Closed
Bug 819794
Opened 13 years ago
Closed 13 years ago
IonMonkey: Crash [@ js::ion::Range::isLowerInfinite] or [@ js::ion::LIRGenerator::visitAbs] with --ion-range-analysis=off
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla20
| Tracking | Status | |
|---|---|---|
| firefox17 | --- | unaffected |
| firefox18 | --- | unaffected |
| firefox19 | --- | unaffected |
| firefox20 | - | fixed |
| firefox-esr10 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
People
(Reporter: gkw, Assigned: h4writer)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files)
|
7.18 KB,
text/plain
|
Details | |
|
1.93 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
x = [];
x[2] = 1;
x.unshift(0);
x.unshift(0);
x.sort(function() {
return Math.abs(4)
})
crashes js opt shell on IonMonkey changeset 725eb8792d27 with --ion-eager and --ion-range-analysis=off at js::ion::Range::isLowerInfinite
Although this seems like a null deref, I'm setting s-s and sec-moderate just-in-case, because I'm not sure of the meaning of --ion-range-analysis=off yet.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 114092:89e5db8cf62f
user: Brian Hackett
date: Fri Nov 23 23:23:03 2012 -0500
summary: Add symbolic range analysis for loop induction variables, bug 766592. r=mjrosenb
|
Reporter | |
Comment 1•13 years ago
|
||
js::ion::LIRGenerator::visitAbs is also on the stack.
Crash Signature: [@ js::ion::Range::isLowerInfinite] → [@ js::ion::Range::isLowerInfinite]
[@ js::ion::LIRGenerator::visitAbs]
Summary: IonMonkey: Crash [@ js::ion::Range::isLowerInfinite] → IonMonkey: Crash [@ js::ion::Range::isLowerInfinite] or [@ js::ion::LIRGenerator::visitAbs]
|
|
Reporter | |
Comment 2•13 years ago
|
||
Debug shells also crash with virtually identical stacks.
|
Assignee | |
Comment 3•13 years ago
|
||
I think we first wanted to land ion with range analysis disabled, but eventually it got enabled in all releases we ship ion. Now I think the chance that it will get disabled ever is very very low.
Assignee: general → hv1989
Attachment #690240 -
Flags: review?(bhackett1024)
|
||
Updated•13 years ago
|
Attachment #690240 -
Flags: review?(bhackett1024) → review+
|
|
||
Comment 4•13 years ago
|
||
NULL deref in a configuration we don't ship, not s-s.
Group: core-security
Keywords: csec-dos,
sec-moderate
|
|
Reporter | |
Comment 5•13 years ago
|
||
Testcase can land with the patch.
Flags: in-testsuite?
Keywords: checkin-needed
|
|
Assignee | |
Comment 6•13 years ago
|
||
Flags: in-testsuite? → in-testsuite+
Keywords: checkin-needed
|
|
Assignee | |
Comment 7•13 years ago
|
||
Target Milestone: --- → mozilla20
|
|
Assignee | |
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
|
|
Reporter | |
Updated•13 years ago
|
Summary: IonMonkey: Crash [@ js::ion::Range::isLowerInfinite] or [@ js::ion::LIRGenerator::visitAbs] → IonMonkey: Crash [@ js::ion::Range::isLowerInfinite] or [@ js::ion::LIRGenerator::visitAbs] with --ion-range-analysis=off
|
||
Updated•12 years ago
|
Depends on: move-fb-to-datastore
You need to log in
before you can comment on or make changes to this bug.
Description
•