Closed Bug 657225 Opened 13 years ago Closed 13 years ago

TI: Crash [@ JSString::length]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

The following testcase crashes on TI revision 693a36f402ee (run with -m -n -a),
tested on 64 bit:

function reportCompare(expected, actual, description) + ++actual + "'";
var summary = 'Object.prototype.toLocaleString() should track Object.prototype.toString() ';
var o = {
    toString: function () {}
};
expect = o;
actual = o.toLocaleString();
reportCompare(expect, actual, summary);


Backtrace:

==841== Invalid read of size 8
==841==    at 0x413D3E: JSString::length() const (jsstr.h:250)
==841==    by 0x505D4D: bool js::StringToNumberType<double>(JSContext*, JSString*, double*) (jsnum.h:646)
==841==    by 0x5053B2: js::ValueToNumberSlow(JSContext*, js::Value, double*) (jsnum.cpp:1293)
==841==    by 0x439D70: js::ValueToNumber(JSContext*, js::Value const&, double*) (jsnum.h:269)
==841==    by 0x795E71: js::mjit::stubs::Sub(js::VMFrame&) (StubCalls.cpp:1171)
==841==    by 0x41AEC1A: ???
==841==    by 0x6936D9: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:880)
==841==    by 0x69381E: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*) (MethodJIT.cpp:910)
==841==    by 0x6938FA: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:927)
==841==    by 0x4EE66F: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:604)
==841==    by 0x4EFC4C: js::Execute(JSContext*, JSObject&, JSScript*, js::StackFrame*, unsigned int, js::Value*) (jsinterp.cpp:990)
==841==    by 0x434CE2: JS_ExecuteScript (jsapi.cpp:5166)
==841==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==841== 
==841== 
==841== Process terminating with default action of signal 11 (SIGSEGV)
Wrong type handler on Object.toLocaleString, it wraps the 'toString' property and is not guaranteed to produce a string.

http://hg.mozilla.org/projects/jaegermonkey/rev/efe5cf75d033
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Crash Signature: [@ JSString::length]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug657225.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.