Closed
Bug 858097
Opened 11 years ago
Closed 11 years ago
BaselineCompiler: Crash [@ Mark<js::types::TypeObject>] with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla23
People
(Reporter: decoder, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:])
Crash Data
Attachments
(1 file)
1.23 KB,
patch
|
Waldo
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on baseline compiler branch revision 5fd27c1b3943 (run with --ion-eager): function MyObject( value ) {} gcparam("maxBytes", gcparam("gcBytes") + 4*(1)); gczeal(4); function test() {} var obj = new test();
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Reporter | ||
Comment 1•11 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Assignee | ||
Comment 2•11 years ago
|
||
I was able to reproduce this on decoder's fuzzing machine. Baseline may have exposed the problem in this case, but I think it's a pre-existing issue. We call js::InvokeConstructorKernel: args.setThis(MagicValue(JS_IS_CONSTRUCTING)); Then in StackFrame::prologue: if (isConstructing()) { RootedObject callee(cx, &this->callee()); JSObject *obj = CreateThisForFunction(cx, callee, useNewType()); if (!obj) return false; functionThis() = ObjectValue(*obj); } If the CreateThisForFunction OOM's this will leave |this| == MagicValue(JS_IS_CONSTRUCTING). Then in StackFrame::epilogue: if (isConstructing() && returnValue().isPrimitive()) setReturnValue(ObjectValue(constructorThis())); This sets the frame's return value slot to ObjectValue(0xa). (JS_IS_CONSTRUCTING == 0xa). With a debug build this would assert isObject() I think, but this is an opt build.
Assignee | ||
Comment 3•11 years ago
|
||
See the analysis in comment 2. Let me know if you can think of a better fix.
Comment 4•11 years ago
|
||
Comment on attachment 733928 [details] [diff] [review] Patch Review of attachment 733928 [details] [diff] [review]: ----------------------------------------------------------------- Stealing, as Luke's out and this is clearly fine. ::: js/src/vm/Stack.cpp @@ +411,1 @@ > setReturnValue(ObjectValue(constructorThis())); Looking at this, we might also consider making constructorThis() just return a Value, and then there's no need for this extra check. The return value of a function *should be* considered meaningless in cases like these, but I could imagine mistakes being made.
Attachment #733928 -
Flags: review?(luke) → review+
Comment 5•11 years ago
|
||
...that is, using that return value as though it were real, not expecting this rare case where a MagicValue manifested itself.
Assignee | ||
Comment 6•11 years ago
|
||
Thanks for stealing the r? Waldo. https://hg.mozilla.org/integration/mozilla-inbound/rev/25323c442d1a
Comment 7•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/25323c442d1a
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
You need to log in
before you can comment on or make changes to this bug.
Description
•