Closed
Bug 819794
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ js::ion::Range::isLowerInfinite] or [@ js::ion::LIRGenerator::visitAbs] with --ion-range-analysis=off
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla20
| | Tracking | Status |
|---|---|---|
| firefox17 | --- | unaffected |
| firefox18 | --- | unaffected |
| firefox19 | --- | unaffected |
| firefox20 | - | fixed |
| firefox-esr10 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
People
(Reporter: gkw, Assigned: h4writer)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files)
7.18 KB, text/plain
1.93 KB, patch (bhackett1024: review+)
```js
x = [];
x[2] = 1;
x.unshift(0);
x.unshift(0);
x.sort(function() {
    return Math.abs(4)
})
```

crashes js opt shell on IonMonkey changeset 725eb8792d27 with --ion-eager and --ion-range-analysis=off at js::ion::Range::isLowerInfinite

Although this seems like a null deref, I'm setting s-s and sec-moderate just-in-case, because I'm not sure of the meaning of --ion-range-analysis=off yet.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 114092:89e5db8cf62f
user: Brian Hackett
date: Fri Nov 23 23:23:03 2012 -0500
summary: Add symbolic range analysis for loop induction variables, bug 766592. r=mjrosenb
Comment 1 • 12 years ago (Reporter)
js::ion::LIRGenerator::visitAbs is also on the stack.
Crash Signature: [@ js::ion::Range::isLowerInfinite] → [@ js::ion::Range::isLowerInfinite] [@ js::ion::LIRGenerator::visitAbs]
Summary: IonMonkey: Crash [@ js::ion::Range::isLowerInfinite] → IonMonkey: Crash [@ js::ion::Range::isLowerInfinite] or [@ js::ion::LIRGenerator::visitAbs]
Comment 2 • 12 years ago (Reporter)
Debug shells also crash with virtually identical stacks.
Comment 3 • 12 years ago (Assignee)
I think we first wanted to land ion with range analysis disabled, but eventually it got enabled in all releases where we ship ion. Now I think the chance that it will ever get disabled is very, very low.
Assignee: general → hv1989
Attachment #690240 - Flags: review?(bhackett1024)
Updated • 12 years ago
Attachment #690240 - Flags: review?(bhackett1024) → review+
Comment 4 • 12 years ago
NULL deref in a configuration we don't ship, not s-s.
Group: core-security
Keywords: csec-dos,
sec-moderate
Comment 5 • 12 years ago (Reporter)
Testcase can land with the patch.
Flags: in-testsuite?
Keywords: checkin-needed
Comment 6 • 12 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/a4a0aa798038
Flags: in-testsuite? → in-testsuite+
Keywords: checkin-needed
Comment 7 • 12 years ago (Assignee)
https://hg.mozilla.org/mozilla-central/rev/a4a0aa798038
Target Milestone: --- → mozilla20
Updated • 12 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated • 12 years ago (Reporter)
Summary: IonMonkey: Crash [@ js::ion::Range::isLowerInfinite] or [@ js::ion::LIRGenerator::visitAbs] → IonMonkey: Crash [@ js::ion::Range::isLowerInfinite] or [@ js::ion::LIRGenerator::visitAbs] with --ion-range-analysis=off
Updated • 11 years ago
Depends on: move-fb-to-datastore