Closed
Bug 947661
Opened 11 years ago
Closed 11 years ago
Crash at a weird memory address with [@ EnterBaseline] or [@ js::jit::EnterBaselineMethod] on the stack
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
VERIFIED
FIXED
mozilla28
| Tracking | Status | |
|---|---|---|
| firefox27 | --- | unaffected |
| firefox28 | --- | verified |
| firefox-esr24 | --- | unaffected |
| b2g18 | --- | unaffected |
| b2g-v1.1hd | --- | unaffected |
| b2g-v1.2 | --- | unaffected |
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files)
|
8.19 KB,
text/plain
|
Details | |
|
1.25 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
(function() {
var x, y, z = (let(x) eval())
})()
crashes js debug and opt shell on m-c changeset edac8cba9f78 with --ion-eager at a weird memory address with EnterBaseline on the stack.
s-s because 0xfff9000000000000 seems to be accessed, locking just-in-case.
My configure flags are:
CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache --enable-threadsafe <other NSPR options>
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ EnterBaseline] → [@ EnterBaseline]
[@ js::jit::EnterBaselineMethod]
Summary: Crash at a weird memory address with [@ EnterBaseline] on the stack → Crash at a weird memory address with [@ EnterBaseline] or [@ js::jit::EnterBaselineMethod] on the stack
|
|
Reporter | |
Comment 1•11 years ago
|
||
=== Tinderbox Build Bisection Results ===
Last "good" changeset has timestamp "20131207111101" and the hash "b50d803d0ad5"
First "bad" changeset has timestamp "20131207151002" and the hash "edac8cba9f78"
Likely regression window: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b50d803d0ad5&tochange=edac8cba9f78
===
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/5bb192fc539e
user: Brian Hackett
date: Sat Dec 07 11:03:07 2013 -0800
summary: Bug 944930 - Remove block index from aliasedvar ops, use a binary search to find the block chain for a given pc, r=luke.
Brian, is bug 944930 a possible regressor?
Flags: needinfo?(bhackett1024)
|
Assignee | |
Comment 2•11 years ago
|
||
Stupid bounds check error.
Assignee: general → bhackett1024
Attachment #8344345 -
Flags: review?(luke)
Flags: needinfo?(bhackett1024)
|
|
Assignee | |
Comment 4•11 years ago
|
||
Pushing ahead of review to maybe make tomorrow's nightly.
https://hg.mozilla.org/integration/mozilla-inbound/rev/cb0546838451
|
||
Comment 5•11 years ago
|
||
landed on central https://hg.mozilla.org/mozilla-central/rev/cb0546838451
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox28:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
|
||
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
Crash Signature: [@ EnterBaseline]
[@ js::jit::EnterBaselineMethod] → [@ EnterBaseline]
[@ js::jit::EnterBaselineMethod]
|
|
||
Comment 6•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
||
Updated•11 years ago
|
Attachment #8344345 -
Flags: review?(luke) → review+
Crash Signature: [@ EnterBaseline]
[@ js::jit::EnterBaselineMethod] → [@ EnterBaseline]
[@ js::jit::EnterBaselineMethod]
|
||
Updated•11 years ago
|
status-b2g18:
--- → unaffected
status-b2g-v1.1hd:
--- → unaffected
status-b2g-v1.2:
--- → unaffected
status-firefox27:
--- → unaffected
status-firefox-esr24:
--- → unaffected
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•