Closed Bug 1367989 Opened 7 years ago Closed 7 years ago

Crash in js::FunctionToString at mozilla-central/js/src/jsfun.cpp:1094

Categories

(Core :: JavaScript Engine, defect)


RESOLVED DUPLICATE of bug 1364573

People

(Reporter: kangyan91, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586

Steps to reproduce:

The following testcase crashes on mozilla-central revision d8762cb96742.

I build SpiderMonkey with:
cd js/src
autoconf
mkdir build_DBG.OBJ
cd build_DBG.OBJ
../configure --enable-debug --disable-optimize
make 

testcase.js :
function tryItOut(code)
{
    // Compile one fuzzer-generated snippet into a function; f is a global, not a local.
    f = new Function(code);
    // Run it and swallow any runtime error so the next snippet still executes.
    try {
        var rv = f();
    } catch (runError) {}
}

var count = 0;
var verbose = false;
// Load the jit-test file (contents shown below) that declares both `function c` and `class c`.
tryItOut("\"\";/**/load(\"/mozilla-central/js/src/jit-test/tests/parser/bug-1263355-20.js\")")
// relazifyFunctions() is a shell-only testing function that discards compiled function bodies.
/**/tryItOut("{void relazifyFunctions()}")/**/
// c++ forces ToNumber on the class constructor c, which reaches Function.prototype.toString (see backtrace).
tryItOut("\"\";M:switch(c++){case 9:(x);case 2:}")

bug-1263355-20.js:
{ function c() {} }class c { }



Actual results:

Program received signal SIGSEGV, Segmentation fault.
0x00000000009ab595 in js::FunctionToString (cx=cx@entry=0x7ffff6958000, fun=..., 
    prettyPrint=<optimized out>) at mozilla-central/js/src/jsfun.cpp:1094
1094	        MOZ_ASSERT(!fun->infallibleIsDefaultClassConstructor(cx));

backtrace:
#0  0x00000000009ab595 in js::FunctionToString (cx=cx@entry=0x7ffff6958000, fun=..., 
    prettyPrint=<optimized out>) at mozilla-central/js/src/jsfun.cpp:1094
#1  0x00000000009ab631 in fun_toStringHelper (cx=cx@entry=0x7ffff6958000, obj=..., 
    obj@entry=..., indent=<optimized out>)
    at mozilla-central/js/src/jsfun.cpp:1123
#2  0x00000000009cfe7d in js::fun_toString (cx=0x7ffff6958000, argc=<optimized out>, 
    vp=<optimized out>) at mozilla-central/js/src/jsfun.cpp:1155
#3  0x0000000000539f60 in js::CallJSNative (cx=0x7ffff6958000, 
    native=0x9cfd50 <js::fun_toString(JSContext*, unsigned int, JS::Value*)>, args=...)
    at mozilla-central/js/src/jscntxtinlines.h:293
#4  0x0000000000535276 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6958000, args=..., 
    construct=construct@entry=js::NO_CONSTRUCT)
    at mozilla-central/js/src/vm/Interpreter.cpp:470
#5  0x000000000053578f in InternalCall (cx=cx@entry=0x7ffff6958000, args=...)
    at mozilla-central/js/src/vm/Interpreter.cpp:515
#6  0x00000000005358ed in js::Call (cx=cx@entry=0x7ffff6958000, fval=..., fval@entry=..., 
    thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...)
    at mozilla-central/js/src/vm/Interpreter.cpp:534
#7  0x000000000099fd1a in Call (rval=..., thisObj=<optimized out>, fval=..., cx=0x7ffff6958000)
    at mozilla-central/js/src/vm/Interpreter.h:94
#8  MaybeCallMethod (cx=cx@entry=0x7ffff6958000, obj=..., obj@entry=..., id=..., id@entry=..., 
    vp=vp@entry=...) at mozilla-central/js/src/jsobj.cpp:3105
#9  0x000000000099ff82 in JS::OrdinaryToPrimitive (cx=cx@entry=0x7ffff6958000, 
    obj=obj@entry=..., hint=hint@entry=JSTYPE_NUMBER, vp=..., vp@entry=...)
    at mozilla-central/js/src/jsobj.cpp:3188
#10 0x00000000009a0784 in js::ToPrimitiveSlow (cx=cx@entry=0x7ffff6958000, 
    preferredType=preferredType@entry=JSTYPE_NUMBER, vp=..., vp@entry=...)
    at mozilla-central/js/src/jsobj.cpp:3236
#11 0x00000000009b2752 in ToPrimitive (vp=..., preferredType=JSTYPE_NUMBER, cx=0x7ffff6958000)
    at mozilla-central/js/src/jsobj.h:1064
#12 js::ToNumberSlow (cx=0x7ffff6958000, v_=..., out=0x7fffffffd380)
    at mozilla-central/js/src/jsnum.cpp:1610
#13 0x0000000000530821 in ToNumber (vp=..., cx=<optimized out>)
    at mozilla-central/js/src/jsnum.h:179
#14 Interpret (cx=0x7ffff6958000, state=...)
    at mozilla-central/js/src/vm/Interpreter.cpp:2583
#15 0x0000000000534e3b in js::RunScript (cx=0x7ffff6958000, state=...)
    at mozilla-central/js/src/vm/Interpreter.cpp:410
#16 0x0000000000537031 in js::ExecuteKernel (cx=cx@entry=0x7ffff6958000, script=..., 
    script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., 
    evalInFrame@entry=..., result=result@entry=0x0)
    at mozilla-central/js/src/vm/Interpreter.cpp:699
#17 0x00000000005373d8 in js::Execute (cx=cx@entry=0x7ffff6958000, script=script@entry=..., 
    envChainArg=..., rval=rval@entry=0x0)
    at mozilla-central/js/src/vm/Interpreter.cpp:732
#18 0x00000000008d44b3 in ExecuteScript (cx=cx@entry=0x7ffff6958000, scope=scope@entry=..., 
    script=script@entry=..., rval=rval@entry=0x0)
    at mozilla-central/js/src/jsapi.cpp:4527
#19 0x00000000008df7d3 in JS_ExecuteScript (cx=cx@entry=0x7ffff6958000, 
    scriptArg=scriptArg@entry=...) at mozilla-central/js/src/jsapi.cpp:4560
#20 0x000000000042fdce in RunFile (compileOnly=false, file=0x7fffefd36000, 
    filename=<optimized out>, cx=0x7ffff6958000)
    at mozilla-central/js/src/shell/js.cpp:714
#21 Process (cx=cx@entry=0x7ffff6958000, filename=<optimized out>, 
    forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript)
    at mozilla-central/js/src/shell/js.cpp:1161
#22 0x000000000043dab3 in ProcessArgs (op=0x7fffffffdd40, cx=0x7ffff6958000)
    at mozilla-central/js/src/shell/js.cpp:7921
#23 Shell (envp=<optimized out>, op=0x7fffffffdd40, cx=0x7ffff6958000)
    at mozilla-central/js/src/shell/js.cpp:8284
#24 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
    at mozilla-central/js/src/shell/js.cpp:8682

register info:
rax            0x0	0
rbx            0x1	1
rcx            0x7ffff6c96f9d	140737333784477
rdx            0x0	0
rsi            0x7ffff6f6b9d0	140737336752592
rdi            0x7ffff6f6a1c0	140737336746432
rbp            0x7fffffffc970	0x7fffffffc970
rsp            0x7fffffffc830	0x7fffffffc830
r8             0x7ffff7fc8780	140737353910144
r9             0x697a6f6d2f736565	7600509835879343461
r10            0x7fffffffc5f0	140737488340464
r11            0x7ffff6c15e20	140737333255712
r12            0x7ffff6958000	140737330380800
r13            0x7fffffffc8a0	140737488341152
r14            0x7fffffffc860	140737488341088
r15            0x0	0
rip            0x9ab595	0x9ab595 <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool)+1557>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

$pc:
=> 0x9ab595 <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool)+1557>:	movl   $0x0,0x0
   0x9ab5a0 <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool)+1568>:	ud2
   0x9ab5a2 <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool)+1570>:	callq  0x42e610 <__stack_chk_fail@plt>
   0x9ab5a7 <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool)+1575>:	mov    -0x140(%rbp),%rdx
   0x9ab5ae <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool)+1582>:	jmpq   0x9ab354 <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool)+980>
   0x9ab5b3 <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool)+1587>:	mov    -0x140(%rbp),%rdx
   0x9ab5ba <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool)+1594>:	jmpq   0x9ab33f <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool)+959>
   0x9ab5bf:	nop
   0x9ab5c0 <fun_toStringHelper(JSContext*, JS::Handle<JSObject*>, unsigned int)>:	push   %rbp
   0x9ab5c1 <fun_toStringHelper(JSContext*, JS::Handle<JSObject*>, unsigned int)+1>:	lea    0x151b758(%rip),%r8        # 0x1ec6d20 <_ZN10JSFunction6class_E>

Group: core-security → javascript-core-security
Flags: needinfo?(shu)

Hi Iris, what revision did you reproduce the crash on? I can no longer reproduce this -- my suspicion is that it's fixed by bug 1364573.
Flags: needinfo?(shu) → needinfo?(kangyan91)

From comment 0 this was filed against May 10 code https://hg.mozilla.org/mozilla-central/rev/d8762cb96742, and the fix for bug 1364573 landed May 19.

(In reply to Shu-yu Guo [:shu] from comment #1)
> Hi Iris, what revision did you reproduce the crash on? I can no longer
> reproduce this -- my suspicion is that it's fixed by bug 1364573.

I tested on mozilla-central revision d8762cb96742.
Flags: needinfo?(kangyan91)
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: javascript-core-security