Closed Bug 790921 Opened 12 years ago Closed 12 years ago

Crash [@ js::ion::IonCode::raw] with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla18

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [ion:p2])

Crash Data

Attachments

(1 file)

fix
1.33 KB, patch
dvander
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision fdfaef738a00 (run with --ion-eager):


evaluate("\
gcparam(\"maxBytes\", gcparam(\"gcBytes\") + 4 );\n\
test();\n\
function test() {\n\
  function flatten(arr)\n\
  actual = flatten([1, [2], 3]);\
}\n\
");
try {} catch (lfVare) {}
Valgrind shows:


==48471== Invalid read of size 8
==48471==    at 0x88CD9A: js::ion::IonCode::raw() const (IonCode.h:78)
==48471==    by 0x8DBC5A: js::ion::Assembler::call(js::ion::IonCode*) (Assembler-x64.h:515)
==48471==    by 0x8E5473: void js::ion::MacroAssembler::callPreBarrier<js::ion::Address>(js::ion::Address const&, js::ion::MIRType) (IonMacroAssembler.h:353)
==48471==    by 0x9F4B84: js::ion::CodeOffsetLabel js::ion::MacroAssembler::patchableCallPreBarrier<js::ion::Address>(js::ion::Address const&, js::ion::MIRType) (IonMacroAssembler.h:369)
==48471==    by 0x9F3ADC: js::ion::CodeGeneratorShared::emitPreBarrier(js::ion::Address, js::ion::MIRType) (CodeGenerator-shared.cpp:458)
==48471==    by 0x9E1E8E: js::ion::CodeGenerator::visitStoreFixedSlotT(js::ion::LStoreFixedSlotT*) (CodeGenerator.cpp:3034)
==48471==    by 0x91501A: js::ion::LStoreFixedSlotT::accept(js::ion::LInstructionVisitor*) (LIR-Common.h:2381)
==48471==    by 0x9D8EF5: js::ion::CodeGenerator::generateBody() (CodeGenerator.cpp:1287)
==48471==    by 0x9E0C7F: js::ion::CodeGenerator::generate() (CodeGenerator.cpp:2803)
==48471==    by 0x8972D0: js::ion::TestCompiler(js::ion::IonBuilder*, js::ion::MIRGraph*, js::ion::AutoDestroyAllocator&) (Ion.cpp:917)
==48471==    by 0x89C98C: bool js::ion::IonCompile<&(js::ion::TestCompiler(js::ion::IonBuilder*, js::ion::MIRGraph*, js::ion::AutoDestroyAllocator&))>(JSContext*, JSScript*, JSFunction*, unsigned char*, bool) (Ion.cpp:1022)
==48471==    by 0x89CC25: js::ion::MethodStatus js::ion::Compile<&(js::ion::TestCompiler(js::ion::IonBuilder*, js::ion::MIRGraph*, js::ion::AutoDestroyAllocator&))>(JSContext*, JSScript*, JSFunction*, unsigned char*, bool) (Ion.cpp:1154)
==48471==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Attached patch fixSplinter Review 
Easy fix -- don't dereference a known-NULL value.
Attachment #660988 - Flags: review?(dvander)
Attachment #660988 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/d39c810749ce
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: