Closed Bug 680217 Opened 13 years ago Closed 13 years ago

TI: Crash [@ js::gc::ChunkBitmap::isMarked]

Category: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Severity: critical
Status: RESOLVED FIXED
Reporter: decoder (Unassigned)
Keywords: crash, testcase
Attachments: 1 file

The following testcase crashes on TI revision 7dae91c263cf (run with -j -m -n), tested on 64 bit:

```js
try {
for (var BUGNUMBER = 0, sz = Math.pow(2, 21); i < sz; i++)
  str += '0,';
} catch (exc1) {}
var str = '[';
for (var i = 0, BUGNUMBER; i < sz; i++)
  str += '0,';
var obj = {
  p: { __proto__: null },
};
for (var i = 0, sz = Math.pow(2, 21); i < sz; i++)
  str += '0,';
```
I got this to crash when the address space is randomized, but it won't crash in GDB.  I turned off ASLR and now it won't crash at all.  Can you get this to crash in GDB?  If so, do you have a shell I can ssh to?
No, this does not crash in GDB for me either, but it does in Valgrind. Maybe it's possible to turn on ASLR in GDB? I'm on a train right now but can check later maybe.
Attached patch: patch
There is a static type object which serves as the default type object for objects with no prototype.  Similar to static strings, isMarked() cannot be called on this (its property types are unknown and it cannot have empty shapes, so nothing ever mutates it).  When sweeping compartment tables for the types to associate with singleton/JSON objects, we didn't check for this static type object, under the assumption that elements of such objects were not mutants with non-standard prototypes.  This situation was possible, though, as singletons were allowed to change their __proto__ so long as that prototype was itself a constant.  This latter behavior is pretty goofy and liable to cause problems elsewhere, so the fix just treats any initializer mutating __proto__ as not constant.

http://hg.mozilla.org/projects/jaegermonkey/rev/7ef2e842650c
Attachment #554495 - Flags: review?(dvander)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 554495 [details] [diff] [review]
patch

Review of attachment 554495 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsinfer.cpp
@@ +2323,5 @@
>          && (b.isPrimitive(JSVAL_TYPE_INT32) || b.isPrimitive(JSVAL_TYPE_DOUBLE));
>  }
>  
> +/*
> + * As for GetValueType, but requires object types to be non-singletons with
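Review bot: the new comment block at +2323 is cut off in the quoted context right after "non-singletons with", so the hunk as shown does not say which function it documents or what the non-singleton requirement actually is; before landing, make sure the comment names the function and states what callers must guarantee about singleton object types, since the crash in this bug comes from singletons that mutated __proto__ being handed to code that assumed they could not (see the patch description).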

Was this meant to be "Same as for GetValueType"?
Attachment #554495 - Flags: review?(dvander) → review+
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug680217.js.
Flags: in-testsuite+