Closed
Bug 693144
Opened 13 years ago
Closed 13 years ago
Crash [@ js::mjit::EnterMethodJIT] with typed array and TI
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox9 | + | fixed |
| firefox10 | + | fixed |
| status1.9.2 | --- | unaffected |
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical?][qa-])
Crash Data
Attachments
(1 file)
|
664 bytes,
patch
|
dvander
:
review+
christian
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The following test crashes on mozilla-central revision b4da2d439cbc (options -m -n -a):
function f() {
var oa = [];
for (var i = 0; i < 8; ++i) {
var o = {};
oa[(new Int32Array(ArrayBuffer.prototype).length)] = o;
}
}
f();
This also affects aurora. As the -n switch (TI) seems to be required, I assume it does not affect beta/release.
Backtrace from m-c debug build:
==3713== Invalid write of size 8
==3713== at 0x403A464: ???
==3713== by 0x6E6C51: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:884)
==3713== by 0x6E6E71: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:945)
==3713== by 0x6E6FC1: js::mjit::JaegerShotAtSafePoint(JSContext*, void*, bool) (MethodJIT.cpp:972)
==3713== by 0x502930: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2174)
[...]
==3713== Address 0xffc4000006d07278 is not stack'd, malloc'd or (recently) free'd
(gdb) x /2i $pc
=> 0x7ffff7f624c0: mov %r10,(%r9,%r12,8)
0x7ffff7f624c4: mov 0x70(%rbx),%r12
(gdb) info registers r9 r10 r12
r9 0x7ffff6007278 140737320612472
r10 0xfffbfffff6009230 -1125900074577360
r12 0xfff8800000000000 -2111062325329920
|
||
Updated•13 years ago
|
|
Assignee | |
Comment 1•13 years ago
|
||
When hoisting <typed array>.length, loadPtr was used to get an int32 out of a fixed slot holding the typed array length, which leaves the high bits still holding the type tag on x64.
Assignee: general → bhackett1024
Attachment #566262 -
Flags: review?(dvander)
|
|
Assignee | |
Updated•13 years ago
|
Whiteboard: js-triage-needed → [sg:critical?]
|
||
Updated•13 years ago
|
Attachment #566262 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 2•13 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/90bbf471c432
|
|
Assignee | |
Updated•13 years ago
|
Attachment #566262 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 3•13 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/90bbf471c432
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 566262 [details] [diff] [review] patch Approved for mozilla-aurora
Attachment #566262 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 5•13 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/598684717e50
|
||
Updated•13 years ago
|
Can someone who is already set up to reproduce this bug please verify the fix?
Whiteboard: [sg:critical?] → [sg:critical?][qa-]
|
Reporter | |
Comment 7•13 years ago
|
||
Verified fixed on Firefox 9 and 10.
|
||
Updated•13 years ago
|
status1.9.2:
--- → unaffected
|
|
||
Updated•13 years ago
|
Group: core-security
|
|
Reporter | |
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Comment 8•12 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•