Bug 769433 - Assertion failure: objArrayType >= 0 && objArrayType < TypedArray::TYPE_MAX, at jsinfer.cpp:1756 or Opt-Crash [@ js::mjit::Assembler::storeToTypedArray]
Closed (opened 13 years ago, closed 13 years ago)
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
| Release | Tracking | Status |
|---|---|---|
| firefox13 | --- | unaffected |
| firefox14 | --- | unaffected |
| firefox15 | --- | unaffected |
| firefox16 | - | affected |
| firefox-esr10 | --- | unaffected |
People: Reporter: decoder, Unassigned
Details: 5 keywords, Whiteboard: js-triage-needed [jsbugmon:update]
Attachments (1 file)
Attachment #637961: patch, 1.16 KB, dvander: review+
The following test asserts/crashes on mozilla-central revision 9bf5e71c5746 (options -m -n -a):

function stringConvert() {
  var a = Uint32Array.prototype;
  for (var i = 0; i < 10; i++) {
    a[0] = 1 >> s1;
  }
}
stringConvert();
Valgrind trace from opt-build:
==47271== Invalid read of size 4
==47271== at 0x5E2A59: js::mjit::Assembler::storeToTypedArray(int, JSC::X86Registers::RegisterID, js::mjit::Int32Key, js::mjit::ValueRemat) (jstypedarrayinlines.h:119)
==47271== by 0x5E71BB: js::mjit::Compiler::jsop_setelem_typed(int) (FastOps.cpp:1474)
==47271== by 0x5E9EDF: js::mjit::Compiler::jsop_setelem(bool) (FastOps.cpp:1556)
==47271== by 0x5B8E04: js::mjit::Compiler::generateMethod() (Compiler.cpp:2607)
==47271== by 0x5BF130: js::mjit::Compiler::performCompilation() (Compiler.cpp:517)
==47271== by 0x5BF1EA: js::mjit::Compiler::compile() (Compiler.cpp:112)
==47271== by 0x5C0B34: js::mjit::CanMethodJIT(JSContext*, JSScript*, unsigned char*, bool, js::mjit::CompileRequest) (Compiler.cpp:978)
==47271== by 0x47DC35: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1489)
==47271== by 0x58FF93: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1043)
==47271== by 0x5900E2: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1074)
==47271== by 0x47F5E9: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:264)
==47271== by 0x4801E1: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:455)
==47271== Address 0x37e112078 is not stack'd, malloc'd or (recently) free'd
Looks like a critical corruption, s-s.
Comment 1•13 years ago
x = new Uint8ClampedArray;
y = x.__proto__;
(function() {
  for (var z = 0; z < 9; ++z) {
    y[0];
  }
})()
is another testcase that has a similar assertion on m-c changeset rev 081d8578beb1.
OS: Linux → All
Comment 2•13 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 97780:195ffaea56ea
user: Brian Hackett
date: Wed Jun 27 07:10:50 2012 -0700
summary: Specialize big typed arrays with singleton types, bug 762561. r=dvander
Blocks: 762561
status-firefox-esr10: --- → unaffected
status-firefox13: --- → unaffected
status-firefox14: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → affected
tracking-firefox16: --- → ?
Keywords: regression
Comment 3•13 years ago
JSObject::makeLazyType needs to look for typed array prototypes, which have a typed array proto key but are regular native objects.
Attachment #637961 - Flags: review?(dvander)
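The distinction comment 3 draws, shown from script as an added example that is not code from the bug, its patch or SpiderMonkey: `Uint8ClampedArray.prototype` sits on the typed-array prototype chain (the "typed array proto key" evidence) but is an ordinary native object with no backing buffer, so an engine must confirm it has a real view before emitting a typed-array element store. It assumes an ES2015+ engine such as Node.js; `classify`, `storePath`, `storeZero` and `demo` are illustrative names.

```javascript
// Added example, not from bug 769433 or SpiderMonkey. Illustrates why a
// typed-array prototype must not be treated as a typed array: it inherits
// from %TypedArray%.prototype (the "proto key" evidence) but has no
// [[TypedArrayName]] slot and no backing buffer. Assumes an ES2015+ engine
// such as Node.js; function names here are illustrative.

// %TypedArray%.prototype.length is an accessor that throws a TypeError
// unless `this` is a genuine view, so it works as a slot check.
const typedArrayProto = Object.getPrototypeOf(Uint8Array.prototype);
const lengthGetter = Object.getOwnPropertyDescriptor(typedArrayProto, "length").get;

function hasTypedArraySlot(obj) {
  try {
    lengthGetter.call(obj);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// What an engine should establish before emitting a "store to typed array
// element" fast path for obj[index] = value. Only the last field is true
// for a prototype object; keying on it alone is the mistake behind the bug.
function classify(obj) {
  return {
    isView: ArrayBuffer.isView(obj),
    hasSlot: hasTypedArraySlot(obj),
    onTypedArrayChain: typedArrayProto.isPrototypeOf(obj),
  };
}

// Pick the store path the way a correct engine would: element semantics
// only for a real view, ordinary property semantics otherwise.
function storePath(obj) {
  return hasTypedArraySlot(obj) ? "typed-array-element" : "ordinary-property";
}

// Store a value at index 0 and read it back. A Uint8ClampedArray clamps
// 300 to 255 in its buffer; the prototype just gains an own data property
// named "0" holding 300, which is removed again to leave the prototype clean.
function storeZero(obj, value) {
  obj[0] = value;
  const stored = obj[0];
  if (!ArrayBuffer.isView(obj)) delete obj[0];
  return stored;
}

function demo() {
  const view = new Uint8ClampedArray(1);
  const proto = Object.getPrototypeOf(view); // Uint8ClampedArray.prototype
  return {
    view: { ...classify(view), path: storePath(view), stored: storeZero(view, 300) },
    proto: { ...classify(proto), path: storePath(proto), stored: storeZero(proto, 300) },
  };
}
```

Calling `demo()` gives, for the real view, `isView` and `hasSlot` true and a clamped result of 255; for the prototype both are false and the store leaves an ordinary property holding 300, while `onTypedArrayChain` is true for both. That shared prototype-chain evidence is all the crashing fast path had to go on, which is why comment 3 has `JSObject::makeLazyType` recognize typed array prototypes as regular native objects.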
Updated•13 years ago
Attachment #637961 - Flags: review?(dvander) → review+
Comment 4•13 years ago
Comment 5•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
Group: core-security
Keywords: sec-critical
Reporter
Comment 6•13 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug769433.js.
Flags: in-testsuite+