Closed Bug 811694 Opened 13 years ago Closed 13 years ago

JM Crash [@ js::mjit::EnterMethodJIT] on Heap with TI disabled

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
firefox18 --- unaffected
firefox19 + fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: decoder, Unassigned)

References

Details

(4 keywords, Whiteboard: [jsbugmon:][adv-main19-])

Crash Data

The following testcase crashes on mozilla-central revision 4e9567eeb09e (run with -m -a --no-ti):

evaluate('\
var ClassToMethodMap = { Array: [ "indexOf", "lastIndexOf", "every" ] };\
function testMethod(Class, className, method) {\
  try {\
    (0, Class.prototype[method])();\
  } catch (e) { }\
}\
for (var className in ClassToMethodMap) {\
  var Class = this[className];\
  var methodNames = ClassToMethodMap[className];\
  for (var i = 0, sz = methodNames.length; i < sz; i++) {\
    var method = methodNames[i];\
    testMethod(Class, className, method);\
  }\
}\
', { newContext: false, compileAndGo: true, global: newGlobal('new-compartment') });
Crash traces:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fedb7d in ?? ()
(gdb) bt
#0  0x00007ffff7fedb7d in ?? ()
#1  0x00007ffff7fe8cd2 in ?? ()
#2  0x0000000000000001 in ?? ()
#3  0x00007fffffffd3e0 in ?? ()
#4  0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x7ffff7fedb7d:    mov    0x58(%r15),%r15

==44076== Invalid read of size 8
==44076==    at 0x402BB65: ???
==44076==    by 0x7AACC1: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1043)
==44076==    by 0x7AAF73: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:1101)
==44076==    by 0x7AB106: js::mjit::JaegerShotAtSafePoint(JSContext*, void*, bool) (MethodJIT.cpp:1131)
==44076==    by 0x53CFE4: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1374)
==44076==    by 0x7AAD98: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1070)
==44076==    by 0x7AAF73: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:1101)
==44076==    by 0x7AB0C2: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1119)
==44076==    by 0x539227: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:323)
==44076==    by 0x53A212: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:515)
==44076==    by 0x53A46C: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:553)
==44076==    by 0x453569: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5540)
==44076== Address 0x58 is not stack'd, malloc'd or (recently) free'd

Since this bug is with TI disabled, it could affect at least the ARMv6 devices where only JM is used. S-s because this is a heap crash.
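The trace above already contains the first triage fact a reviewer wants: the faulting instruction is a load from 0x58(%r15), and Valgrind reports the fault address as exactly 0x58, which is consistent with %r15 holding zero at the time of the read (a NULL base plus a field offset, rather than a read of live heap contents). The Python helper below is an added example, not part of this bug or of the SpiderMonkey tree; it parses the gdb disassembly line and the Valgrind report, extracts access kind, fault address and the first symbolized frame, checks whether the instruction's displacement matches the fault address, and buckets the crash. The page-threshold (NULL_PAGE_LIMIT) and the bucket names are assumptions of the example; the sample input is the bug's own trace, re-split onto one record per line.

```python
import re

# Constructed sample input: the gdb and Valgrind lines quoted in this bug report,
# split back onto one record per line (the bug page flattens them).
SAMPLE_TRACE = """\
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fedb7d in ?? ()
(gdb) x /i $pc
=> 0x7ffff7fedb7d:    mov    0x58(%r15),%r15
==44076== Invalid read of size 8
==44076==    at 0x402BB65: ???
==44076==    by 0x7AACC1: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1043)
==44076==    by 0x7AAF73: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:1101)
==44076== Address 0x58 is not stack'd, malloc'd or (recently) free'd
"""

ACCESS_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)")
ADDR_RE = re.compile(r"^==\d+== Address (0x[0-9a-fA-F]+) is (.+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) (0x[0-9a-fA-F]+): (.+?)(?: \(([^()]+:\d+)\))?$")
DISASM_RE = re.compile(r"^=> (0x[0-9a-fA-F]+):\s+(\S+)\s+(.*)$")
MEMOPERAND_RE = re.compile(r"(-?0x[0-9a-fA-F]+)?\((%\w+)")

# Assumed heuristic: a fault address inside the first page is treated as
# NULL-plus-field-offset rather than an arbitrary wild pointer.
NULL_PAGE_LIMIT = 0x1000


def parse_trace(text):
    """Extract access kind, fault address, frames and the faulting instruction."""
    info = {"access": None, "size": None, "address": None, "status": None,
            "frames": [], "pc": None, "insn": None}
    for line in text.splitlines():
        line = line.rstrip()
        if m := ACCESS_RE.match(line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
        elif m := ADDR_RE.match(line):
            info["address"], info["status"] = int(m.group(1), 16), m.group(2)
        elif m := FRAME_RE.match(line):
            info["frames"].append({"pc": int(m.group(1), 16),
                                   "symbol": m.group(2), "location": m.group(3)})
        elif m := DISASM_RE.match(line):
            info["pc"], info["insn"] = int(m.group(1), 16), (m.group(2), m.group(3))
    return info


def classify(info):
    """Coarse bucket for the fault, based only on Valgrind's address description."""
    addr, status = info["address"], info["status"] or ""
    if addr is None:
        return "unknown"
    if addr < NULL_PAGE_LIMIT:
        return "near-null"
    if status.startswith("not stack'd"):
        return "wild-pointer"
    if "free'd" in status:
        return "use-after-free"
    if "after a block" in status or "before a block" in status:
        return "heap-adjacent"
    return "other"


def first_symbolized_frame(info):
    """First frame Valgrind could name; JIT-generated code shows up as '???'."""
    for frame in info["frames"]:
        if frame["symbol"] != "???":
            return frame
    return None


def null_base_register(info):
    """If the faulting instruction is disp(%reg) and disp equals the fault
    address, the base register held zero: return that register's name."""
    if not info["insn"] or info["address"] is None:
        return None
    m = MEMOPERAND_RE.search(info["insn"][1])
    if not m:
        return None
    disp = int(m.group(1), 16) if m.group(1) else 0
    return m.group(2) if disp == info["address"] else None


def triage(text):
    """One-call summary suitable for a bug comment or a crash-bucket key."""
    info = parse_trace(text)
    frame = first_symbolized_frame(info)
    return {
        "kind": classify(info),
        "access": f"{info['access']} of {info['size']} bytes",
        "address": info["address"],
        "null_register": null_base_register(info),
        "top_frame": frame["symbol"].split("(")[0] if frame else None,
        "location": frame["location"] if frame else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key:14s} {value}")
```

Run against the sample it reports kind near-null, null_register %r15 and top_frame js::mjit::EnterMethodJIT at MethodJIT.cpp:1043; the same helper fed a Valgrind report whose address line says "inside a block ... free'd" buckets it as use-after-free, which is the distinction that matters when deciding how much attention a JIT crash needs.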
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision fc1684f4d3a9).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   113132:dd68409d7810
user:        Phil Ringnalda
date:        Tue Nov 13 22:08:22 2012 -0800
summary:     Back out 3da143341145 (bug 784294) and 862f9cd7eb0b (bug 791850) for breaking Jetpack

This iteration took 100.782 seconds to run.
This is fixed by the backout in comment 3.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Can this be put in testsuite?
Flags: in-testsuite?
Whiteboard: [jsbugmon:] → [jsbugmon:][adv-main19-]
Group: core-security