Closed Bug 1161605 Opened 9 years ago Closed 9 years ago

Poisonned value after one call to js::jit::SetPropertyIC::update.

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: nbp, Unassigned)

References

Details

With the latest patch from Bug 923717 and Bug 1161584, I noticed that there is a rooting issue which is probably related to SetPropertyIC::update.

Running the following test case with JIT_OPTION_forceInlineCaches=true, and the --baseline-eager ,


var x = gc;
var obj = {};
for (var i = 0; i != 16 * 1024; ++i)
  obj.a = function f() { };
x();


cause a crash in the explicit call to the gc:


(gdb) bt
#0  js::ObjectGroup::compartment (this=0x2b2b2b2b2b2b2b2b) at /home/nicolas/mozilla/wksp-5-dev/js/src/shell/../vm/ObjectGroup.h:220
#1  0x0000000000466f6d in JSObject::compartment (this=(const JSObject *) 0x7fffee901900 Cannot access memory at address 0x2b2b2b2b2b2b2b2b) at /home/nicolas/mozilla/wksp-5-dev/js/src/shell/../jsobj.h:159
#2  0x000000000073a467 in js::GCMarker::processMarkStackTop (this=0x15e3738, budget=...) at /home/nicolas/mozilla/wksp-5-dev/js/src/gc/Marking.cpp:1166
#3  0x00000000007083e1 in js::GCMarker::drainMarkStack (this=0x15e3738, budget=...) at /home/nicolas/mozilla/wksp-5-dev/js/src/gc/Marking.cpp:1063
#4  0x0000000000eea5ce in js::gc::GCRuntime::drainMarkStack (this=0x15db8c8, sliceBudget=..., phase=js::gcstats::PHASE_MARK) at /home/nicolas/mozilla/wksp-5-dev/js/src/jsgc.cpp:5098
#5  0x0000000000eed5c8 in js::gc::GCRuntime::incrementalCollectSlice (this=0x15db8c8, budget=..., reason=JS::gcreason::API) at /home/nicolas/mozilla/wksp-5-dev/js/src/jsgc.cpp:5793
#6  0x0000000000eedf85 in js::gc::GCRuntime::gcCycle (this=0x15db8c8, incremental=false, budget=..., reason=JS::gcreason::API) at /home/nicolas/mozilla/wksp-5-dev/js/src/jsgc.cpp:6014
#7  0x0000000000eee76a in js::gc::GCRuntime::collect (this=0x15db8c8, incremental=false, budget=..., reason=JS::gcreason::API) at /home/nicolas/mozilla/wksp-5-dev/js/src/jsgc.cpp:6126
#8  0x0000000000ee2290 in js::gc::GCRuntime::gc (this=0x15db8c8, gckind=GC_NORMAL, reason=JS::gcreason::API) at /home/nicolas/mozilla/wksp-5-dev/js/src/jsgc.cpp:6187
#9  0x0000000000ef1b26 in JS::GCForReason (rt=0x15db580, gckind=GC_NORMAL, reason=JS::gcreason::API) at /home/nicolas/mozilla/wksp-5-dev/js/src/jsgc.cpp:7016
#10 0x00000000005dea86 in GC (cx=0x16038b0, argc=0, vp=0x7fffffffb348) at /home/nicolas/mozilla/wksp-5-dev/js/src/builtin/TestingFunctions.cpp:264
This was an issue with Bug 923717 patch.
Thanks Jon for the pointer to the post-barrier :)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.