Closed
Bug 875748
Opened 11 years ago
Closed 11 years ago
Crash [@ js::types::TypeObject::readBarrier] with ParallelArray
Categories
(Core :: JavaScript Engine, defect)
VERIFIED
FIXED
mozilla24
| | Tracking | Status |
|---|---|---|
| firefox23 | --- | unaffected |
| firefox24 | --- | verified |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: decoder, Assigned: shu)
References
Details
(5 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files, 1 obsolete file)
1.93 KB, text/plain
1.01 KB, patch (djvj: review+)
The following testcase crashes on mozilla-central revision df526497d949 (run with --ion-eager):

```
testFilter(range(0, 1024), function(hits, ... toSource) {});
function range(n, m) {
  var result = [];
  for (var i = n; i < m; i++)
    result.push(i);
  return result;
}
try {} catch (e) {}
function assertParallelArrayModesEq(modes, acc, opFunction, expect) {
  cmpFunction = function(e1, e2) {
    e1 instanceof Array;
    e2 instanceof ParallelArray;
  }
  modes.forEach(function (mode) {
    var result = opFunction({ mode: mode, expect: expect });
    cmpFunction(acc, result);
  });
  var measurements = [];
}
function compareAgainstArray(jsarray, opname, func, expect) {
  var expected = jsarray[opname].apply(jsarray, [func]);
  var parray = new ParallelArray(jsarray);
  assertParallelArrayModesEq(["seq", "par", "par"], expected, function(m) {
    var result = parray[opname].apply(parray, [func, m]);
  }, expect);
}
function testFilter(jsarray, func) {
  compareAgainstArray(jsarray, "filter", func);
  assertParallelArrayModesEq(["seq", "par", "par"], expected, function(m) {});
}
```
Reporter
Comment 1•11 years ago
Reporter
Comment 2•11 years ago
Crash trace:

```
Program received signal SIGSEGV, Segmentation fault.
js::types::TypeObject::readBarrier (type=<optimized out>) at ../jsinferinlines.h:1698
1698 if (zone->needsBarrier()) {
#0 js::types::TypeObject::readBarrier (type=<optimized out>) at ../jsinferinlines.h:1698
#1 0x00000000004e9968 in typeObject (this=<synthetic pointer>) at ../jsinferinlines.h:1348
#2 js::types::TypeString (type=...) at js/src/jsinfer.cpp:206
#3 0x00000000004eb76a in TypeObjectString (type=0x7ffff6567078) at js/src/jsinfer.cpp:214
#4 TypeObject (unknown=true, function=<optimized out>, proto=..., clasp=0x1805f40, this=<optimized out>) at ../jsinferinlines.h:1573
#5 js::types::TypeCompartment::newTypeObject (this=<optimized out>, cx=0x185d730, clasp=0x1805f40, proto=..., unknown=true) at js/src/jsinfer.cpp:2455
#6 0x00000000004fe2c5 in JSCompartment::getNewType (this=0x1880ba0, cx=0x185d730, clasp=0x1805f40, proto_=..., fun_=0x0) at js/src/jsinfer.cpp:6215
#7 0x000000000054b74d in js::NewObjectWithGivenProto (cx=0x185d730, clasp=0x1805f40, proto_=..., parent_=<optimized out>, allocKind=js::gc::FINALIZE_OBJECT2, newKind=js::SingletonObject) at js/src/jsobj.cpp:1300
rax 0xf655d700 -1125900068989184
rip 0x45be22 <js::types::TypeObject::readBarrier(js::types::TypeObject*)+50>
=> 0x45be22 <js::types::TypeObject::readBarrier(js::types::TypeObject*)+50>: cmpb $0x0,(%rax)
```

Crashes only in a debug build for me. S-s because the memory being read here points to a bad address.
Whiteboard: [jsbugmon:update,bisect]
Reporter
Updated•11 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 3•11 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

```
The first bad revision is:
changeset: 132612:b2216a10f95b
user: Shu-yu Guo
date: Tue May 21 23:52:45 2013 -0700
summary: Bug 867471 - Part 2: Compile rest parameter in Ion for sequential execution. (r=djvj)
```

This iteration took 9.919 seconds to run.
Reporter
Comment 4•11 years ago
Attachment #753762 - Attachment is obsolete: true
Assignee
Comment 5•11 years ago
Another stupid mistake.
Assignee: general → shu
Attachment #753933 - Flags: review?
Assignee
Updated•11 years ago
Attachment #753933 - Flags: review? → review?(kvijayan)
Updated•11 years ago
Attachment #753933 - Flags: review?(kvijayan) → review+
Assignee
Comment 7•11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/4aa62afd5aa9
Comment 8•11 years ago
https://hg.mozilla.org/mozilla-central/rev/4aa62afd5aa9
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox24: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Reporter
Updated•11 years ago
Status: RESOLVED → VERIFIED
Reporter
Comment 9•11 years ago
JSBugMon: This bug has been automatically verified fixed.
Reporter
Comment 10•11 years ago
Assuming sec-high based on the invalid read.
Keywords: csec-bounds, sec-high
Updated•11 years ago
status-firefox23: --- → unaffected
status-firefox-esr17: --- → unaffected
Updated•11 years ago
Comment 11•11 years ago
Based on comment 9
Updated•11 years ago
status-b2g18: --- → unaffected