Closed
Bug 693144
Opened 13 years ago
Closed 13 years ago
Crash [@ js::mjit::EnterMethodJIT] with typed array and TI
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: VERIFIED FIXED

Flag | Tracking | Status
---|---|---
firefox9 | + | fixed
firefox10 | + | fixed
status1.9.2 | --- | unaffected
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical?][qa-])
Attachments (1 file)
patch (664 bytes) | dvander: review+ | christian: approval-mozilla-aurora+
The following test crashes on mozilla-central revision b4da2d439cbc (options -m -n -a):

```js
function f() {
  var oa = [];
  for (var i = 0; i < 8; ++i) {
    var o = {};
    oa[(new Int32Array(ArrayBuffer.prototype).length)] = o;
  }
}
f();
```

This also affects aurora. As the -n switch (TI) seems to be required, I assume it does not affect beta/release.

Backtrace from m-c debug build:

```
==3713== Invalid write of size 8
==3713==    at 0x403A464: ???
==3713==    by 0x6E6C51: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:884)
==3713==    by 0x6E6E71: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:945)
==3713==    by 0x6E6FC1: js::mjit::JaegerShotAtSafePoint(JSContext*, void*, bool) (MethodJIT.cpp:972)
==3713==    by 0x502930: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2174)
[...]
==3713== Address 0xffc4000006d07278 is not stack'd, malloc'd or (recently) free'd
```

```
(gdb) x /2i $pc
=> 0x7ffff7f624c0:  mov    %r10,(%r9,%r12,8)
   0x7ffff7f624c4:  mov    0x70(%rbx),%r12
(gdb) info registers r9 r10 r12
r9             0x7ffff6007278      140737320612472
r10            0xfffbfffff6009230  -1125900074577360
r12            0xfff8800000000000  -2111062325329920
```
Updated • 13 years ago

Comment 1 • 13 years ago (Assignee)
When hoisting <typed array>.length, loadPtr was used to get an int32 out of a fixed slot holding the typed array length, which leaves the high bits still holding the type tag on x64.
Assignee: general → bhackett1024
Attachment #566262 - Flags: review?(dvander)
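The mechanism described in comment 1, as an added C illustration (not code from the Mozilla patch or from the JIT itself): on x64 a JS value occupies one 64-bit word, with a type tag in the high bits and, for an int32, the payload in the low 32 bits. Reading the whole word with a pointer-sized load instead of a 32-bit load hands the tagged word to the indexed store `mov %r10,(%r9,%r12,8)`, so the index is the tag itself. The tag constant 0xfff8800000000000 is taken from the r12 value in the register dump (assumed here to be the int32 tag with payload 0, since the testcase's typed array has length 0), and the base address 0x6d07278 is a constructed sample derived from the valgrind fault address. The bounds check at the end goes slightly beyond the comment: it shows that a capacity check on the index, as a fast path must have before computing the address, rejects the tagged value.

```c
/*
 * Added illustration of bug 693144's root cause; not the project's own code.
 * A NaN-boxed int32 slot holds tag | payload in one 64-bit word. The buggy
 * hoisted <typed array>.length read used a 64-bit (pointer) load, so the
 * tag bits stayed in the register that was then used as an array index.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: shifted int32 tag as seen in r12 in the gdb dump above. */
#define INT32_TAG_SHIFTED 0xfff8800000000000ULL

/* Box an int32 the way the fixed slot holding the typed array length does. */
static uint64_t box_int32(int32_t v) {
    return INT32_TAG_SHIFTED | (uint64_t)(uint32_t)v;
}

/* Buggy path (what loadPtr did): the whole 64-bit word becomes the index. */
static uint64_t index_via_loadptr(uint64_t slot) {
    return slot;
}

/* Fixed path: a 32-bit load yields only the int32 payload. */
static uint64_t index_via_load32(uint64_t slot) {
    return (uint64_t)(uint32_t)slot;
}

/* Address computed by `mov %r10,(%r9,%r12,8)`: base + index*8, wrapping mod 2^64
 * exactly as the CPU's address arithmetic does. */
static uint64_t elem_address(uint64_t base, uint64_t index) {
    return base + index * 8u;
}

/* A dense-array store must check the index against the element capacity
 * before forming the address; the tagged word fails that check. */
static bool store_in_bounds(uint64_t index, uint64_t capacity) {
    return index < capacity;
}

int main(void) {
    /* new Int32Array(ArrayBuffer.prototype).length is 0 in the testcase. */
    uint64_t slot = box_int32(0);
    uint64_t bad  = index_via_loadptr(slot);
    uint64_t good = index_via_load32(slot);
    uint64_t base = 0x6d07278ULL;   /* constructed: derived from the valgrind address */
    uint64_t capacity = 8;          /* constructed: the loop stores 8 elements */

    printf("slot word       : 0x%016" PRIx64 "\n", slot);
    printf("loadPtr index   : 0x%016" PRIx64 " -> addr 0x%016" PRIx64 " in bounds: %s\n",
           bad, elem_address(base, bad), store_in_bounds(bad, capacity) ? "yes" : "no");
    printf("load32 index    : 0x%016" PRIx64 " -> addr 0x%016" PRIx64 " in bounds: %s\n",
           good, elem_address(base, good), store_in_bounds(good, capacity) ? "yes" : "no");
    return 0;
}
```

With the tagged word as index the computed address is 0xffc4000006d07278, the exact address valgrind reported as "not stack'd, malloc'd or (recently) free'd"; with the 32-bit payload the store lands at element 0 of the array.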
Updated • 13 years ago (Assignee)
Whiteboard: js-triage-needed → [sg:critical?]
Updated • 13 years ago
Attachment #566262 - Flags: review?(dvander) → review+
Comment 2 • 13 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/90bbf471c432
Updated • 13 years ago (Assignee)
Attachment #566262 - Flags: approval-mozilla-aurora?
Comment 3 • 13 years ago (Assignee)
https://hg.mozilla.org/mozilla-central/rev/90bbf471c432
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 566262 (patch): Approved for mozilla-aurora
Attachment #566262 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 5 • 13 years ago (Assignee)
https://hg.mozilla.org/releases/mozilla-aurora/rev/598684717e50
Updated • 13 years ago
Can someone who is already set up to reproduce this bug please verify the fix?
Whiteboard: [sg:critical?] → [sg:critical?][qa-]
Comment 7 • 13 years ago (Reporter)
Verified fixed on Firefox 9 and 10.
Updated • 13 years ago
status1.9.2: --- → unaffected
Updated • 13 years ago
Group: core-security
Updated • 12 years ago (Reporter)
Status: RESOLVED → VERIFIED
Comment 8 • 12 years ago (Reporter)
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+