Closed
Bug 697255
Opened 13 years ago
Closed 13 years ago
TM/JM: Crash [@ js_GetProperty] or [@ js::analyze::ScriptAnalysis::maybeCode] or "Assertion failure: offset < script->length," or "Assertion failure: script->code <= pc && pc < endpc,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla10
Release | Tracking | Status
---|---|---
firefox7 | - | unaffected
firefox8 | - | unaffected
firefox9 | + | fixed
firefox10 | + | fixed
status1.9.2 | --- | unaffected
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(4 keywords, Whiteboard: [sg:critical][qa-] js-triage-done)
Crash Data
Attachments (2 files, 1 obsolete file)
4.14 KB, text/plain (obsolete) | Details
668 bytes, patch | luke: review+, akeybl: approval-mozilla-aurora+ | Details | Diff | Splinter Review
a = evalcx("lazy");
b = {}
b.__proto__ = a
a.__proto__ = String
for (var a = 0; a < 50; a++) {
try {
b + ""
} catch (e) {}
}
asserts js debug shell on m-c changeset 6cd262091470 with -m and -j at Assertion failure: script->code <= pc && pc < endpc,
A variant,
o9 = evalcx("lazy");
d = {}
d.__proto__ = o9
o9.__proto__ = String.prototype.__proto__;
__proto__.__defineGetter__("toString", function() {})
for (var a = 0; a < 50; a++) {
try {
d + ""
} catch (e) {}
}
asserts js debug shell on m-c changeset 6cd262091470 with -m and -j at Assertion failure: offset < script->length, and crashes js opt shell at js_GetProperty
Tested on 32-bit Mac 10.6, setting [sg:critical] because a scary memory address, 0x83000005, is being read.
(Ran autoBisect on the second testcase, not sure if it's correct)
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 77143:9ca3d16d575c
parent: 77103:06445f55f009
user: Brian Hackett
date: Sat Sep 17 19:14:22 2011 -0700
summary: [INFER] Reapply c2726640029f 3330521cfa4a b68281262e15 (bug 557358), 6a8947bcc821 (bug 684943), 50d4f6fa00ce (bug 683714), f3dd7cf2d0b3 (bug 683999).
Comment 1 • 13 years ago (Reporter)
(gdb) x/i $pc
0xc8cf0 <_Z14js_GetPropertyP9JSContextP8JSObjectS2_iPN2JS5ValueE+1040>: orl $0x4000,(%eax)
(gdb) x/b $eax
0x83000005: Cannot access memory at address 0x83000005
orl performs a logical or between 0x4000 and eax, which is the weird address 0x83000005.
Attachment #569501 -
Attachment is obsolete: true
Comment 2 • 13 years ago (Reporter)
Also crashes Mac 10.6 64-bit m-c tip changeset f2fa4ae74ee1, albeit with -j only, and with js::analyze::ScriptAnalysis::maybeCode at the top of js_GetProperty on the crash stack.
Crash Signature: [@ js_GetProperty] → [@ js_GetProperty]
[@ js::analyze::ScriptAnalysis::maybeCode]
Summary: TM/JM: Crash [@ js_GetProperty] or "Assertion failure: offset < script->length," or "Assertion failure: script->code <= pc && pc < endpc," → TM/JM: Crash [@ js_GetProperty] or [@ js::analyze::ScriptAnalysis::maybeCode] or "Assertion failure: offset < script->length," or "Assertion failure: script->code <= pc && pc < endpc,"
Comment 3 • 13 years ago (Assignee)
Bug related to imacros. The pc returned via currentScript could be in an imacro, which confused callers that expected the script/pc to match each other.
autoBisect is wrong, the blamed revision doesn't touch anything around here.
Attachment #569884 -
Flags: review?(luke)
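To make the script/pc mismatch from comment 3 concrete, here is an added C model (not SpiderMonkey code) of an analysis lookup that trusts the caller's pc beside one that first checks the pc lies within script->code and script->code + length, the condition the failing assertion states. The Script struct, the sample buffers standing in for a script and an imacro, and the helper names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a script's bytecode range plus a per-offset analysis
 * table, like the one ScriptAnalysis::maybeCode() indexes by (pc - code). */
typedef struct {
    const uint8_t *code;   /* first bytecode byte of this script */
    size_t length;         /* number of bytecode bytes */
    const int *info;       /* one analysis entry per bytecode offset */
} Script;

/* Constructed sample data: one script and a separate code buffer standing in
 * for an imacro, whose pcs never belong to the script. */
static const uint8_t script_code[4] = {0x01, 0x02, 0x03, 0x04};
static const int     script_info[4] = {10, 20, 30, 40};
static const uint8_t imacro_code[3] = {0xAA, 0xBB, 0xCC};
static const Script  demo_script    = {script_code, 4, script_info};

/* The invariant the bug's assertion states: script->code <= pc < code+length. */
int pc_in_script(const Script *s, const uint8_t *pc) {
    return pc >= s->code && pc < s->code + s->length;
}

/* Offset as an unchecked caller computes it. For a foreign pc the subtraction
 * wraps to a huge value, so indexing info[] with it reads far out of bounds. */
size_t raw_offset(const Script *s, const uint8_t *pc) {
    return (size_t)((uintptr_t)pc - (uintptr_t)s->code);
}

/* Hardened lookup: verify the pc belongs to this script before indexing, so
 * offset < length holds by construction instead of by assertion. */
const int *analysis_at(const Script *s, const uint8_t *pc) {
    if (!pc_in_script(s, pc))
        return NULL;          /* caller passed a pc from another script/imacro */
    return &s->info[raw_offset(s, pc)];
}

/* Helpers exercising both cases on the constructed data. */
int demo_lookup_in_script(void)    { return *analysis_at(&demo_script, script_code + 2); }
int demo_foreign_pc_rejected(void) { return analysis_at(&demo_script, imacro_code + 1) == NULL; }
int demo_unchecked_offset_oob(void){ return raw_offset(&demo_script, imacro_code + 1) >= demo_script.length; }

int main(void) {
    printf("in-script lookup: %d\n", demo_lookup_in_script());                  /* 30 */
    printf("foreign pc rejected: %d\n", demo_foreign_pc_rejected());            /* 1 */
    printf("unchecked offset out of range: %d\n", demo_unchecked_offset_oob()); /* 1 */
    return 0;
}
```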
Comment 4 • 13 years ago (Reporter)
> autoBisect is wrong, the blamed revision doesn't touch anything around here.
No wonder I had different blamed revs for the 2 testcases.
Updated • 13 years ago (Reporter)
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-done
Updated • 13 years ago
Attachment #569884 -
Flags: review?(luke) → review+
Comment 5 • 13 years ago (Assignee)
Comment 6 • 13 years ago
Is this something that we could take on aurora? And my understanding is that this is TI specific, so 8 and older are unaffected. Please correct me if I'm wrong on that.
Assignee: general → bhackett1024
status-firefox10:
--- → affected
status-firefox7:
--- → unaffected
status-firefox8:
--- → unaffected
status-firefox9:
--- → affected
tracking-firefox7:
--- → -
tracking-firefox8:
--- → -
Comment 7 • 13 years ago (Assignee)
Comment on attachment 569884 [details] [diff] [review]
patch
currentScript() was added for the TI merge so this should only affect Fx9 and later (though this only manifests with the tracer enabled).
Attachment #569884 -
Flags: approval-mozilla-aurora?
Comment 8 • 13 years ago
emorley merged this to mozilla-central: https://hg.mozilla.org/mozilla-central/rev/9507d7ca0f58
Resolving fixed.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated • 13 years ago
Target Milestone: --- → mozilla10
Comment 9 • 13 years ago
Comment on attachment 569884 [details] [diff] [review]
patch
[Triage Comment]
* Approving for Aurora since this is a TI regression in 9
Attachment #569884 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 10 • 13 years ago (Assignee)
Updated • 13 years ago
Comment 11 • 13 years ago
Can someone who is already set up to reproduce this bug please verify the fix?
Whiteboard: [sg:critical] js-triage-done → [sg:critical][qa-] js-triage-done
Updated • 13 years ago
status1.9.2:
--- → unaffected
Comment 12 • 13 years ago (Reporter)
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #11)
> Can someone who is already set up to reproduce this bug please verify the
> fix?
Verified fixed on 64-bit debug and opt builds on Mac 10.6 on m-c changeset bc48009a6bbb.
Updated • 13 years ago (Reporter)
Status: RESOLVED → VERIFIED
Updated • 13 years ago
Group: core-security
Comment 13 • 12 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+