Assertion failure: index < natoms, at ../jsscript.h:772 or Crash [@ range]

RESOLVED FIXED in mozilla24

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 5 years ago
Modified: 4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla24
Platform: x86_64
OS: Linux
Keywords: assertion, crash, regression, testcase
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update,ignore], crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
The following testcase asserts on mozilla-central revision df526497d949 (run with --ion-eager):

// Testcase from the report; run in the JS shell with --ion-eager.
eval("(function() { \
var f = '';\
var flags = new Array(); \
flags[2] = 'm';\
flags[3] = undefined;\
test();\
function test() {\
    for (j in flags)\
      f = flags[j];\
  }\
" + " })();");
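As an added example (not code from this bug or from the SpiderMonkey tree), the following Python shows how a JSBugMon-style triage script can classify repeated runs of a testcase like the one above: a debug build reports the assertion text and location, an opt build dies with a signal and no message, and, because opt-build crashes can be non-deterministic (see comment 2), the testcase has to be run several times before "no longer reproduces" is trusted. The `RunResult` inputs are constructed here; `run_js_shell` shows how such results would be gathered from a real `js` binary with `--ion-eager` but is not exercised by the embedded samples.

```python
"""Crash-triage helpers for JS shell testcase runs (added example)."""
import re
import signal
import subprocess
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Matches the line a debug SpiderMonkey build prints on a failed assertion, e.g.
#   Assertion failure: index < natoms, at ../jsscript.h:772
ASSERTION_RE = re.compile(
    r"^Assertion failure: (?P<cond>.+?), at (?P<path>\S+?):(?P<line>\d+)\s*$"
)


@dataclass(frozen=True)
class RunResult:
    """Outcome of one shell invocation (subprocess convention: rc < 0 means killed by a signal)."""
    returncode: int
    stderr: str


@dataclass(frozen=True)
class Verdict:
    kind: str        # "assertion", "crash" or "no-repro"
    signature: str   # stable string for comparing runs across revisions/builds


def classify(result: RunResult) -> Verdict:
    """Turn one run into a verdict; the assertion text beats the raw signal when both exist."""
    for line in result.stderr.splitlines():
        m = ASSERTION_RE.match(line.strip())
        if m:
            basename = m.group("path").rsplit("/", 1)[-1]  # drop ../ build-dir prefixes
            return Verdict("assertion", f"{m.group('cond')} @ {basename}:{m.group('line')}")
    if result.returncode < 0:
        try:
            name = signal.Signals(-result.returncode).name
        except ValueError:
            name = f"signal {-result.returncode}"
        return Verdict("crash", name)
    return Verdict("no-repro", "")


def repro_rate(runs: Iterable[RunResult]) -> Counter:
    """Tally verdict kinds over repeated runs; flaky opt-build crashes need many runs."""
    return Counter(classify(r).kind for r in runs)


def reproduces(runs: Iterable[RunResult], min_bad: int = 1) -> bool:
    """True when at least min_bad runs ended in an assertion or a crash."""
    tally = repro_rate(runs)
    return tally["assertion"] + tally["crash"] >= min_bad


def run_js_shell(js_path: str, testcase_path: str, times: int = 10) -> List[RunResult]:
    """Run the testcase under --ion-eager `times` times (assumes a built js shell at js_path)."""
    results = []
    for _ in range(times):
        proc = subprocess.run([js_path, "--ion-eager", testcase_path],
                              capture_output=True, text=True, timeout=60)
        results.append(RunResult(proc.returncode, proc.stderr))
    return results


# Constructed sample outcomes (not captured from a real build).
DEBUG_RUN = RunResult(-6, "Assertion failure: index < natoms, at ../jsscript.h:772\n")
OPT_CRASH = RunResult(-11, "")
CLEAN_RUN = RunResult(0, "")
OPT_RUNS = [OPT_CRASH, CLEAN_RUN, CLEAN_RUN, OPT_CRASH, CLEAN_RUN]

if __name__ == "__main__":
    print(classify(DEBUG_RUN))
    print(classify(OPT_CRASH))
    print(repro_rate(OPT_RUNS), "reproduces:", reproduces(OPT_RUNS))
```

The signature string keeps only the assertion condition and the file basename, so the same bug is recognised whether the build directory was `../` or an absolute path; for opt builds the signal name is the only stable token, which is why comment 4's "random address" crashes all collapse to one `SIGSEGV` verdict here.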
(Reporter)

Comment 1

5 years ago
Created attachment 753772 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Comment 2

5 years ago
S-s because this is a dangerous range assertion and it non-deterministically crashes in opt builds.
Crash Signature: [@ range]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Comment 3

5 years ago
Created attachment 753775 [details]
[crash-signature] Machine-readable crash signature
Attachment #753772 - Attachment is obsolete: true
(Reporter)

Comment 4

5 years ago
This can also lead to heap crashes with a random address not covered by the machine-readable signature here.
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 5

5 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132759:b9beff192aa2
user:        Brian Hackett
date:        Thu May 23 05:59:53 2013 -0600
summary:     Bug 864218 - Improve performance when accessing variables defined in run-once closures, r=luke,jandem.

This iteration took 322.733 seconds to run.
(Reporter)

Comment 6

5 years ago
Brian, can you take a look based on comment 5? Thanks.
Flags: needinfo?(bhackett1024)
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
(Reporter)

Comment 7

5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 7a2f7a45819a).
Blocks: 864218
Keywords: regression
Looks like it went away when bug 864218 was backed out.
(Assignee)

Comment 9

5 years ago
Created attachment 754882 [details] [diff] [review]
patch
Assignee: general → bhackett1024
Attachment #754882 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
(Assignee)

Comment 10

5 years ago
Opening this up since 864218 is no longer in the tree.
Group: core-security

Updated

5 years ago
Attachment #754882 - Flags: review?(jdemooij) → review+
(Nice, it looks like this bug caused the DoTypeUpdateFallback topcrash, bug 875757.)
Fix landed as part of bug 864218.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
No longer blocks: 864218
Depends on: 864218
Target Milestone: --- → mozilla24