Closed
Bug 865635
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ isTagged]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla23
| Tracking | Status | |
|---|---|---|
| firefox21 | --- | unaffected |
| firefox22 | --- | unaffected |
| firefox23 | --- | verified |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(Keywords: crash, sec-high, testcase, Whiteboard: [jsbugmon:update,ignore][adv-main23-])
Crash Data
Attachments
(1 file)
|
2.88 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 690b5e0f6562 (run with --ion-eager):
function TestCase(d)
this.description = d;
function reportCompare (description) {
if (typeof description == "undefined")
description = '';
new TestCase(description);
}
reportCompare(0);
gc();
function foo() {}
evaluate("for(var i = 0; i < 1; ++i) reportCompare(foo[0]);", { noScriptRval : true });
|
Reporter | |
Comment 1•12 years ago
|
||
Crash trace:
Program received signal SIGSEGV, Segmentation fault.
0x084ea488 in isTagged (this=0x24) at /srv/repos/mozilla-central/js/src/ion/LIR.h:88
88 return !!(bits_ & TAG_MASK);
(gdb) bt
#0 0x084ea488 in isTagged (this=0x24) at /srv/repos/mozilla-central/js/src/ion/LIR.h:88
#1 kind (this=0x24) at /srv/repos/mozilla-central/js/src/ion/LIR.h:132
#2 isArgument (this=0x24) at /srv/repos/mozilla-central/js/src/ion/LIR.h:162
#3 js::ion::LinearScanAllocator::populateSafepoints (this=0xffffbb54) at /srv/repos/mozilla-central/js/src/ion/LinearScan.cpp:535
#4 0x084f2f68 in js::ion::LinearScanAllocator::go (this=0xffffbb54) at /srv/repos/mozilla-central/js/src/ion/LinearScan.cpp:1168
#5 0x084704c3 in js::ion::GenerateLIR (mir=0x8910c68) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1128
#6 0x0847246e in CompileBackEnd (mir=0x8910c68, maybeMasm=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1208
#7 js::ion::SequentialCompileContext::compile (this=0xffffbe4f, builder=0x8910c68, graph=0x8910bd0, autoDelete=...) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1401
#8 0x08472f52 in IonCompile<js::ion::SequentialCompileContext> (compileContext=..., constructing=true, osrPc=0x8914b6b <incomplete sequence \343\232>, fp=..., script=<optimized out>, cx=0x88ca440)
at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1341
#9 js::ion::Compile<js::ion::SequentialCompileContext> (cx=0x88ca440, script=0xf75282b8, fp=..., osrPc=0x8914b6b <incomplete sequence \343\232>, constructing=false, compileContext=...)
at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1572
#10 0x084733bf in js::ion::CanEnterAtBranch (cx=0x88ca440, script=0xf75282b8, fp=..., pc=0x8914b6b <incomplete sequence \343\232>, isConstructing=false) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1617
#11 0x0865c45c in EnsureCanEnterIon (jitcodePtr=<synthetic pointer>, pc=0x8914b6b <incomplete sequence \343\232>, script=0xf75282b8, frame=0xffffbf5c, cx=0x88ca440, stub=<optimized out>)
at /srv/repos/mozilla-central/js/src/ion/BaselineIC.cpp:658
#12 DoUseCountFallback (infoPtr=0xffffbf48, frame=0xffffbf5c, stub=0x8931df8, cx=0x88ca440) at /srv/repos/mozilla-central/js/src/ion/BaselineIC.cpp:844
#13 js::ion::DoUseCountFallback (cx=0x88ca440, stub=0x8931df8, frame=0xffffbf5c, infoPtr=0xffffbf48) at /srv/repos/mozilla-central/js/src/ion/BaselineIC.cpp:803
#14 0xf770ebe1 in ?? ()
#15 0x08931df8 in ?? ()
#16 0xf77079ad in ?? ()
(gdb) x /i $pc
=> 0x84ea488 <js::ion::LinearScanAllocator::populateSafepoints()+760>: mov 0x24(%ecx),%eax
(gdb) info reg ecx
ecx 0x0 0
Looks like a null-deref but the test performs a gc() so marking s-s until investigated.
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 2•12 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 129594:79f78c194329
user: Brian Hackett
date: Fri Apr 12 07:25:50 2013 -0600
summary: Bug 804676 - Fix various fuzz bugs.
This iteration took 144.571 seconds to run.
|
Assignee | |
Comment 3•12 years ago
|
||
This is another case of lowering getting terminally confused when a type barrier has unexpected inputs. In this case the input was a box, and the input to the box was a constant value. The patch fixes this by using MMonitorTypes instead, which is basically a type barrier without the wonky behavior and closer to what the type write barriers want to be happening. The earlier workarounds for type barrier inputs are also rolled back here.
Attachment #741925 -
Flags: review?(dvander)
|
||
Updated•12 years ago
|
Attachment #741925 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 4•12 years ago
|
||
|
||
Comment 5•12 years ago
|
||
Assuming this leads to badness. Feel free to adjust as appropriate.
Assignee: general → bhackett1024
status-b2g18:
--- → unaffected
status-firefox21:
--- → unaffected
status-firefox22:
--- → unaffected
status-firefox23:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-firefox23:
--- → ?
Keywords: sec-high
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 6•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0e45f1b9521f).
|
||
Comment 7•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
|
|
Reporter | |
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Comment 8•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•12 years ago
|
tracking-firefox23:
? → ---
Marking status-firefox23:verified based on comment 8.
|
||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main23-]
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•