Closed
Bug 783537
Opened 13 years ago
Closed 13 years ago
Crash [@ js::mjit::CallCompiler::patchInlinePath]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla17
| Tracking | Status | |
|---|---|---|
| firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: billm)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update][fuzzblocker])
Attachments
(1 file)
|
2.25 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
The following test crashes on mozilla-central revision 1ecca798b1fb (options -m -a):
try {
gczeal(4);
var source = "".concat( repeat_str("}", N));
} catch(exc1) {}
var g = newGlobal('new-compartment');
g.eval("function f() { return 1; }");
var N = g.N = 11;
g.eval("function h() { for (var i = 0; i < N; i += f()) {} }");
g.h();
Crash trace:
==39412== Invalid read of size 8
==39412== at 0x82F74B: js::mjit::CallCompiler::patchInlinePath(JSScript*, JSObject*) (MonoIC.cpp:677)
==39412== by 0x830FD8: js::mjit::CallCompiler::update() (MonoIC.cpp:968)
==39412== by 0x831110: js::mjit::ic::Call(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:997)
==39412== by 0x403BE9E: ???
==39412== by 0x7807C3: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1016)
==39412== by 0x780A6B: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:1074)
==39412== by 0x780B6A: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1086)
==39412== by 0x530A82: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:305)
==39412== by 0x530F4C: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:362)
==39412== by 0x4679FD: js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (jsinterp.h:119)
==39412== by 0x531182: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:394)
==39412== by 0x5BA50B: js::IndirectProxyHandler::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jsproxy.cpp:477)
==39412== Address 0x10 is not stack'd, malloc'd or (recently) free'd
Hitting this very often, marking as fuzzblocker. Also this is in mjit code and it could be a dup of bug 783421 so marking s-s.
|
Assignee | |
Comment 1•13 years ago
|
||
This is not a dupe of bug 783421.
|
|
Assignee | |
Comment 2•13 years ago
|
||
I just bisected this to myself.
changeset: 102421:07f21ec5d516
user: Bill McCloskey <wmccloskey@mozilla.com>
date: Wed Aug 15 10:39:48 2012 -0700
summary: Bug 781390 - Make barrier verifier testing work better with the methodjit (r=bhackett)
Assignee: general → wmccloskey
|
|
Assignee | |
Comment 3•13 years ago
|
||
I missed converting a few calls to needsBarrier() to compileBarriers(). I didn't think it was necessary for the ICs, but I guess it is. For one, we don't flush the ICs when starting the barrier verifier.
Attachment #652893 -
Flags: review?(dvander)
|
||
Updated•13 years ago
|
Attachment #652893 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 4•13 years ago
|
||
|
||
Comment 5•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
|
||
Updated•13 years ago
|
status-firefox-esr10:
--- → unaffected
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•