Crash [@ js::mjit::EnterMethodJIT] with mjitChunkLimit

Status: VERIFIED FIXED
Product / Component: Core / JavaScript Engine
Severity: critical
Reported: 6 years ago
Modified: 5 years ago
Reporter: gkw (Unassigned)
Keywords: crash, regression, testcase
Version: Trunk
Platform: x86 / Windows 7
Blocks: 1 bug
Bug Flags: in-testsuite +
Firefox Tracking Flags: firefox11 unaffected, firefox12 fixed, firefox13 fixed, firefox-esr10 unaffected
Whiteboard: [sg:critical] js-triage-needed, crash signature
Attachments: 1
Description (Reporter, 6 years ago)

Created attachment 598470: stack

function g(code) {
    try {
        f = eval("(function(){" + code + "})")
    } catch (r) {}
    f()
    try {
        evalcx("(function(){return" + code + "})()")
    } catch (e) {}
}
g("mjitChunkLimit(8)")
g(" function(x,[]){NaN.x::c}()")

Crashes js opt 32-bit shell on m-c changeset 78fde7e54d92 with -m, -a and -n at js::mjit::EnterMethodJIT.

Assuming related to chunk patch in bug 722598. s-s because crashing on opt in Windows seems scary, together with the fact that I don't seem to see this signature on other platforms.

Comment 1

I can't repro this but it sure looks like bug 728342. Can you see if that patch fixes this one?

Comment 2 (Reporter, 6 years ago)
Crashes in m-c changeset 39ea8d8f9768 but not in 13b571bde26a. The latter contains the patches from bug 728342.

-> assuming FIXED by bug 728342
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED

If that's true, then a better candidate for a regressor is bug 706914.
Blocks: 706914
No longer blocks: 722598
status-firefox-esr10: --- → unaffected
status-firefox11: --- → unaffected
status-firefox12: --- → fixed
status-firefox13: --- → fixed

Verified crash and fix in js shell.
Status: RESOLVED → VERIFIED
Group: core-security

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+