Bug 1217593 (Closed)
Opened 9 years ago
Closed 9 years ago
Assertion failure: Modified registers between VM call and OsiPoint, at jit/MacroAssembler.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla44

Version | Tracking | Status
---|---|---
firefox43 | --- | unaffected
firefox44 | --- | verified
firefox45 | --- | verified
People
(Reporter: gkw, Assigned: jonco)
Details
(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update][b2g-adv-main2.5-])
Attachments
(2 files, 1 obsolete file)

Attachment | Type | Flags
---|---|---
(deleted) | text/plain | 
(deleted) | patch | shu: review+
enableOsiPointRegisterChecks();
function f() {
return this;
}
f();
f();
asserts js debug shell on m-c changeset 76bd0c01d72e with --fuzzing-safe --no-threads --ion-eager at Assertion failure: Modified registers between VM call and OsiPoint, at jit/MacroAssembler.cpp
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 76bd0c01d72e
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20151021063502" and the hash "ab8d2508c6ea2e1a0869f62c668eb0dee6709e42".
The "bad" changeset has the timestamp "20151021065531" and the hash "935cdbf4fcf571496793fb06a5a9e1f90050e092".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=ab8d2508c6ea2e1a0869f62c668eb0dee6709e42&tochange=935cdbf4fcf571496793fb06a5a9e1f90050e092
Jon, is bug 930414 a likely regressor?
Flags: needinfo?(jcoppeard)
Comment 1 (Reporter) • 9 years ago
(lldb) bt 5
* thread #1: tid = 0x3117f, 0x0000000101ee1f8d, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
* frame #0: 0x0000000101ee1f8d
frame #1: 0x00000001001e78c9 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonCannon(JSContext*, js::RunState&) + 395 at Ion.cpp:2682
frame #2: 0x00000001001e773e js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonCannon(cx=0x0000000102c45400, state=0x00007fff5fbfe350) + 302 at Ion.cpp:2788
frame #3: 0x0000000100684e29 js-dbg-64-dm-darwin-76bd0c01d72e`js::RunScript(cx=0x0000000102c45400, state=0x00007fff5fbfe350) + 313 at Interpreter.cpp:410
frame #4: 0x00000001006765e2 js-dbg-64-dm-darwin-76bd0c01d72e`js::Invoke(cx=0x0000000102c45400, args=<unavailable>, construct=<unavailable>) + 882 at Interpreter.cpp:507
(lldb)
Comment 2 (Reporter) • 9 years ago
Setting [fuzzblocker] because this is happening really often with jsfunfuzz now.
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Updated • 9 years ago
Group: core-security, javascript-core-security
Updated • 9 years ago
Group: core-security
Comment 4 (Assignee) • 9 years ago
I messed up the changes to compiling LComputeThis. It must now return a value and must not clobber its input.
Comment 5 (Assignee) • 9 years ago
...and fixed so it works on 32-bit builds.
Attachment #8677978 - Attachment is obsolete: true
Attachment #8677978 - Flags: review?(shu)
Attachment #8678100 - Flags: review?(shu)
Updated • 9 years ago
Attachment #8678100 - Flags: review?(shu) → review+
Updated • 9 years ago
status-firefox43: --- → unaffected
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Updated • 9 years ago
Group: javascript-core-security → core-security-release
Updated • 9 years ago
Group: core-security-release
Updated • 9 years ago
Comment 8 • 9 years ago
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx44
Updated • 9 years ago
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker][jsbugmon:update][b2g-adv-main2.5-]