Closed
Bug 930543
Opened 11 years ago
Closed 11 years ago
Assertion failure: JSVAL_IS_DOUBLE_IMPL(l), at dist/include/js/Value.h:406 or Crash [@ js::LoadScalarfloat::Func] or Crash [@ js::jit::BaselineScript::nativeCodeForPC]
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
VERIFIED
FIXED
mozilla28
| Tracking | Status | |
|---|---|---|
| firefox26 | --- | disabled |
| firefox27 | --- | disabled |
| firefox28 | + | fixed |
| firefox-esr17 | --- | unaffected |
| firefox-esr24 | --- | unaffected |
| b2g18 | --- | unaffected |
| b2g-v1.2 | --- | disabled |
People
(Reporter: decoder, Assigned: nmatsakis)
Details
(4 keywords, Whiteboard: [jsbugmon:update][fuzzblocker])
Crash Data
Attachments
(2 files, 1 obsolete file)
|
2.79 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
|
917 bytes,
text/plain
|
Details |
The following testcase asserts on mozilla-central revision 19fd3388c372 (run with --fuzzing-safe):
var T = TypedObject;
var Point = new T.ArrayType(T.float32, 3);
var Line = new T.StructType({from: Point, to: Point});
var Lines = new T.ArrayType(Line, 3);
var lines = new Lines([
{from: [1, 2, 3], to: [4, 5, 6]},
{from: [7, 8, 9], to: [10, 11, 12]},
{from: [13, 14, 15], to: [16, 17, 18]}
]);
function allPoints(lines, func) {
var handle = Point.handle();
for (var i = 0; i < lines.length; i-- ) {
T.Handle.move(handle, lines, i, "from");
func(handle);
}
}
allPoints(lines, function(p) {
p[0] += 100;
});
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Comment 2•11 years ago
|
||
Optimized trace: Program received signal SIGSEGV, Segmentation fault. 0x0000000000a0be25 in js::LoadScalarfloat::Func (argc=<optimized out>, vp=0x7fffffffa1b8) at js/src/builtin/TypedObject.cpp:2528 2528 JS_FOR_EACH_UNIQUE_SCALAR_TYPE_REPR_CTYPE(JS_LOAD_SCALAR_CLASS_IMPL) #0 0x0000000000a0be25 in js::LoadScalarfloat::Func (argc=<optimized out>, vp=0x7fffffffa1b8) at js/src/builtin/TypedObject.cpp:2528 #1 0x00007ffff7f30f1b in ?? () #2 0xfffbfffff6246370 in ?? () #3 0x00007fffffffa190 in ?? () #4 0x0000000000000000 in ?? () rax 0x1808298 4320166552 r12 0x0 0 => 0xa0be25 <js::LoadScalarfloat::Func(js::ThreadSafeContext*, unsigned int, JS::Value*)+277>: movss (%rax,%r12,1),%xmm0 S-s and sec-critical due to dangerous crash.
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ js::LoadScalarfloat::Func]
[@ js::jit::BaselineScript::nativeCodeForPC]
Keywords: crash,
sec-critical
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ js::LoadScalarfloat::Func]
[@ js::jit::BaselineScript::nativeCodeForPC] → [@ js::LoadScalarfloat::Func]
[@ js::jit::BaselineScript::nativeCodeForPC]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 3•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/35a83682c173 user: Nicholas D. Matsakis date: Wed Sep 11 16:24:23 2013 -0400 summary: Bug 898342 - Implement movable handles for Typed Objects r=till This iteration took 425.481 seconds to run.
|
||
Updated•11 years ago
|
Crash Signature: [@ js::LoadScalarfloat::Func]
[@ js::jit::BaselineScript::nativeCodeForPC] → [@ js::LoadScalarfloat::Func]
[@ js::jit::BaselineScript::nativeCodeForPC]
Flags: needinfo?(nmatsakis)
|
Assignee | |
Updated•11 years ago
|
Assignee: general → nmatsakis
|
|
Assignee | |
Comment 5•11 years ago
|
||
Forgot to check for negative indices (sigh).
|
|
Assignee | |
Comment 6•11 years ago
|
||
Attachment #823378 -
Flags: review?(jdemooij)
|
|
||
Updated•11 years ago
|
Attachment #823378 -
Flags: review?(jdemooij) → review+
|
|
Reporter | |
Comment 7•11 years ago
|
||
Attachment #821694 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
|
||
Updated•11 years ago
|
status-b2g18:
--- → unaffected
status-firefox26:
--- → disabled
status-firefox27:
--- → disabled
status-firefox28:
--- → affected
status-firefox-esr17:
--- → unaffected
status-firefox-esr24:
--- → unaffected
tracking-firefox28:
--- → +
|
|
Assignee | |
Comment 8•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/54c65daa9bed
|
||
Comment 9•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/54c65daa9bed
Status: NEW → RESOLVED
Closed: 11 years ago
status-b2g-v1.2:
--- → disabled
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
|
|
Reporter | |
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::LoadScalarfloat::Func]
[@ js::jit::BaselineScript::nativeCodeForPC] → [@ js::LoadScalarfloat::Func]
[@ js::jit::BaselineScript::nativeCodeForPC]
|
|
Reporter | |
Comment 10•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•