Closed Bug 936403 Opened 12 years ago Closed 12 years ago

Crash [@ operator] or [@ JSObject::nativeSetSlotWithType] or Assertion failure: obj, at dist/include/js/Value.h

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla28
Tracking Flags:
Tracking Status
firefox27 --- unaffected
firefox28 --- fixed
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- ?

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(5 keywords, Whiteboard: [jsbugmon:])

Crash Data

Attachments

(2 files)

stacks
3.93 KB, text/plain
Details
patch
1.98 KB, patch
jandem
: review+
Details | Diff | Splinter Review
Attached file stacks
s = newGlobal() function f(code) { evalcx(code, s) } f("\ c = [];\ var x;\ for each(z in[\ x,,[],,new Number,,,,new Number,,,,new Number,new Number,[],\ ,,,[],,new Number,,new Number,,[],new Number,[],,,,,,[],\ new Number,,new Number,[],,[],,,,[],,[],,,,,,,,,[],[],,[],\ [],[],,new Number,[],[],,[],,new Number,new Number,new Number,\ new Number,new Number,,,new Number,new Number,,[],[],[],,,[],\ [],[],new Number,,new Number,,,,,[],new Number,new Number,[],\ [],[],[],,x,[]]\ ) {\ c = z\ };\ "); f("c"); asserts js debug shell on m-c changeset c44f12776a87 with --ion-eager at Assertion failure: obj, at dist/include/js/Value.h and unreduced variants of this used to crash at operator with JSObject::nativeSetSlotWithType on the stack. My configure flags are: sh ./configure --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache --disable-threadsafe
Tested on 64-bit debug shell on Ubuntu Linux 13.04.
Turning s-s to be safe, there's a gc line on the crash stack and there are a few memory addresses at the bottom of the assertion stack too.
Group: core-security
Crash Signature: [@ operator] [@ JSObject::nativeSetSlotWithType] → [@ operator] [@ JSObject::nativeSetSlotWithType]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Crash Signature: [@ operator] [@ JSObject::nativeSetSlotWithType] → [@ operator] [@ JSObject::nativeSetSlotWithType]
Component: JavaScript Engine → JavaScript Engine: JIT
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/636620b3af0a user: Brian Hackett date: Tue Oct 29 16:10:59 2013 -0600 summary: Bug 930048 - Remove need to read objects directly when optimizing singleton accesses, r=jandem. Brian, is bug 930048 a likely regressor?
Blocks: 930048
Flags: needinfo?(bhackett1024)
Is this just a null pointer deref or am I misreading the stacks?
Attached patch patchSplinter Review
Baseline update ICs could write undefined values to global slots without the undefined value being reflected in the global's type information.
Assignee: general → bhackett1024
Attachment #832289 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Attachment #832289 - Flags: review?(jdemooij) → review+
Yeah, this is a null pointer deref. https://hg.mozilla.org/integration/mozilla-inbound/rev/4f05b7cf7d11
Group: core-security
No clue why that unset s-s.
Group: core-security
https://hg.mozilla.org/mozilla-central/rev/4f05b7cf7d11
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox28: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Per comment 4 b2g18 and b2g1.1 are unaffected. The changeset landed after the Fx26 branch so b2g1.2 /should/ be okay
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → ?
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: