Closed
Bug 851474
Opened 11 years ago
Closed 11 years ago
Rooting Analysis: Crash [@ js::CompartmentChecker::check] with uninitialized values [@ CheckStackRoot]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
INVALID
People
(Reporter: decoder, Unassigned)
(Keywords: crash, testcase, Whiteboard: [jsbugmon:ignore])
The following testcase crashes on mozilla-central built with --enable-root-analysis, revision 8e68f4d73ec4 (run with --ion-eager):

gczeal(6);
var t = true;
x = [];
for (var i = 0; i < 10; ++i) {
  x[0] = t == i + - {} + "o = {}; o.toString()";
}
Comment 1•11 years ago
Trace:

==7900== Use of uninitialised value of size 4
==7900==    at 0x8452051: CheckStackRoot(JSRuntime*, unsigned int*, Rooter*, Rooter*) (Verifier.cpp:61)
==7900==    by 0x8453896: JS::CheckStackRoots(JSContext*) (Verifier.cpp:104)
==7900==    by 0x819083C: js::MulValues(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, JS::Value*) (RootingAPI.h:783)
==7900==    by 0x7D40AD3: ???
==7900==
==7900== Invalid read of size 1
==7900==    at 0x807222A: _ZN2js18CompartmentChecker5checkERKN2JS5ValueE.constprop.545 (jscntxtinlines.h:185)
==7900==    by 0x808593B: JS::AssertArgumentsAreSane(JSContext*, JS::Value const&) (jscntxtinlines.h:256)
==7900==    by 0x8192DA0: js::LooselyEqual(JSContext*, JS::Value const&, JS::Value const&, bool*) (jsapi.h:1692)
==7900==    by 0x867FC61: bool js::ion::LooselyEqual<true>(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, int*) (VMFunctions.cpp:175)
==7900==    by 0x7D4060F: ???
==7900==  Address 0xda431060 is not stack'd, malloc'd or (recently) free'd

And a lot more of the use of uninitialized value warnings here. Note that this is a Valgrind build :)
Updated•11 years ago
Crash Signature: [@ js::CompartmentChecker::check] with uninitialized values [@ CheckStackRoot] → [@ js::CompartmentChecker::check]
Comment 2•11 years ago
This analysis explicitly reads uninitialized memory. For this reason and others we have switched to a static analysis and zeal mode 7.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID