Closed
Bug 936004
Opened 11 years ago
Closed 11 years ago
Assertion failure: is<CallObject>() || is<ClonedBlockObject>(), at ../vm/ScopeObject.h:771 Crash [@ slotSpan] or Crash [@ js::jit::MacroAssembler::initGCThing]
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
VERIFIED
FIXED
mozilla28
| Tracking | Status | |
|---|---|---|
| firefox26 | --- | unaffected |
| firefox27 | --- | unaffected |
| firefox28 | + | fixed |
| firefox-esr24 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(5 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])
Crash Data
Attachments
(2 files)
|
1.78 KB,
text/plain
|
Details | |
|
1.89 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 70de5e24d79b (run with --fuzzing-safe --ion-eager):
function f(... f) {
function g() {
gc();
}
g();
}
function h() {
f([false, true]) = Math.floor(-0);
}
f();
h();
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Comment 2•11 years ago
|
||
Looks like a critical crash on 64 bit:
Program received signal SIGSEGV, Segmentation fault.
js::jit::MacroAssembler::initGCThing (this=0x15058b0, obj=..., templateObject=0x7ffff694ef40) at js/src/jit/IonMacroAssembler.cpp:825
825 if (templateObject->hasPrivate()) {
#0 js::jit::MacroAssembler::initGCThing (this=0x15058b0, obj=..., templateObject=0x7ffff694ef40) at js/src/jit/IonMacroAssembler.cpp:825
#1 0x000000000068dd71 in js::jit::CodeGenerator::visitRest (this=0x1505870, lir=0x15007a8) at js/src/jit/CodeGenerator.cpp:5586
#2 0x000000000068b23f in js::jit::CodeGenerator::generateBody (this=0x1505870) at js/src/jit/CodeGenerator.cpp:2837
#3 0x000000000068df24 in js::jit::CodeGenerator::generate (this=0x1505870) at js/src/jit/CodeGenerator.cpp:5706
#4 0x00000000006aae28 in GenerateCode (lir=0x1500198, mir=0x144bcb8, maybeMasm=<optimized out>) at js/src/jit/Ion.cpp:1461
#5 CompileBackEnd (mir=0x144bcb8, maybeMasm=<optimized out>) at js/src/jit/Ion.cpp:1480
#6 js::jit::IonCompile (cx=0x1439790, script=0x144bcb8, baselineFrame=0x0, osrPc=0x7fffffffbb00 "", constructing=false, executionMode=js::SequentialExecution) at js/src/jit/Ion.cpp:1678
#7 0x00000000006ab034 in js::jit::Compile (cx=0x1439790, script=..., osrFrame=<optimized out>, osrPc=<optimized out>, constructing=<optimized out>, executionMode=js::SequentialExecution) at js/src/jit/Ion.cpp:1824
rax 0x4d055000 5587161088
rip 0x70d5b0 <js::jit::MacroAssembler::initGCThing(js::jit::Register const&, JSObject*)+1472>
=> 0x70d5b0 <js::jit::MacroAssembler::initGCThing(js::jit::Register const&, JSObject*)+1472>: testb $0x1,0x8(%rax)
Also causes various other signatures, marking sec-critical.Crash Signature: [@ slotSpan]
[@ js::jit::MacroAssembler::initGCThing]
Keywords: crash,
sec-critical
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
|
Assignee | |
Comment 3•11 years ago
|
||
Rest_Fallback ICs weren't being marked properly.
Assignee: general → bhackett1024
Attachment #828701 -
Flags: review?(jdemooij)
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ slotSpan]
[@ js::jit::MacroAssembler::initGCThing] → [@ slotSpan]
[@ js::jit::MacroAssembler::initGCThing]
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
|
|
Reporter | |
Comment 4•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/3f88f1e41372 user: Brian Hackett date: Tue Nov 05 17:54:29 2013 -0800 summary: Bug 935027 - Don't create 'rest' template objects in IonBuilder, r=jandem. This iteration took 424.723 seconds to run.
|
||
Updated•11 years ago
|
Crash Signature: [@ slotSpan]
[@ js::jit::MacroAssembler::initGCThing] → [@ slotSpan]
[@ js::jit::MacroAssembler::initGCThing]
status-b2g18:
--- → unaffected
status-firefox26:
--- → unaffected
status-firefox27:
--- → unaffected
status-firefox28:
--- → affected
status-firefox-esr24:
--- → unaffected
|
|
||
Updated•11 years ago
|
Blocks: 935027
Keywords: regression
|
||
Updated•11 years ago
|
Attachment #828701 -
Flags: review?(jdemooij) → review+
|
||
Updated•11 years ago
|
tracking-firefox28:
--- → +
|
|
Assignee | |
Comment 5•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/92499f6abfa8
|
||
Comment 7•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/92499f6abfa8
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
|
|
Reporter | |
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
Crash Signature: [@ slotSpan]
[@ js::jit::MacroAssembler::initGCThing] → [@ slotSpan]
[@ js::jit::MacroAssembler::initGCThing]
|
|
Reporter | |
Comment 8•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•