Closed Bug 1006561 Opened 11 years ago Closed 11 years ago

crash in @0x123fe1307

Categories

(Core :: JavaScript Engine: JIT, defect)

defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1006301

People

(Reporter: TheOne, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [sg:dupe 1006301])

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-303be8b0-db21-41cd-b491-b75fe2140506. ============================================================= I can reproduce on Nightly 2014-05-06 both on Mac and Linux (haven't tested Windows), seems not to be reproducible on 2014-05-05. Cannot reprod on current asan build as that one is slightly older than the current Nightly. STR: Open https://addons.mozilla.org/en-US/firefox/files/compare/255780...253002/file/chrome/content/common.js (You might need a reviewer or admin account on amo because the source code for this particular add-on is not public. But for others it might be public, then no login is needed.) Regression window will follow...
EXC_ARITHMETIC (SIGFPE). No stacktrace :-( Might you be able to provide a minimized testcase that we can attach here?
Flags: needinfo?(mail)
Sadly, I currently have no clue what makes Nightly creash. The page is quite complex. I am however currently building a Mac asan build, should be done soonish, I hope I can provide a stracktrace then. I also could provide a static html dump of that page mentioned in the STR. Nightly crashes with just that, too. Would that help?
Flags: needinfo?(mail)
Yes, that would be very helpful!
Attached file non-minimal testcase (deleted) —
Stacktrace: Assertion failure: ins->lhs()->type() == MIRType_Int32, at /Users/awagner/mozilla/mozilla-central/js/src/jit/Lowering.cpp:1545 ASAN:SIGSEGV ================================================================= ==53021==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010d5e5c85 sp 0x00011ec6b5e0 bp 0x00011ec6b6f0 T19) AddressSanitizer can not provide additional info. #0 0x10d5e5c84 in js::jit::LIRGenerator::visitMod(js::jit::MMod*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x924ec84) #1 0x10d07d96a in js::jit::MMod::accept(js::jit::MInstructionVisitor*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x8ce696a) #2 0x10d63a7dd in js::jit::LIRGenerator::visitInstruction(js::jit::MInstruction*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x92a37dd) #3 0x10d63b7b6 in js::jit::LIRGenerator::visitBlock(js::jit::MBasicBlock*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x92a47b6) #4 0x10d63c409 in js::jit::LIRGenerator::generate() (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x92a5409) #5 0x10d3bd31d in js::jit::GenerateLIR(js::jit::MIRGenerator*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x902631d) #6 0x10d3c0849 in js::jit::CompileBackEnd(js::jit::MIRGenerator*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9029849) #7 0x10dd3e4ee in js::WorkerThread::handleIonWorkload() (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x99a74ee) #8 0x10dd3c540 in js::WorkerThread::threadLoop() (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x99a5540) #9 0x103d0ba73 in _pt_root (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./libnss3.dylib+0x4daa73) #10 0x10002f914 in __asan::AsanThread::ThreadStart(unsigned long) (/Users/awagner/mozilla/llvm/build/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x1f914) #11 0x7fff93474729 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x1729) #12 0x7fff93478fc8 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x5fc8) SUMMARY: AddressSanitizer: SEGV ??:0 js::jit::LIRGenerator::visitMod(js::jit::MMod*) Thread T19 created by T0 here: #0 0x100022b01 in wrap_pthread_create (/Users/awagner/mozilla/llvm/build/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x12b01) #1 0x103d06b01 in _PR_CreateThread (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./libnss3.dylib+0x4d5b01) #2 0x103d0644a in PR_CreateThread (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./libnss3.dylib+0x4d544a) #3 0x10dd33a46 in js::GlobalWorkerThreadState::ensureInitialized() (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x999ca46) #4 0x10dd40d2a in js::StartOffThreadCompression(js::ExclusiveContext*, js::SourceCompressionTask*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x99a9d2a) #5 0x10dba6287 in js::ScriptSource::setSourceCopy(js::ExclusiveContext*, JS::SourceBufferHolder&, bool, js::SourceCompressionTask*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x980f287) #6 0x10cd75e14 in js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, unsigned int, js::SourceCompressionTask*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x89dee14) #7 0x10d8f2d0c in JS::Compile(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x955bd0c) #8 0x107df7b75 in mozJSSubScriptLoader::ReadScript(nsIURI*, JSContext*, JSObject*, nsAString_internal const&, char const*, nsIIOService*, nsIPrincipal*, bool, JSScript**, JSFunction**) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x3a60b75) #9 0x107dfa8ef in mozJSSubScriptLoader::DoLoadSubScriptWithOptions(nsAString_internal const&, LoadSubScriptOptions&, JSContext*, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x3a638ef) #10 0x107df86be in mozJSSubScriptLoader::LoadSubScript(nsAString_internal const&, JS::Handle<JS::Value>, nsAString_internal const&, JSContext*, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x3a616be) #11 0x1045c6358 in NS_InvokeByIndex (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x22f358) #12 0x107d7668b in CallMethodHelper::Call() (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x39df68b) #13 0x107d26773 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x398f773) #14 0x107d2c1db in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x39951db) #15 0x10df5db85 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9bc6b85) #16 0x10def8e96 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61e96) #17 0x10dedc51f in Interpret(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b4551f) #18 0x10deb9cf4 in js::RunScript(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b22cf4) #19 0x10def8eb3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61eb3) #20 0x10da34c0d in js_fun_apply(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x969dc0d) #21 0x10df5db85 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9bc6b85) #22 0x10def8e96 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61e96) #23 0x10defaf34 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b63f34) #24 0x10db591a0 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97c21a0) #25 0x10dd4f189 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x99b8189) #26 0x10db84033 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97ed033) #27 0x10db8dbea in js::proxy_Call(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97f6bea) #28 0x10df5db85 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9bc6b85) #29 0x10def8e96 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61e96) #30 0x10dedc51f in Interpret(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b4551f) #31 0x10deb9cf4 in js::RunScript(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b22cf4) #32 0x10def8eb3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61eb3) #33 0x10da3ae9b in js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x96a3e9b) #34 0x10df5db85 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9bc6b85) #35 0x10def8e96 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61e96) #36 0x10defaf34 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b63f34) #37 0x10db591a0 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97c21a0) #38 0x10dd4f189 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x99b8189) #39 0x10db84033 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97ed033) #40 0x10db8dbea in js::proxy_Call(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97f6bea) #41 0x10df5db85 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9bc6b85) #42 0x10def8e96 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61e96) #43 0x10dedc51f in Interpret(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b4551f) #44 0x10deb9cf4 in js::RunScript(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b22cf4) #45 0x10defdd09 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b66d09) #46 0x10defe674 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b67674) #47 0x10d8f9387 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9562387) #48 0x10d8fa0aa in JS_ExecuteScriptVersion(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JSVersion) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x95630aa) #49 0x107de37a4 in mozJSComponentLoader::ObjectForLocation(nsIFile*, nsIURI*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x3a4c7a4) #50 0x107dec9a2 in mozJSComponentLoader::ImportInto(nsACString_internal const&, JS::Handle<JSObject*>, JSContext*, JS::MutableHandle<JSObject*>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x3a559a2) #51 0x107de98a8 in mozJSComponentLoader::Import(nsACString_internal const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x3a528a8) #52 0x107bd5613 in nsXPCComponents_Utils::Import(nsACString_internal const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x383e613) #53 0x1045c6358 in NS_InvokeByIndex (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x22f358) #54 0x107d7668b in CallMethodHelper::Call() (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x39df68b) #55 0x107d26773 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x398f773) #56 0x107d2c1db in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x39951db) #57 0x10df5db85 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9bc6b85) #58 0x10def8e96 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61e96) #59 0x10dedc51f in Interpret(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b4551f) #60 0x10deb9cf4 in js::RunScript(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b22cf4) #61 0x10defdd09 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b66d09) #62 0x10defe674 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b67674) #63 0x10d8f9387 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9562387) #64 0x10d8fa0aa in JS_ExecuteScriptVersion(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JSVersion) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x95630aa) #65 0x107de37a4 in mozJSComponentLoader::ObjectForLocation(nsIFile*, nsIURI*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x3a4c7a4) #66 0x107dec9a2 in mozJSComponentLoader::ImportInto(nsACString_internal const&, JS::Handle<JSObject*>, JSContext*, JS::MutableHandle<JSObject*>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x3a559a2) #67 0x107de98a8 in mozJSComponentLoader::Import(nsACString_internal const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x3a528a8) #68 0x107bd5613 in nsXPCComponents_Utils::Import(nsACString_internal const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x383e613) #69 0x1045c6358 in NS_InvokeByIndex (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x22f358) #70 0x107d7668b in CallMethodHelper::Call() (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x39df68b) #71 0x107d26773 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x398f773) #72 0x107d2c1db in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x39951db) #73 0x10df5db85 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9bc6b85) #74 0x10def8e96 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61e96) #75 0x10dedc51f in Interpret(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b4551f) #76 0x10deb9cf4 in js::RunScript(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b22cf4) #77 0x10defdd09 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b66d09) #78 0x10defe674 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b67674) #79 0x10d8f9387 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9562387) #80 0x10d8fa0aa in JS_ExecuteScriptVersion(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JSVersion) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x95630aa) #81 0x107de37a4 in mozJSComponentLoader::ObjectForLocation(nsIFile*, nsIURI*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x3a4c7a4) #82 0x107dec9a2 in mozJSComponentLoader::ImportInto(nsACString_internal const&, JS::Handle<JSObject*>, JSContext*, JS::MutableHandle<JSObject*>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x3a559a2) #83 0x107de98a8 in mozJSComponentLoader::Import(nsACString_internal const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x3a528a8) #84 0x107bd5613 in nsXPCComponents_Utils::Import(nsACString_internal const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x383e613) #85 0x1045c6358 in NS_InvokeByIndex (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x22f358) #86 0x107d7668b in CallMethodHelper::Call() (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x39df68b) #87 0x107d26773 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x398f773) #88 0x107d2c1db in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x39951db) #89 0x10df5db85 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9bc6b85) #90 0x10def8e96 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61e96) #91 0x10dedc51f in Interpret(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b4551f) #92 0x10deb9cf4 in js::RunScript(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b22cf4) #93 0x10def8eb3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61eb3) #94 0x10da3359d in js_fun_call(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x969c59d) #95 0x10da34622 in js_fun_apply(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x969d622) #96 0x10df5db85 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9bc6b85) #97 0x10def8e96 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61e96) #98 0x10dedc51f in Interpret(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b4551f) #99 0x10deb9cf4 in js::RunScript(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b22cf4) #100 0x10def8eb3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61eb3) #101 0x10defaf34 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b63f34) #102 0x10db591a0 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97c21a0) #103 0x10dd4f189 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x99b8189) #104 0x10db84033 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97ed033) #105 0x10db8dbea in js::proxy_Call(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97f6bea) #106 0x10df5db85 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9bc6b85) #107 0x10def8e96 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61e96) #108 0x10defaf34 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b63f34) #109 0x10defd6c4 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b666c4) #110 0x10dca34ee in js::Shape::get(JSContext*, JS::Handle<JSObject*>, JSObject*, JSObject*, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x990c4ee) #111 0x10db05683 in bool NativeGetInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x976e683) #112 0x10db05097 in js::NativeGet(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<js::Shape*>, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x976e097) #113 0x10dfd1eca in bool js::FetchName<false>(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, JS::Handle<js::Shape*>, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9c3aeca) #114 0x10ded874e in Interpret(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b4174e) #115 0x10deb9cf4 in js::RunScript(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b22cf4) #116 0x10def8eb3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61eb3) #117 0x10da34c0d in js_fun_apply(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x969dc0d) #118 0x10df5db85 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9bc6b85) #119 0x10def8e96 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61e96) #120 0x10defaf34 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b63f34) #121 0x10db591a0 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97c21a0) #122 0x10dd4f189 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x99b8189) #123 0x10db84033 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97ed033) #124 0x10db8dbea in js::proxy_Call(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97f6bea) #125 0x10df5db85 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9bc6b85) #126 0x10def8e96 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61e96) #127 0x10dedc51f in Interpret(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b4551f) #128 0x10deb9cf4 in js::RunScript(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b22cf4) #129 0x10def8eb3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61eb3) #130 0x10defaf34 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b63f34) #131 0x10db591a0 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97c21a0) #132 0x10dd4f189 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x99b8189) #133 0x10db84033 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97ed033) #134 0x10db8dbea in js::proxy_Call(JSContext*, unsigned int, JS::Value*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x97f6bea) #135 0x10df5db85 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9bc6b85) #136 0x10def8e96 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61e96) #137 0x10dedc51f in Interpret(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b4551f) #138 0x10deb9cf4 in js::RunScript(JSContext*, js::RunState&) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b22cf4) #139 0x10def8eb3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b61eb3) #140 0x10defaf34 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9b63f34) #141 0x10d8fdc21 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x9566c21) #142 0x107d06321 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x396f321) #143 0x1045c7cd6 in PrepareAndDispatch (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x230cd6) #144 0x1045c65aa in SharedStub (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x22f5aa) #145 0x10b6ae2b2 in nsXREDirProvider::DoStartup() (/Users/awagner/mozilla/mozilla-central/objdir-ff-asan/dist/bin/./XUL+0x73172b2)
Indeed. We're in js::jit::LIRGenerator::visitMod and ins->lhs()->type() is MIRType_Double.
Component: General → JavaScript Engine: JIT
Do you still need a detailed regression window?
Generally once there's a reproducible testcase, no, I'd say -- bug diagnosis tends to point out the regressor pretty easily.
Some more details: 1) We have an MMod whose getOperand(0) is an MToDouble wrapping an MSub which is subtracting two MStringLengths. The MSub is in fact MIRType_Int32. 2) getOperand(1) on the MMod is an MConstant of MIRType_Double. The actual double value inside is 2.
I wonder if this is caused by MMod::truncate: if (type() == MIRType_Double || type() == MIRType_Int32) { specialization_ = MIRType_Int32; At least it looks like that could cause us to have a MMod with int32 specialization and double operands.
Flags: needinfo?(nicolas.b.pierron)
It is possible that this is the same bug as bug 1006301.
Looks like MMod::truncate can set its type to Int32. So presumably a regression from bug 998580?
Blocks: 998580
(In reply to Dan Gohman [:sunfish] from comment #11) > It is possible that this is the same bug as bug 1006301. Yes that seems very likely, thanks.
Flags: needinfo?(nicolas.b.pierron)
MDiv seems like it could have the same issue?
(In reply to Boris Zbarsky [:bz] from comment #14) > MDiv seems like it could have the same issue? Yes, in fact Gary's testcase in bug 1006301 comment 4 is the MDiv case :)
(In reply to Jan de Mooij [:jandem] from comment #15) > Yes, in fact Gary's testcase in bug 1006301 comment 4 is the MDiv case :) Sorry, bug 1006301 comment 2.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 10006301]
Damnit, I was to slow :(
Whiteboard: [sg:dupe 10006301] → [sg:dupe 1006301]
Flags: sec-bounty?
since this is a duplicate it is not eligible for a bug. but nice find! keep at it!
Flags: sec-bounty? → sec-bounty-
I was Talking to tveditz to other day, he said you'll hash something out as I found that bug in the wild (ie crash by just visiting a web page). I also provided the stacktrace with a self compiled asan build. Am I right that the original bug got classified after I provided the details here? I understand that duplicates are not eligible in general, but if you agree that I helped finding and analyzing a security bug, how about a split if the reward?
Flags: needinfo?(rforbes)
Flags: needinfo?(dveditz)
One of the reasons Gary didn't hide his bug at first was that it was such an obvious regression (found less than 2 hours after the regressing patch landed) and caused so many test failures ("Fuzzblocker") that he assumed it would get fixed long before uplift. If this had been a long-time latent bug (months or years) and then two people found it nearly simultaneously we'd be inclined to reward both, but in this case your copy was filed 5 bug-lifetimes later than Gary's. It also triggered failures in our other major JavaScript fuzzing suite (bug 1006850) so this bug was clearly going to get fixed with or without this bug report. It was a tough call and I'm sorry it didn't go your way.
Flags: needinfo?(dveditz)
Flags: needinfo?(rforbes)
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: