Bug 757149
Opened 12 years ago
Closed 12 years ago
"Assertion failure: (ptrBits & 0x7) == 0,"
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED

Tracking:

 | Tracking | Status
---|---|---
firefox-esr10 | --- | unaffected
People: Reporter: gkw, Unassigned
Details: Keywords: assertion, sec-critical, testcase; Whiteboard: js-triage-needed
Attachments: 2 files
Description:

The attached testcase asserts 64-bit js debug shell on m-c changeset 642d1a36702f with -m and -n at Assertion failure: (ptrBits & 0x7) == 0, does not crash in opt builds nor does it show any Valgrind errors in opt builds. The testcase is fragile so any bisection is likely to be unreliable. s-s because there are seemingly memory addresses on the stack.

(gdb) bt
#0 0x00007ffff7bccb7b in raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1 0x0000000000404041 in JSVAL_TO_OBJECT_IMPL (l=...) at /home/fuzz2lin/Desktop/jsfunfuzz-mozilla-central-_AOadW-642d1a36702f-94417/compilePath/js/src/jsval.h:729
#2 0x000000000040441d in JS::Value::toObject (this=0x7ffff6924520) at /home/fuzz2lin/Desktop/jsfunfuzz-mozilla-central-_AOadW-642d1a36702f-94417/compilePath/js/src/jsapi.h:510
#3 0x00000000004fd03c in js::ValueToObject (cx=0xc1ec20, v=...) at /home/fuzz2lin/Desktop/jsfunfuzz-mozilla-central-_AOadW-642d1a36702f-94417/compilePath/js/src/jsobj.h:1363
#4 0x00000000007adde2 in js::mjit::ic::GetElement (f=..., ic=0xcb9d68) at /home/fuzz2lin/Desktop/jsfunfuzz-mozilla-central-_AOadW-642d1a36702f-94417/compilePath/js/src/methodjit/PolyIC.cpp:2539
#5 0x00007ffff7effa1c in ?? ()
#6 0x00007ffff7efed19 in ?? ()
#7 0x0000000000000001 in ?? ()
#8 0x0000000000000000 in ?? ()
Comment 1 (Reporter, 12 years ago)
Comment 2 (12 years ago):

The test crashes for me on a 32 bit debug build (Linux) with this stack:

Program received signal SIGSEGV, Segmentation fault.
0x7fffff00 in ?? ()
(gdb) bt
#0 0x7fffff00 in ?? ()
#1 0x0804e689 in JSObject::getGeneric (this=0xffffc378, cx=0x862c340, receiver=0xffffc378, id=..., vp=0xf7702298) at ../../jsobjinlines.h:189
#2 0x0804e7af in JSObject::getGeneric (this=0xffffc378, cx=0x862c340, id=..., vp=0xf7702298) at ../../jsobjinlines.h:207
#3 0x083dd85d in js::mjit::ic::GetElement (f=..., ic=0x86b8530) at /srv/repos/mozilla-central/js/src/methodjit/PolyIC.cpp:2576
#4 0xf737c6e8 in ?? ()
#5 0x085deff4 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x7fffff00: Cannot access memory at address 0x7fffff00
(gdb)
Crash Signature: [@ JSObject::getGeneric]
Comment 3 (12 years ago):

Assuming the worst based on executing an odd-looking address. I suppose it could be jitted code but it's still suspicious.
Keywords: sec-critical
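To make concrete the invariant behind the assertion in the description and the wild jump in comment 2, here is an added C example (not code from this bug or from SpiderMonkey): an assumed, simplified model of a 64-bit NaN-boxed value with a 47-bit pointer payload, where a checked decode rejects any object payload whose low three bits are set, which is what `(ptrBits & 0x7) == 0` guards in a debug build. The tag layout, tag value and helper names are constructed for the example; an opt build skips the check and hands the bogus pointer on, which is one way a debug-only assertion becomes a SIGSEGV at an odd address.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model of a 64-bit boxed value (not the real jsval.h layout):
 * a 17-bit tag in the high bits and a 47-bit payload.  Objects are
 * allocated 8-byte aligned, so a well-formed object payload always has
 * its low three bits clear; that is what (ptrBits & 0x7) == 0 asserts. */
#define TAG_SHIFT     47
#define PAYLOAD_MASK  ((1ULL << TAG_SHIFT) - 1)
#define TAG_OBJECT    0x1FFFCULL      /* constructed tag value */

typedef struct { uint64_t bits; } Value;

static Value object_value(const void *obj) {
    Value v;
    v.bits = ((uint64_t)TAG_OBJECT << TAG_SHIFT) | ((uintptr_t)obj & PAYLOAD_MASK);
    return v;
}

/* Checked decode: returns 0 and sets *out on success, -1 if the tag is
 * wrong or the payload is not an 8-byte-aligned pointer.  A debug build
 * asserts here; an opt build would hand the bogus pointer back and the
 * caller would dereference or jump through it. */
static int value_to_object(Value v, void **out) {
    if ((v.bits >> TAG_SHIFT) != TAG_OBJECT)
        return -1;
    uint64_t ptrBits = v.bits & PAYLOAD_MASK;
    if ((ptrBits & 0x7) != 0)          /* the check from the assertion */
        return -1;
    *out = (void *)(uintptr_t)ptrBits;
    return 0;
}

/* Demonstration: a valid object decodes, a corrupted payload is rejected. */
static int demo(void) {
    uint64_t obj[4];                   /* 8-byte-aligned stand-in for an object */
    void *p = NULL;
    Value good = object_value(obj);
    int ok_good = value_to_object(good, &p) == 0 && p == (void *)obj;
    Value bad = good;
    bad.bits |= 0x3;                   /* constructed corruption of the low bits */
    int ok_bad = value_to_object(bad, &p) != 0;
    return ok_good && ok_bad;
}

int main(void) {
    printf("%s\n", demo() ? "alignment invariant enforced" : "FAILED");
    return demo() ? 0 : 1;
}
```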
Comment 4 (Reporter, 12 years ago):

Asserts with m-c changeset 64187d60fae7 but not with 1987beeb0038. Fix window: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=64187d60fae7&tochange=1987beeb0038
Comment 5 (Reporter, 12 years ago):

Likely fixed by bug 755639: autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: 94546:ce618ce8d84a
user: Brian Hackett
date: Mon May 21 20:34:22 2012 -0700
summary: Throw on incompatible calls to gcPreserveCode() and mjitChunkLimit(), bug 755639. r=dvander
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 6 (12 years ago):

JSBugMon: This bug has been automatically verified fixed.
Updated (12 years ago): Status: RESOLVED → VERIFIED
Updated (12 years ago): status-firefox-esr10: --- → unaffected
Updated (9 years ago): Group: core-security