Closed Bug 925848 Opened 6 years ago Closed 6 years ago

Crash with SIGTRAP and range analysis

Categories

(Core :: JavaScript Engine, defect, critical)

Hardware: x86
OS: Linux
Priority: Not set

Tracking

RESOLVED FIXED
mozilla27
Tracking Status
firefox26 --- unaffected
firefox27 --- fixed
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.2 --- unaffected

People

(Reporter: decoder, Assigned: sunfish)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [qa-])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 672cd63528d3 (threadsafe build, run with --ion-check-range-analysis --ion-eager):


var TIME_1900 = -2208988800000;
var array = new Array();
array[array.length] = new Date( TIME_1900 * Math.PI );
array[array.length] = new Date( TIME_1900 * 10 );
var stringarr = new Array();
clone( array, stringarr );
stringarr.sort( stringsort );
function clone( source, target ) {
  for (i = 0; i < source.length; i++ ) {
    target[i] = source[i];
  }
}
function stringsort( x, y ) {
  for ( var i = 0; i < x.toString().length; i++ ) {
    var d = x.length - y.length;
    if  ( d > 0 ) {
    } else {
      if ( d < 0 ) {}
    }
  }
}

Dan, do you have an idea on whether this is related to any of the recent range analysis work?
Flags: needinfo?(sunfish)
Yes, I can confirm this is due to my range analysis changes.
Assignee: general → sunfish
Flags: needinfo?(sunfish)
Attachment #817492 - Flags: review?(nicolas.b.pierron)
Attachment #817492 - Flags: review?(nicolas.b.pierron) → review+
Since this was caused by my recent range analysis changes, I just checked the fix in:

https://hg.mozilla.org/integration/mozilla-inbound/rev/d0fc1cc4c62b
fixed in mozilla-central https://hg.mozilla.org/mozilla-central/rev/d0fc1cc4c62b
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Keywords: verifyme
Cleaning up list of security bugs for b2g18. This bug doesn't need to be backported either due to it affecting a later version of Fx or another reason.
Keywords: verifyme
Whiteboard: [qa-]
Blocks: 924920
Group: core-security