Closed Bug 782103 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ JSScript::hasIonScript]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
macOS
defect
Not set
critical


RESOLVED DUPLICATE of bug 777537

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [ion:p1:fx18])

Crash Data

Attachments

(3 files, 6 obsolete files)

Attached file stack
The upcoming attached testcase crashes js debug shell on IonMonkey changeset 32b7b76d111c with --no-jm at JSScript::hasIonScript
Attached file checkpoint partially reduced testcase (obsolete) —
IonMonkey changeset 32b7b76d111c :
$ ./js-dbg-64-ionmonkey-darwin --no-jm 2maybe.js
fuzzSeed: 97677646
2maybe.js:226: TypeError: rndElt(...) is not a function
Segmentation fault: 11
Attachment #651176 - Attachment is obsolete: true
Attached file checkpoint2 (obsolete) —
Attachment #651241 - Attachment is obsolete: true
Attached file checkpoint3 (obsolete) —
Lithium has reached its limits here; let's see what LangDDMin can do...
Attachment #651280 - Attachment is obsolete: true
I moved the random number generator out to this file, the upcoming checkpointed "2maybe.js" scripts will load this.
Attachment #651409 - Attachment is obsolete: true
IonMonkey changeset 32b7b76d111c :
./js-dbg-64-ionmonkey-darwin --no-jm 2maybe.js
fuzzSeed: 97677646
2maybe.js:789: TypeError: rndElt(...) is not a function
Segmentation fault: 11
Whiteboard: [ion:p1:fx18]
Based on the backtrace this is most likely a duplicate of Bug 777537. It trips constantly in the browser.
I cannot reproduce this in IonMonkey changeset 22fe5c9f4433 with and without the patch in bug 777537, so I cannot confirm that that patch is the one that fixes this. Ideally we should reduce this testcase till we have one where we can check in to the repository.
Attachment #651446 - Attachment is obsolete: true
> Ideally we should reduce this testcase till we have one where we can check
> in to the repository.

Our automated reducers have hit their limits so unfortunately someone will have to reduce this manually.
checkpoint6 - reduced off checkpoint4 because 5 is unreadable.

(tested on 64-bit debug js shell on Mac IonMonkey changeset 32b7b76d111c with --no-jm)

Nicolas, is it possible for you to try to reduce this? Jesse and I have taken a few stabs at it.

It does not seem reproducible on tip, but this does not mean that the bug is gone; see the previous comment for a testcase that crashes at the same stack trace on a later changeset e244389fbfc4.
Attachment #651563 - Attachment is obsolete: true
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #12)
> Created attachment 652105 [details]
> checkpoint6 - needs main script (main.js)
>
> checkpoint6 - reduced off checkpoint4 because 5 is unreadable.
>
> (tested on 64-bit debug js shell on Mac IonMonkey changeset 32b7b76d111c
> with --no-jm )
>
> Nicolas, is it possible for you to try to reduce this? Jesse and I have
> taken a few stabs at it.
>
> It does not seem reproducible on tip but this does not mean that the bug is
> gone, see previous comment for a testcase that crashes at the same
> stacktrace on a later changeset e244389fbfc4.

I was not able to reproduce this bug with the patch for Bug 777537 (changeset cfc77da79f9f) on both test cases.

> Program received signal EXC_BAD_ACCESS, Could not access memory.
> Reason: KERN_INVALID_ADDRESS at address: 0x00000001027076c8
> JSScript::hasIonScript (this=0x102707628) at jsscript.h:627
> 627 return ion && ion != ION_DISABLED_SCRIPT;
> (gdb) bt
> #0 JSScript::hasIonScript (this=0x102707628) at jsscript.h:627

Knowing that Bug 777537 is fixing the dangling pointer issue, which seems to be the case here based on the reported stack trace, I think it is not necessary to look into reproducing this bug. I will flag this issue as a duplicate of Bug 777537.

gary, I'll let you check if we can make this bug public. It seems ok for me.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
alright, opening up.
Group: core-security