Closed Bug 729364 Opened 12 years ago Closed 12 years ago

[IncrementalGC] Crash [@ js::mjit::JITScript::chunkIndex] or "Assertion failure: m_value," with verifybarriers

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

RESOLVED DUPLICATE of bug 728609

People

(Reporter: gkw, Assigned: billm)

References

Details

(4 keywords, Whiteboard: [sg:nse] js-triage-needed)

Attachments

(1 file)

Attached file stack
function f() {
  try {} catch (e) {}
}
function g(code) {
  // Wrap the payload in an IIFE so it is compiled and run as a fresh script.
  function m() {
    return "(function(){return " + code + "})()"
  }
  var codeNestedDeep = m(codeNestedDeep)
  // Run the wrapped payload twice, each time in a new same-compartment global.
  h(m(code), "same-compartment")
  h(codeNestedDeep, "same-compartment")
}
function h(code, globalType) {
  try {
    // evalcx() and newGlobal() are js shell testing functions, not standard JS.
    evalcx(code, newGlobal(globalType))
  } catch (e) {
    "" + f()
  }
}
function p()(function() function() {})
// verifybarriers() is a js shell debug function that starts incremental GC
// write-barrier verification; the payload calls it inside a let expression.
g("print(let(x=verifybarriers(),q)((x(\"\",l('')))?(\"\"):(\"\")))()")


The attached testcase asserts the js debug shell on m-c changeset 9bde0d25d76e with -m, -a and -n at "Assertion failure: m_value", and sometimes crashes instead at js::mjit::JITScript::chunkIndex.

Pass the testcase as a CLI argument to reproduce the assert. Paste the testcase in to get the crash.

verifybarriers is present -> locking s-s and assuming [sg:critical] prior to diagnosis.
Assignee: general → wmccloskey
Not s-s because it's a bug in the verifier.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
No longer blocks: 630996
> Not s-s because it's a bug in the verifier.

-> sg:nse
Whiteboard: [sg:critical] js-triage-needed → [sg:nse] js-triage-needed
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug729364.js.
Flags: in-testsuite+
