reply to Daniel Veditz from comment #7)
> bhackett: do you know the answer to comment 4?

This should not affect Firefox 8 or earlier.  The bug is caused by doing cross-branch register allocation when we shouldn't (when JM+TM is enabled); this kind of register allocation was introduced with the TI merge.
Attachment #565069 - Flags: approval-mozilla-aurora?
Attachment #565069 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/c0c7322521b7

Updated

6 years ago
tracking-firefox8: ? → ---

Updated

6 years ago
status-firefox10: affected → fixed
status-firefox9: affected → fixed

Updated

6 years ago
Target Milestone: --- → mozilla10
Can someone who is already set up to reproduce this bug please verify the fix?
Whiteboard: [sg:critical?] js-triage-needed → [sg:critical?][qa-] js-triage-needed
status1.9.2: --- → unaffected
status-firefox11: --- → fixed
status-firefox8: --- → unaffected
(Reporter)

Comment 11

5 years ago
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #10)
> Can someone who is already set up to reproduce this bug please verify the
> fix?

Verified fixed on 64-bit debug and opt builds on Mac 10.6 on m-c changeset bc48009a6bbb.
Status: RESOLVED → VERIFIED
Group: core-security
Bug involving TM, but TM is already removed, in-testsuite-.
Flags: in-testsuite-
Keywords: regressionwindow-wanted