Closed Bug 722598 Opened 9 years ago Closed 9 years ago

Crash [@ js::mjit::JITScript::destroyChunk] or "Assertion failure: i < nchunks,"

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect
Not set
critical

RESOLVED FIXED
mozilla13

People

(Reporter: gkw, Assigned: bhackett1024)

Details

(4 keywords, Whiteboard: js-triage-needed)

Attachments

(2 files)

Attached file stacks
The testcase to be attached asserts js debug shell on m-c changeset 7cdb5f5d38c6 with -m and -n at "Assertion failure: i < nchunks", and crashes js opt shell at js::mjit::JITScript::destroyChunk.

s-s because JIT crashes seem scary.
This *might* have been caused by the chunk patch in bug 706914.
Blocks: 706914
A small testcase, js opt shell 32-bit, m-c changeset feb866aec8d8, with -m, -a, -n:

function whatToTestSpidermonkeyTrunk(code) {
    return {
        e: true,
        g: true & !code.match(/l/) && !(code.match(/=/) && "" != 1) && code.match(/f/) && (e || e.f("") == -1),
        y: true & code.i && f("") == -1
    }
}
whatToTest = whatToTestSpidermonkeyTrunk
function tryItOut(code) {
    if (count == 0) {
        gc()   // js shell builtin: force a garbage collection (only reached on the first call, see below)
    }
    whatToTest(code)
    try {
        Function(code)()
    } catch (e) {}
}
count = 0
tryItOut("mjitChunkLimit(13)")   // js shell builtin: change the methodjit chunk limit
count = tryItOut("")             // tryItOut returns undefined, so count == 0 is false from here on and gc() is not called again
tryItOut("mjitChunkLimit(72)")   // changing the limit again alters the chunk structure of already-compiled scripts
tryItOut("")
tryItOut("")
tryItOut("l")
tryItOut("f")
Attached patch: patch
Problem with the mjitChunkLimit shell function (so not security-sensitive). Changing the chunk limit changes the chunk structure of a script which can invalidate invalidation constraints.
Assignee: general → bhackett1024
Attachment #594769 - Flags: review?(dvander)
Group: core-security
Attachment #594769 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/65872ea859eb
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
No longer depends on: 728509