Bug 811694 (Closed): JM Crash [@ js::mjit::EnterMethodJIT] on Heap with TI disabled
Opened 13 years ago; closed 13 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED

| | Tracking | Status |
|---|---|---|
| firefox18 | --- | unaffected |
| firefox19 | + | fixed |
| firefox-esr10 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
People: Reporter: decoder; Unassigned
Details: 4 keywords; Whiteboard: [jsbugmon:][adv-main19-]
The following testcase crashes on mozilla-central revision 4e9567eeb09e (run with -m -a --no-ti):
evaluate('\
var ClassToMethodMap = { Array: [ "indexOf", "lastIndexOf", "every" ] };\
function testMethod(Class, className, method) {\
try {\
(0, Class.prototype[method])();\
} catch (e) { }\
}\
for (var className in ClassToMethodMap) {\
var Class = this[className];\
var methodNames = ClassToMethodMap[className];\
for (var i = 0, sz = methodNames.length; i < sz; i++) {\
var method = methodNames[i];\
testMethod(Class, className, method);\
}\
}\
', { newContext: false, compileAndGo: true, global: newGlobal('new-compartment') });
Comment 1 (Reporter) • 13 years ago
Crash traces:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fedb7d in ?? ()
(gdb) bt
#0 0x00007ffff7fedb7d in ?? ()
#1 0x00007ffff7fe8cd2 in ?? ()
#2 0x0000000000000001 in ?? ()
#3 0x00007fffffffd3e0 in ?? ()
#4 0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x7ffff7fedb7d: mov 0x58(%r15),%r15

==44076== Invalid read of size 8
==44076== at 0x402BB65: ???
==44076== by 0x7AACC1: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1043)
==44076== by 0x7AAF73: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:1101)
==44076== by 0x7AB106: js::mjit::JaegerShotAtSafePoint(JSContext*, void*, bool) (MethodJIT.cpp:1131)
==44076== by 0x53CFE4: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1374)
==44076== by 0x7AAD98: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1070)
==44076== by 0x7AAF73: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:1101)
==44076== by 0x7AB0C2: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1119)
==44076== by 0x539227: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:323)
==44076== by 0x53A212: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:515)
==44076== by 0x53A46C: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:553)
==44076== by 0x453569: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5540)
==44076== Address 0x58 is not stack'd, malloc'd or (recently) free'd
Since this bug is with TI disabled, it could affect at least the ARMv6 devices where only JM is used. S-s because this is a heap crash.
Updated (Reporter) • 13 years ago
Whiteboard: [jsbugmon:update,bisect]
Updated (Reporter) • 13 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
Comment 2 (Reporter) • 13 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision fc1684f4d3a9).
Updated (Reporter) • 13 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Updated (Reporter) • 13 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 3 (Reporter) • 13 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: 113132:dd68409d7810
user: Phil Ringnalda
date: Tue Nov 13 22:08:22 2012 -0800
summary: Back out 3da143341145 (bug 784294) and 862f9cd7eb0b (bug 791850) for breaking Jetpack
This iteration took 100.782 seconds to run.
Comment 4 (Reporter) • 13 years ago
This is fixed by the backout in comment 3.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated (Reporter) • 13 years ago
Status: RESOLVED → VERIFIED
Comment 5 (Reporter) • 13 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 13 years ago
status-firefox-esr10: --- → unaffected
status-firefox-esr17: --- → unaffected
Updated • 13 years ago
status-firefox18: --- → unaffected
status-firefox19: --- → fixed
tracking-firefox19: --- → +
Keywords: regression, sec-critical
Updated • 12 years ago
Whiteboard: [jsbugmon:] → [jsbugmon:][adv-main19-]
Updated • 11 years ago
Group: core-security