Closed Bug 925848 Opened 11 years ago Closed 11 years ago

Crash with SIGTRAP and range analysis

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla27
Tracking Flags:
Tracking Status
firefox26 --- unaffected
firefox27 --- fixed
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.2 --- unaffected

People

(Reporter: decoder, Assigned: sunfish)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [qa-])

Attachments

(1 file)

range-nan-with-bounds.patch
1.74 KB, patch
nbp
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 672cd63528d3 (threadsafe build, run with --ion-check-range-analysis --ion-eager):


var TIME_1900 = -2208988800000;
var array = new Array();
array[array.length] = new Date( TIME_1900 * Math.PI );
array[array.length] = new Date( TIME_1900 * 10 );
var stringarr = new Array();
clone( array, stringarr );
stringarr.sort( stringsort );
function clone( source, target ) {
  for (i = 0; i < source.length; i++ ) {
    target[i] = source[i];
  }
}
function stringsort( x, y ) {
  for ( var i = 0; i < x.toString().length; i++ ) {
    var d = x.length - y.length;
    if  ( d > 0 ) {
    } else {
      if ( d < 0 ) {}
    }
  }
}
Dan, do you have an idea on whether this is related to any of the recent range analysis work?
Flags: needinfo?(sunfish)
Yes, I can confirm this is due to my range analysis changes.
Assignee: general → sunfish
Flags: needinfo?(sunfish)

        Attachment #817492 -
        Flags: review?(nicolas.b.pierron)

        Attachment #817492 -
        Flags: review?(nicolas.b.pierron) → review+

    
    

    
  
Since this was caused by my recent range analysis changes, I just checked the fix in:

https://hg.mozilla.org/integration/mozilla-inbound/rev/d0fc1cc4c62b

    
    

    
  
fixed in mozilla-central https://hg.mozilla.org/mozilla-central/rev/d0fc1cc4c62b
Status: NEW → RESOLVED
Closed: 11 years ago

          status-firefox27:
          --- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Keywords: verifyme

    
    

    
  
Cleaning up list of security bugs for b2g18. This bug doesn't need to be backported either due to it affecting a later version of Fx or another reason.

          status-b2g18:
          --- → unaffected
Keywords: verifyme
Whiteboard: [qa-]

    
  
Blocks: 924920
Group: core-security

          status-b2g-v1.2:
          --- → unaffected

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: