Bug 991217 (Closed)
Opened 10 years ago, Closed 10 years ago

Assertion failure: IsCompatibleLIRCoercion(def->type(), as->type()), at jit/shared/Lowering-shared-inl.h:195 or Crash on Heap with invalid read/write

Categories: Core :: JavaScript Engine: JIT, defect
Status: RESOLVED WORKSFORME
People: Reporter: decoder, Assigned: nmatsakis
Details: 4 keywords, Whiteboard: [jsbugmon:ignore]
Attachments: 1 file, 1 obsolete file (618 bytes, text/plain)
Description (Reporter) • 10 years ago

The following testcase asserts on mozilla-central revision 4941a2ac0786 (threadsafe build, run with --fuzzing-safe --thread-count=2):

gczeal(4);
setJitCompilerOption("ion.usecount.trigger", 30);
var N2 = 150;
var T = TypedObject;
var Array2 = T.uint32.array(N2);
function foo() {
  var array2 = new Array2();
  // This loop never runs: 0x0451 << 0x7fffffff evaluates to -2147483648,
  // so the undefined array1 is never touched.
  for (var i = 0; i < 0x0451 << 0x7fffffff; array2++)
    array1[i] = i + 1;
  for (var i = 0; i < N2; i++)
    array2[i] = i + 2;
}
foo();
Comment 1 (Reporter) • 10 years ago

Crashes release builds with crashes on the heap, e.g.:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e51fa5 in ?? ()
(gdb) x /i $pc
=> 0x7ffff7e51fa5: mov 0x30(%rcx),%r11
(gdb) info reg rcx
rcx            0xfffbfffff4a65040 -1125900097269696

Crashes look dangerous, marking s-s.
Comment 2 (Reporter) • 10 years ago

Updated (Assignee) • 10 years ago
Assignee: nobody → nmatsakis
Updated (Reporter) • 10 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3 (Reporter) • 10 years ago

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/b2ed6214694f
user:      Nicholas D. Matsakis
date:      Mon Feb 10 14:48:51 2014 -0500
summary:   Bug 898356 Part 4 -- Check for neutered typed object unless the check is covered by a length check r=jandem

This iteration took 2.614 seconds to run.
Updated • 10 years ago
Group: javascript-core-security
Comment 5 • 10 years ago

Niko, any update here? Does this only affect typed objects?
Updated • 10 years ago
status-firefox32: --- → affected

Updated (Reporter) • 10 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 6 (Reporter) • 10 years ago

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 48eee276b1ee).
Updated (Reporter) • 10 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Comment 7 (Reporter) • 10 years ago

Test seems to be intermittent, this still reproduces sometimes, even in JSBugMon.

Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:ignore]
Updated • 10 years ago
status-firefox33: --- → affected

Updated • 10 years ago
status-firefox34: --- → affected
Comment 8 (Assignee) • 10 years ago

Attachment #8469563 - Flags: review?(jdemooij)
Flags: needinfo?(nmatsakis)
Comment 9 (Assignee) • 10 years ago

Comment on attachment 8469563 [details] [diff] [review] Bug991217.diff

Attached patch to wrong bug.

Attachment #8469563 - Attachment is obsolete: true
Attachment #8469563 - Flags: review?(jdemooij)
Updated • 10 years ago
Flags: needinfo?(nmatsakis)
Comment 10 (Assignee) • 10 years ago

I did some investigation of this problem but was not yet able to reproduce. It is almost certainly similar to bug 1029130 -- that is, it could be fixed by an object policy on an appropriate node. (Maybe even a dup.)

Flags: needinfo?(nmatsakis)
Comment 12 (Reporter) • 10 years ago

Doesn't seem to reproduce anymore, marking WFM :)

Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Updated (Reporter) • 10 years ago
Flags: needinfo?(choller)

Updated • 9 years ago
Group: javascript-core-security

Updated • 9 years ago
Group: core-security → core-security-release

Updated • 7 years ago
Group: core-security-release