Closed Bug 769611 Opened 13 years ago Closed 13 years ago

Assertion failure: incBitmap.isMarked(cell, BLACK), at jsgc.cpp:3258 or Opt-Crash [@ PropertyAccess] or Opt-Crash [@ js::RegExpShared::execute]

Categories

(Core :: JavaScript Engine, defect)

x86_64
All
defect
Not set
critical


RESOLVED DUPLICATE of bug 768732

People

(Reporter: decoder, Assigned: billm)

Details

(Keywords: assertion, crash, testcase, Whiteboard: js-triage-needed [jsbugmon:update])

Attachments

(1 file)

The attached test asserts/crashes on mozilla-central revision 9bf5e71c5746 (options -m -n -a).

Valgrind trace from opt-build:

==58700== Invalid read of size 4
==58700==    at 0x4689CA: PropertyAccess(JSContext*, JSScript*, unsigned char*, js::types::TypeObject*, bool, js::types::TypeSet*, long) (jsinfer.h:387)
==58700==    by 0x470B59: TypeConstraintProp::newType(JSContext*, js::types::TypeSet*, js::types::Type) (jsinfer.cpp:1047)
==58700==    by 0x420425: js::types::TypeCompartment::resolvePending(JSContext*) (jsinferinlines.h:812)
==58700==    by 0x4293DF: js::types::TypeSet::addType(JSContext*, js::types::Type) (jsinferinlines.h:1127)
==58700==    by 0x4646AD: js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&) (jsinfer.cpp:4985)
==58700==    by 0x637A32: js::mjit::stubs::StubTypeHelper(js::VMFrame&, int) (jsinferinlines.h:591)
==58700==    by 0x4060165: ???
==58700==    by 0x58FF56: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1016)
==58700==    by 0x47E686: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1496)
==58700==    by 0x58FF93: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1043)
==58700==    by 0x5900E2: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1074)
==58700==    by 0x47F5E9: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:264)
==58700==  Address 0xfff9000000000008 is not stack'd, malloc'd or (recently) free'd

Less reduced versions crash differently. Looks like a critical corruption, s-s.
Assignee: general → wmccloskey
Cool! I'm glad we're starting to find these sorts of crashes.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Group: core-security