Closed Bug 820215 Opened 12 years ago Closed 12 years ago

Crash [@ js::types::MakeTypeId]

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
firefox17 --- unaffected
firefox18 --- unaffected
firefox19 --- unaffected
firefox20 - affected
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:])

Crash Data

Attachments

(1 file)

Attached file stack
try {
s = g = WeakMap
e = new Set
v = ArrayBuffer()
Uint8ClampedArray
o = {}
s = ''
g = s = function() {}
m = new WeakMap
e = (4)
t = new Uint8ClampedArray
a2 = []
o = newGlobal('')
f = p
r()
} catch (e) {}
try {
print(gczeal(10, 2))
a
} catch (e) {}
try {} catch (e) {}
try { (function() { with({}) {} }) } catch (e) {}
try {
var r = p("", "")
t(e(''))
} catch (e) {}
try { (f)() } catch (e) {}
try { var r = /1/; s = ""; print(s.t(r)) } catch (e) {}
try { for (c in [(/2/ ())(/2/), s()(/2/)(i)]) { [, 1] } } catch (e) {}
try {} catch (e) {}
try { for each(let x in [t(), e]) {} } catch (e) {}
try { f = y.r(o) } catch (e) {}
try { a1 = a2 } catch (e) {}
try { t(b) } catch (e) {}
try { t(4) } catch (e) {}
try { (function() { Object.l() })() } catch (e) {}
try { (function() { a1.v = (function _() { var x; return function() { x; } })() })() } catch (e) {}
try { y(9) } catch (e) {}
try { m = new Map } catch (e) {}
try { for (let a in x) {} } catch (e) {}
try { for (v of f) {} } catch (e) {}
try { L: for (let d in "22CA"); } catch (e) {}

crashes js opt shell on m-c changeset 725eb8792d27 with -a at js::types::MakeTypeId

s-s just-in-case - this seems like a null deref at first glance, but autobisect points at gc rooted stuff.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   115149:5acd87d0cf33
user:        Terrence Cole
date:        Tue Dec 04 11:10:53 2012 -0800
summary:     Bug 817091 - Merge Unrooted<T> and Return<T>; r=billm

My configuration command:

sh ./configure --target=i686-pc-linux --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-valgrind --with-ccache
Assignee: general → terrence
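The comment above relies on autoBisect to walk changesets until the crash appears; the driver below is an added example of the step that tool automates, not code from this bug, from autoBisect, or from the SpiderMonkey tree. It is written in the shape `hg bisect --command` expects (exit 0 for good, 125 to skip, anything else for bad) and classifies a run of the js shell on a saved testcase by whether the shell died from a signal, as opposed to merely throwing a JavaScript exception. `JS_SHELL`, `TESTCASE` and the driver file name are placeholders; the `-a` flag is the one the report used.

```shell
#!/bin/sh
# Added example (not part of bug 820215 or of autoBisect): a minimal driver for
# `hg bisect --command` that re-runs a fuzzer testcase against the js shell and
# reports whether this revision crashes.
#
# Assumptions (placeholders, not values from the bug): JS_SHELL is a js shell
# built from the revision currently checked out and TESTCASE is the saved
# testcase. hg reads the command's exit status: 0 = good, 125 = skip this
# revision, 127 aborts the whole bisection, any other value = bad.

JS_SHELL="${JS_SHELL:-./js}"          # placeholder path to the built shell
TESTCASE="${TESTCASE:-testcase.js}"   # placeholder path to the saved testcase

# classify_run CMD...: run CMD, print good/bad/skip, return the bisect status.
# A JavaScript exception or an ordinary non-zero exit counts as "good": the
# bisection is looking for the crash (death by signal), not for script errors.
classify_run() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo good
        return 0
    elif [ "$rc" -eq 127 ]; then
        # Command not found: no shell was built for this revision. Report
        # "skip" (125) rather than passing 127 through, which would abort hg.
        echo skip
        return 125
    elif [ "$rc" -ge 128 ]; then
        # 128 + signal number: SIGSEGV (139), SIGABRT (134), ...
        echo bad
        return 1
    else
        echo good
        return 0
    fi
}

# signal_name RC: translate a 128+N exit status into a signal name for logs.
signal_name() {
    case "$1" in
        134) echo SIGABRT ;;
        139) echo SIGSEGV ;;
        *)   echo "signal $(( $1 - 128 ))" ;;
    esac
}

# bisect_step: what `hg bisect --command 'sh bisect_driver.sh run'` invokes.
bisect_step() {
    classify_run "$JS_SHELL" -a "$TESTCASE"
}

if [ "${1:-}" = "run" ]; then
    bisect_step
fi
```

Used as `hg bisect --reset; hg bisect --bad 725eb8792d27; hg bisect --good <known-good-rev>; hg bisect --command 'sh bisect_driver.sh run'`. The driver deliberately does not rebuild the shell: autoBisect builds each revision before testing it, and with a stale `JS_SHELL` every step would report the same verdict. Treating "command not found" as skip rather than bad keeps a revision that fails to build from being blamed for the crash.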
Full configuration command with needed environment variables is:

CC="gcc -m32" CXX="g++ -m32" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh ./configure --target=i686-pc-linux --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-valgrind --with-ccache

My GCC version:

$ gcc --version
gcc-4.7.real (Ubuntu/Linaro 4.7.2-2ubuntu1) 4.7.2
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
I'm not able to reproduce locally on GCC 4.5. Looking at it on Gary's computer, it appears to be totally and completely unrelated to the regressing changeset. The actual error is very odd: TI seems to be trying to operate on a garbage object. I'm not familiar at all with this code, so I'm going to have to punt.
Assignee: terrence → general
I've since built GCC 4.6 and 4.7 and I cannot reproduce this with either. Specific versions are:

gcc version 4.6.3 (Gentoo 4.6.3 p1.8, pie-0.5.2)
gcc version 4.7.2 (Gentoo 4.7.2 p1.3, pie-0.5.5)

Build configuration was copied exactly from above.
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Cannot process bug: Unable to reproduce bug on original revision.
Please re-nom for tracking if this becomes a reproducible crash being hit by more than just one user.
Gary: can you still reproduce this? If so what compiler/version are you using that differs from the others?
Flags: needinfo?(gary)
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   116126:8541aa1783c7
user:        Jason Orendorff
date:        Fri Dec 14 14:33:13 2012 -0600
summary:     Bug 817368 - Map.prototype.{keys,values,entries}. r=luke.

It went away for me too, though I could reproduce in the changeset in comment 0 but not on tip. Seems like bug 817368 fixed it.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(gary)
Resolution: --- → FIXED
Group: core-security