Bug 783537 - Crash [@ js::mjit::CallCompiler::patchInlinePath]
Status: Closed
Opened 12 years ago
Closed 12 years ago
Categories: Core :: JavaScript Engine, defect
Resolution: RESOLVED FIXED (target milestone mozilla17)

| | Tracking | Status |
|---|---|---|
| firefox-esr10 | --- | unaffected |
People: Reporter: decoder, Assigned: billm
Keywords: crash, testcase; Whiteboard: [jsbugmon:update][fuzzblocker]
Attachments (1 file): patch, 2.25 KB, review+ from dvander
The following test crashes on mozilla-central revision 1ecca798b1fb (options -m -a):

```js
try {
  gczeal(4); // shell-only: GC zeal mode 4 enables the GC pre-barrier verifier
  // repeat_str is a fuzzer helper that is not defined here; the ReferenceError is swallowed below
  var source = "".concat(repeat_str("}", N));
} catch (exc1) {}
var g = newGlobal('new-compartment');
g.eval("function f() { return 1; }");
var N = g.N = 11;
g.eval("function h() { for (var i = 0; i < N; i += f()) {} }");
g.h();
```

Crash trace:

```
==39412== Invalid read of size 8
==39412==    at 0x82F74B: js::mjit::CallCompiler::patchInlinePath(JSScript*, JSObject*) (MonoIC.cpp:677)
==39412==    by 0x830FD8: js::mjit::CallCompiler::update() (MonoIC.cpp:968)
==39412==    by 0x831110: js::mjit::ic::Call(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:997)
==39412==    by 0x403BE9E: ???
==39412==    by 0x7807C3: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1016)
==39412==    by 0x780A6B: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:1074)
==39412==    by 0x780B6A: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1086)
==39412==    by 0x530A82: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:305)
==39412==    by 0x530F4C: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:362)
==39412==    by 0x4679FD: js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (jsinterp.h:119)
==39412==    by 0x531182: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:394)
==39412==    by 0x5BA50B: js::IndirectProxyHandler::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jsproxy.cpp:477)
==39412==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
```

Hitting this very often, marking as fuzzblocker. Also this is in mjit code and it could be a dup of bug 783421, so marking s-s.
Comment 1•12 years ago
This is not a dupe of bug 783421.
Comment 2•12 years ago
I just bisected this to myself.

changeset: 102421:07f21ec5d516
user: Bill McCloskey <wmccloskey@mozilla.com>
date: Wed Aug 15 10:39:48 2012 -0700
summary: Bug 781390 - Make barrier verifier testing work better with the methodjit (r=bhackett)
Assignee: general → wmccloskey
Comment 3•12 years ago
I missed converting a few calls to needsBarrier() to compileBarriers(). I didn't think it was necessary for the ICs, but I guess it is. For one, we don't flush the ICs when starting the barrier verifier.
Attachment #652893 - Flags: review?(dvander)
Updated•12 years ago
Attachment #652893 - Flags: review?(dvander) → review+
Comment 4•12 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/e141e1418174
Comment 5•12 years ago
https://hg.mozilla.org/mozilla-central/rev/e141e1418174
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Updated•12 years ago
status-firefox-esr10: --- → unaffected
Updated•9 years ago
Group: core-security