Closed Bug 1198673 Opened 9 years ago Closed 9 years ago

Crash [@ ??] with shell-function parseModule

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla43
Tracking Status
firefox43 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,bisect][fuzzblocker])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 04b8c412d9f5 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

parseModule((1));
Backtrace:

Program terminated with signal 11, Segmentation fault.
#0  0xf74dae86 in ?? () from /lib/i386-linux-gnu/libc.so.6
#1  0x087f7270 in cvt_s<char> (flags=0, prec=-1, width=0, s=0x4 <Address 0x4 out of bounds>, ss=0xff927650) at js/src/jsprf.cpp:337
#2  dosprintf (ss=ss@entry=0xff927650, fmt=0x8b07a32 "", fmt@entry=0x8b07a10 "expected string to compile, got %s", ap=0xff92773c "\200w\222\377", ap@entry=0xff927738 "\004") at js/src/jsprf.cpp:866
#3  0x087f7d21 in JS_vsmprintf (fmt=fmt@entry=0x8b07a10 "expected string to compile, got %s", ap=ap@entry=0xff927738 "\004") at js/src/jsprf.cpp:966
#4  0x0875a094 in js::ReportErrorVA (cx=0xf7203240, flags=flags@entry=0, format=format@entry=0x8b07a10 "expected string to compile, got %s", ap=ap@entry=0xff927738 "\004") at js/src/jscntxt.cpp:430
#5  0x0875a15f in JS_ReportError (cx=cx@entry=0xf7203240, format=format@entry=0x8b07a10 "expected string to compile, got %s") at js/src/jsapi.cpp:5342
#6  0x080e2179 in ParseModule (cx=0xf7203240, argc=1, vp=0xf50b80e8) at js/src/shell/js.cpp:3078
#7  0x08323caa in js::CallJSNative (cx=0xf7203240, native=0x80e2120 <ParseModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#8  0x08313676 in js::Invoke (cx=0xf7203240, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:763
#9  0x0830c8fb in Interpret (cx=cx@entry=0xf7203240, state=...) at js/src/vm/Interpreter.cpp:3054
#10 0x08312d31 in js::RunScript (cx=cx@entry=0xf7203240, state=...) at js/src/vm/Interpreter.cpp:704
#11 0x08313790 in js::Invoke (cx=cx@entry=0xf7203240, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:781
#12 0x0831579d in js::Invoke (cx=cx@entry=0xf7203240, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0xff928310, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:818
#13 0x08569502 in js::jit::DoCallFallback (cx=0xf7203240, frame=0xff928330, stub_=0xf729b510, argc=0, vp=0xff928300, res=...) at js/src/jit/BaselineIC.cpp:9361
#14 0xf744cf6e in ?? ()
#15 0xf729b510 in ?? ()
#16 0xf7450d2a in ?? ()
#17 0xf729b3c8 in ?? ()
#18 0xf7448c5c in ?? ()
#19 0x084dd455 in EnterBaseline (cx=0xf729b510, cx@entry=0xf7203240, data=...) at js/src/jit/BaselineJIT.cpp:126
#20 0x0855279f in js::jit::EnterBaselineAtBranch (cx=0xf7203240, fp=0xf50b8028, pc=0xf723e9c1 "\343\201C\b\377\377\377Z\231\230&\210\004\235)\210\bʘ5\210\t\230\001\220א\210\004\226\210\004\226\210\004\226\210\004\225\210\bʐ\210\bʐ\210\bϘ\002\234\v\210\003\230\016Ј\026\220Ј\027\220Ј \220Ј\027\220Ј?\220Ј\024\220Ј\030\230\027Ј,\230\031\210\004\314\b\225\210\002Έ\020\230&\210\004͈\020\230((\200") at js/src/jit/BaselineJIT.cpp:229
#21 0x0830fd3f in Interpret (cx=cx@entry=0xf7203240, state=...) at js/src/vm/Interpreter.cpp:2102
#22 0x08312d31 in js::RunScript (cx=cx@entry=0xf7203240, state=...) at js/src/vm/Interpreter.cpp:704
#23 0x0831df4e in js::ExecuteKernel (cx=cx@entry=0xf7203240, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:978
#24 0x08320454 in js::Execute (cx=cx@entry=0xf7203240, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1012
#25 0x0875f27d in ExecuteScript (cx=cx@entry=0xf7203240, scope=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4353
#26 0x0875f406 in JS_ExecuteScript (cx=cx@entry=0xf7203240, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4384
#27 0x0806b399 in RunFile (compileOnly=false, file=0xf72e29e0, filename=0xff929c0f "driver.js", cx=0xf7203240) at js/src/shell/js.cpp:460
#28 Process (cx=cx@entry=0xf7203240, filename=0xff929c0f "driver.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:578
#29 0x080d1914 in ProcessArgs (op=0xff929140, cx=<optimized out>) at js/src/shell/js.cpp:5809
#30 Shell (envp=<optimized out>, op=0xff929140, cx=<optimized out>) at js/src/shell/js.cpp:6109
#31 main (argc=5, argv=0xff929294, envp=0xff9292ac) at js/src/shell/js.cpp:6455
eax	0x0	0
ebx	0x97a2c0c	159001612
ecx	0x4	4
edx	0xffffffff	-1
esi	0x0	0
edi	0x4	4
ebp	0xff927638	4287788600
esp	0xff927444	4287788100
eip	0xf74dae86	4149063302
=> 0xf74dae86:	movdqu (%edi),%xmm1
   0xf74dae8a:	pcmpeqb %xmm1,%xmm0
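Frames #1 to #5 show the `%s` conversion in "expected string to compile, got %s" receiving 0x4 instead of a string pointer, so libc's string scan dereferences address 4 and faults. The constructed C example below (added here, not the page's or SpiderMonkey's code; the value-type enum, `type_name` and `report_error` are assumptions) reproduces that class of defect in a printf-style error reporter and shows the compile-time format check that flags it.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the type of a shell function's argument;
 * not SpiderMonkey's JS::Value. */
typedef enum { T_UNDEFINED = 0, T_OBJECT, T_FUNCTION, T_STRING, T_NUMBER, T_BOOLEAN } Type;

static const char* type_name(Type t) {
    static const char* const names[] = {
        "undefined", "object", "function", "string", "number", "boolean"
    };
    return (t >= T_UNDEFINED && t <= T_BOOLEAN) ? names[t] : "unknown";
}

/* printf-style error reporter. The format attribute makes GCC/Clang check
 * every conversion against its argument at compile time (-Wformat), which
 * is the cheap defence against the mismatch seen in this bug's backtrace. */
static int report_error(char* out, size_t outlen, const char* fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int report_error(char* out, size_t outlen, const char* fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return 0;
}

/* Argument check in the style of a parseModule-like shell builtin.
 * Returns 1 when the argument is a string (compilation may proceed),
 * 0 otherwise with the error message written into err. */
int check_module_source(Type argtype, char* err, size_t errlen) {
    if (argtype == T_STRING) {
        err[0] = '\0';
        return 1;
    }
    /* Defective form of this call: handing a non-pointer integer (here the
     * enum value, 4 for T_NUMBER) to %s makes vsnprintf treat it as a char*
     * and read from that address, matching s=0x4 in the backtrace above.
     * With the attribute on report_error, -Wformat warns on this line:
     *   report_error(err, errlen, "expected string to compile, got %s", argtype);
     */
    report_error(err, errlen, "expected string to compile, got %s", type_name(argtype));
    return 0;
}
```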
This happens very frequently, marking as a fuzzblocker.
Assignee: nobody → jcoppeard
Attached patch bug1198673
Fix dumb error in error handling.
Attachment #8652798 - Flags: review?(jdemooij)
Attachment #8652798 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/0a6629904b68
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Blocks: 1223846