Crash [@ js::ParallelArrayObject::getParallelArrayElement] with Floating Point Exception (SIGFPE)

VERIFIED FIXED in Firefox 17

Status

critical
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: decoder, Assigned: shu)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Version: Trunk
Target Milestone: mozilla17
Platform: x86_64 Linux
Keywords: crash, regression, testcase
Bug Flags: in-testsuite+

Firefox Tracking Flags

(firefox16 unaffected, firefox17 verified, firefox-esr10 unaffected)

Details

(Whiteboard: [jsbugmon:update][adv-track-main17-], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test crashes on mozilla-central revision c676b554c7bb (no options required):

var p = new ParallelArray([1, 25e8, 3, 4]);
var pp = p.partition(.34);

Valgrind shows:

==56980== Process terminating with default action of signal 8 (SIGFPE)
==56980==  Integer divide by zero at address 0x701C37D
==56980==    at 0x8352743: js::ParallelArrayObject::partition(JSContext*, JS::CallArgs) (ParallelArray.cpp:1371)
==56980==    by 0x8191613: JS::CallNonGenericMethod(JSContext*, bool (*)(JS::Value const&), bool (*)(JSContext*, JS::CallArgs), JS::CallArgs) (jsapi.h:1570)
==56980==    by 0x8355754: int NonGenericMethod<&(js::ParallelArrayObject::partition(JSContext*, JS::CallArgs))>(JSContext*, unsigned int, JS::Value*) (ParallelArray.cpp:163)
==56980==    by 0x816DCD8: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:389)
==56980==    by 0x817662B: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:351)
==56980==    by 0x818450B: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2423)
==56980==    by 0x8176249: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:308)
==56980==    by 0x8177036: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:492)
==56980==    by 0x8177288: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:530)
==56980==    by 0x809AB80: JS_ExecuteScript (jsapi.cpp:5673)
==56980==    by 0x8050913: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:433)
==56980==    by 0x805C457: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4813)

Marking s-s till triaged properly.
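The crash above is an integer divide by zero inside partition() when it is given the argument .34. The following is an added example, not SpiderMonkey's ParallelArray code: a simplified C++ model of how a JS number coerced to an unsigned 32-bit partition size can truncate to 0, with the unchecked division beside a guarded form that rejects a zero or non-dividing size. The function names and the ToUint32-style truncation are assumptions made for illustration.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// Added example, not SpiderMonkey's ParallelArray.cpp: a simplified model of
// converting a JS number to an unsigned 32-bit partition size.  It mirrors
// ECMAScript ToUint32: NaN/Infinity become 0, the fraction is truncated, and
// the result wraps modulo 2^32.  Fractional inputs like .34 therefore become 0.
uint32_t toUint32(double d) {
    if (std::isnan(d) || std::isinf(d)) return 0;
    double t = std::trunc(d);
    double m = std::fmod(t, 4294967296.0);   // wrap modulo 2^32
    if (m < 0) m += 4294967296.0;            // fmod keeps the sign of t
    return static_cast<uint32_t>(m);
}

// Unchecked division: the pattern behind the SIGFPE in the report.  With
// arg = .34 the divisor is 0 and x86 raises an integer divide-by-zero trap.
// Kept only to show the defect; never call it with an unvalidated argument.
uint32_t partitionCountUnchecked(uint32_t length, double arg) {
    return length / toUint32(arg);
}

struct PartitionResult {
    bool ok;          // false: argument rejected, no division performed
    uint32_t count;   // number of partitions when ok
};

// Guarded form: validate the coerced size before dividing.  A size of 0 is
// rejected outright, and a size that does not evenly divide the length is
// rejected as well, since partition() needs equal-sized slices.
PartitionResult partitionCountChecked(uint32_t length, double arg) {
    uint32_t size = toUint32(arg);
    if (size == 0 || length % size != 0)
        return PartitionResult{false, 0};
    return PartitionResult{true, length / size};
}

int main() {
    // Constructed inputs mirroring the testcase: length 4, argument .34.
    PartitionResult r = partitionCountChecked(4, .34);
    std::printf("size from .34 = %u, accepted = %d\n", toUint32(.34), r.ok);
    r = partitionCountChecked(4, 2);
    std::printf("partition(2) on length 4 -> %u partitions\n", r.count);
    return 0;
}
```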
(Assignee)

Comment 1

6 years ago
Created attachment 653428
fix and testcase
Attachment #653428 - Flags: review?(dmandelin)
Attachment #653428 - Flags: review?(dmandelin) → review+

Comment 3

6 years ago
https://hg.mozilla.org/mozilla-central/rev/be7d6ce3ee9b
Assignee: general → shu
Status: NEW → RESOLVED
Last Resolved: 6 years ago
status-firefox17: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
(Reporter)

Updated

6 years ago
Status: RESOLVED → VERIFIED
(Reporter)

Comment 4

6 years ago
JSBugMon: This bug has been automatically verified fixed.

Comment 5

6 years ago
Do we think ESR10 is affected by this bug, or is this a newer regression?
(Assignee)

Comment 6

6 years ago
(In reply to Alex Keybl [:akeybl] from comment #5)
> Do we think ESR10 is affected by this bug, or is this a newer regression?

It's introduced by http://hg.mozilla.org/integration/mozilla-inbound/rev/ea2ad8970f3e which is pretty recent.
status-firefox-esr10: --- → unaffected
status-firefox17: fixed → verified
status-firefox16: --- → unaffected
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-track-main17-]
Blocks: 778559
Group: core-security
Keywords: regression
(Reporter)

Comment 7

6 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+