Crash [@ js::mjit::JITScript::destroyChunk] or "Assertion failure: i < nchunks,"

RESOLVED FIXED in mozilla13

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 6 years ago
Modified: 5 years ago

People

(Reporter: gkw, Assigned: bhackett)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla13
Hardware: x86
OS: Windows 7
Keywords: assertion, crash, regression, testcase

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-needed, crash signature)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 592952 [details]
stacks

The testcase to be attached asserts the js debug shell on m-c changeset 7cdb5f5d38c6 with -m and -n at "Assertion failure: i < nchunks," and crashes the js opt shell at js::mjit::JITScript::destroyChunk.

s-s because JIT crashes seem scary.
(Reporter)

Comment 2

6 years ago
This *might* have been caused by the chunk patch in bug 706914.
Blocks: 706914
(Reporter)

Comment 3

6 years ago
A small testcase, js opt shell 32-bit, m-c changeset feb866aec8d8, with -m, -a, -n:

function whatToTestSpidermonkeyTrunk(code) {
    return {
        e: true,
        g: true & !code.match(/l/) && !(code.match(/=/) && "" != 1) && code.match(/f/) && (e || e.f("") == -1),
        y: true & code.i && f("") == -1
    }
}
whatToTest = whatToTestSpidermonkeyTrunk
function tryItOut(code) {
    if (count == 0) {
        gc()
    }
    whatToTest(code)
    try {
        Function(code)()
    } catch (e) {}
}
count = 0
tryItOut("mjitChunkLimit(13)")
count = tryItOut("")
tryItOut("mjitChunkLimit(72)")
tryItOut("")
tryItOut("")
tryItOut("l")
tryItOut("f")
(Assignee)

Comment 4

6 years ago
Created attachment 594769 [details] [diff] [review]
patch

Problem with the mjitChunkLimit shell function (so not security-sensitive).  Changing the chunk limit changes the chunk structure of a script which can invalidate invalidation constraints.
Assignee: general → bhackett1024
Attachment #594769 - Flags: review?(dvander)
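The mechanism in comment 4, as an added illustrative model and not SpiderMonkey's own code: a script is compiled in chunks whose count depends on the chunk limit, and an invalidation constraint that remembers a chunk index recorded under one limit can point past the end of the chunk array after the limit changes. The struct and function names (script_t, constraint_t, rechunk, chunk_for_pc, chunk_to_destroy_unchecked, chunk_to_destroy_rederived), the bytecode length of 100 and the offset 90 are assumptions made for this model; the two limits, 13 and 72, are the ones the testcase passes to mjitChunkLimit.

```c
/* Added illustrative model of chunk-limit changes vs. recorded chunk indices.
 * Not SpiderMonkey code: script_t, constraint_t and the function names below
 * are assumptions made for this example. */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    size_t nbytecode;    /* bytecode length of the script (assumed 100 below) */
    size_t chunk_limit;  /* maximum bytecode span per compiled chunk */
    size_t nchunks;      /* number of chunks under the current limit */
} script_t;

/* An invalidation constraint: when the assumption it was compiled under stops
 * holding, the chunk that contains pc has to be thrown away. */
typedef struct {
    size_t pc;           /* bytecode offset the constraint was recorded at */
    size_t chunk;        /* chunk index that covered pc when it was recorded */
} constraint_t;

/* Recompute the chunk structure for a new limit (ceil division). */
static void rechunk(script_t *s, size_t limit)
{
    s->chunk_limit = limit;
    s->nchunks = (s->nbytecode + limit - 1) / limit;
}

/* Chunk index covering bytecode offset pc under the current layout. */
static size_t chunk_for_pc(const script_t *s, size_t pc)
{
    return pc / s->chunk_limit;
}

static constraint_t record_constraint(const script_t *s, size_t pc)
{
    constraint_t c = { pc, chunk_for_pc(s, pc) };
    return c;
}

/* Stale pattern: trust the chunk index recorded earlier. Returns the index if
 * it is still in range, or (size_t)-1 where a debug build's "i < nchunks"
 * assertion would fire (and an opt build would index past the chunk array). */
static size_t chunk_to_destroy_unchecked(const script_t *s, const constraint_t *c)
{
    if (c->chunk >= s->nchunks)
        return (size_t)-1;
    return c->chunk;
}

/* Safe pattern: re-derive the chunk from the bytecode offset under the
 * current layout, so the result is always below nchunks. */
static size_t chunk_to_destroy_rederived(const script_t *s, const constraint_t *c)
{
    return chunk_for_pc(s, c->pc);
}

/* Same shape as the testcase: limit 13 first, then 72, same script. */
int main(void)
{
    script_t s = { 100, 0, 0 };
    rechunk(&s, 13);                                /* 8 chunks */
    constraint_t c = record_constraint(&s, 90);     /* recorded as chunk 6 */
    rechunk(&s, 72);                                /* now only 2 chunks */

    printf("recorded chunk %zu, nchunks now %zu\n", c.chunk, s.nchunks);
    printf("unchecked lookup: %s\n",
           chunk_to_destroy_unchecked(&s, &c) == (size_t)-1 ? "out of range" : "ok");
    printf("re-derived lookup: chunk %zu\n", chunk_to_destroy_rederived(&s, &c));
    return 0;
}
```

The model only shows why a recorded index goes stale; the actual patch (attachment 594769) is not reproduced here, and whether it re-derives indices, drops constraints on a limit change, or does something else is not stated on this page.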
(Assignee)

Updated

6 years ago
Group: core-security
Attachment #594769 - Flags: review?(dvander) → review+
(Assignee)

Comment 5

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/65872ea859eb
https://hg.mozilla.org/mozilla-central/rev/65872ea859eb
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
(Reporter)

Updated

5 years ago
Depends on: 728509
No longer depends on: 728509