Closed Bug 792510 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash with Illegal instruction (SIGILL) with gczeal(4)

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
major

Tracking


RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Attachments

(1 file)

The following testcase crashes on mozilla-central revision e4757379b99a (run with --ion-eager):

    gczeal(4);
    function TestCase( n, d, e, a ) {
      this.bugnumber = "";
    }
    addNewTestCase("new Date(-1)", [-1]);
    addNewTestCase("new Date(28799999)", [0]);
    function addNewTestCase(DateCase, ResultArray) {
      new TestCase( Math.floor(ResultArray[0]/1000)*1000, Date.parse(DateCase.toString()));
    }
Summary: Crash with Illegal instruction (SIGILL) with gczeal(4) → IonMonkey: Crash with Illegal instruction (SIGILL) with gczeal(4)
Valgrind shows:

    disInstr(thumb): unhandled instruction: 0xFA62 0xF303
    ==19477== valgrind: Unrecognised instruction at address 0x1a9fad.
    ==19477==
    ==19477== Process terminating with default action of signal 4 (SIGILL)
    ==19477==  Illegal opcode at address 0x1A9FAD
    ==19477==    at 0x1A9FAC: mozilla::RotateBitsLeft32(unsigned int, unsigned char) (HashFunctions.h:65)
    ==19477==    by 0x1A9FD7: mozilla::detail::AddU32ToHash(unsigned int, unsigned int) (HashFunctions.h:112)
    ==19477==    by 0x1BE389: unsigned int mozilla::AddToHash<char>(unsigned int, char) (HashFunctions.h:163)
    ==19477==    by 0x1BAB25: unsigned int mozilla::detail::HashUntilZero<char>(char const*) (HashFunctions.h:277)
    ==19477==    by 0x1B4A75: mozilla::HashString(char const*) (HashFunctions.h:303)
    ==19477==    by 0x1B51A5: js::ScriptFilenameHasher::hash(char const*) (jsscript.h:1164)
    ==19477==    by 0x1C2345: js::detail::HashTable<js::ScriptFilenameEntry* const, js::HashSet<js::ScriptFilenameEntry*, js::ScriptFilenameHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::prepareHash(char const* const&) (HashTable.h:306)
    ==19477==    by 0x1C02D9: js::detail::HashTable<js::ScriptFilenameEntry* const, js::HashSet<js::ScriptFilenameEntry*, js::ScriptFilenameHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::lookupForAdd(char const* const&) const (HashTable.h:730)
    ==19477==    by 0x1BDB1D: js::HashSet<js::ScriptFilenameEntry*, js::ScriptFilenameHasher, js::SystemAllocPolicy>::lookupForAdd(char const* const&) const (HashTable.h:1322)
    ==19477==    by 0x1B6F2F: js::SaveScriptFilename(JSContext*, char const*) (jsscript.cpp:1314)
    ==19477==    by 0x1B7AD1: JSScript::fullyInitFromEmitter(JSContext*, JS::Handle<JSScript*>, js::frontend::BytecodeEmitter*) (jsscript.cpp:1648)
    ==19477==    by 0x284EA9: js::frontend::CompileScript(JSContext*, JS::Handle<JSObject*>, js::StackFrame*, JS::CompileOptions const&, unsigned short const*, unsigned int, JSString*, unsigned int) (BytecodeCompiler.cpp:243)

Assuming sec-critical due to illegal jump.
Marty says this is guaranteed to be a safe SIGILL in all cases, removing s-s.
Group: core-security
Straightforward, but not horribly pretty patch.
Attachment #662819 - Flags: review?(Jacob.Bramley)
Comment on attachment 662819 [details] [diff] [review]
/home/mrosenberg/patches/togglejumps should not be pool guards-r0.patch

David said he wants to review this ASAP so it can get into the next nightly.
Attachment #662819 - Flags: review?(Jacob.Bramley) → review?(dvander)
Attachment #662819 - Flags: review?(dvander) → review+
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED