Bug 1322319 - Crash [@ js::IsSelfHostedFunctionWithName]
Status: RESOLVED FIXED (opened 9 years ago, closed 9 years ago)
Component: Core :: JavaScript Engine (defect)
Target Milestone: mozilla53
| Tracking | Status | |
|---|---|---|
| firefox-esr45 | --- | unaffected |
| firefox50 | --- | unaffected |
| firefox51 | --- | unaffected |
| firefox52 | --- | fixed |
| firefox53 | --- | fixed |
People: Reporter: decoder; Assignee: arai
Keywords: 4 keywords; Whiteboard: [jsbugmon:update]
Attachments (2 files):
Attachment 8817580 (patch, 1.54 KB): Check the result of GetGetterPure; h4writer: review+
Attachment 8820507 (patch, 1.55 KB): (mozilla-aurora) Check the result of GetGetterPure. r=h4writer; arai: review+; jcristau: approval-mozilla-aurora+
Description:
The following testcase crashes on mozilla-central revision 8103c612b79c (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):
(function(global) {
var dump = global.dump;
global.dump = dump;
})(this);
var gTestcases = new Array();
function TestCase(n, d, e, a) {
({}).constructor.defineProperty(gTestcases, gTc++, {
value: this,
});
TestCase.prototype.dump = function() {
dump('\njstest: ' + this.path + ' ' + 'reason: ' + toPrinted(this.reason) + '\n');
}
}
function toPrinted(value) {
value = String(value);
value = value.replace(/\\n/g, 'NL')
}
for (gTc = 0; gTc < gTestcases.length; gTc++) {}
function jsTestDriverEnd() {
for (var i = 0; i < gTestcases.length; i++) {
gTestcases[i].dump();
}
}
var SECTION = "11.4.7";
new TestCase(SECTION, "-('')", -0, -(""));
5 * (this) + delete RegExp.prototype.flags + (0.0).toLocaleString() + (this);
jsTestDriverEnd();
Backtrace:
received signal SIGSEGV, Segmentation fault.
js::IsSelfHostedFunctionWithName (fun=0x0, name=0x7ffff06245b0) at js/src/vm/SelfHosting.cpp:3095
#0 js::IsSelfHostedFunctionWithName (fun=0x0, name=0x7ffff06245b0) at js/src/vm/SelfHosting.cpp:3095
#1 0x0000000000f858fe in js::RegExpPrototypeOptimizableRaw (cx=cx@entry=0x7ffff695f000, proto=0x7ffff068a100, result=result@entry=0x7fffffffb56f "") at js/src/builtin/RegExp.cpp:1611
#2 0x0000000000f85beb in js::RegExpPrototypeOptimizable (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/RegExp.cpp:1583
#3 0x0000000000b71899 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xf85ba0 <js::RegExpPrototypeOptimizable(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#4 0x0000000000b62c4b in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:457
#5 0x0000000000b5598e in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:508
#6 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2919
#7 0x0000000000b629c5 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#8 0x0000000000b62d59 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#9 0x0000000000b5598e in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:508
#10 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2919
#11 0x0000000000b629c5 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#12 0x0000000000b62d59 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#13 0x0000000000b5598e in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:508
#14 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2919
#15 0x0000000000b629c5 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#16 0x0000000000b62d59 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#17 0x0000000000b5598e in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:508
#18 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2919
#19 0x0000000000b629c5 in js::RunScript (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#20 0x0000000000b6aa99 in js::ExecuteKernel (cx=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:684
#21 0x0000000000b6ae78 in js::Execute (cx=cx@entry=0x7ffff695f000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:717
#22 0x000000000090915b in ExecuteScript (cx=0x7ffff695f000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4391
#23 0x0000000000917ab0 in JS_ExecuteScript (cx=0x7ffff695f000, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4424
#24 0x000000000042c2de in RunFile (compileOnly=<optimized out>, file=0x7ffff6952c00, filename=<optimized out>, cx=0x7ffff695f000) at js/src/shell/js.cpp:652
#25 Process (cx=<optimized out>, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:1076
#26 0x0000000000438069 in ProcessArgs (op=0x7fffffffdaa0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7202
#27 Shell (envp=<optimized out>, op=0x7fffffffdaa0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7564
#28 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7944
rax 0x7ffff6995000 140737330630656
rbx 0x7ffff068a100 140737226776832
rcx 0x7ffff695f000 140737330409472
rdx 0x7ffff06842b0 140737226752688
rsi 0x7ffff06245b0 140737226360240
rdi 0x0 0
rbp 0x7fffffffb550 140737488336208
rsp 0x7fffffffb4b8 140737488336056
r8 0x7ffff02354e0 140737222235360
r9 0x1b 27
r10 0x7ffff06d88a8 140737227098280
r11 0x7ffff06d8881 140737227098241
r12 0x7fffffffb500 140737488336128
r13 0x7ffff695f000 140737330409472
r14 0x7fffffffb56f 140737488336239
r15 0x7ffff692c000 140737330200576
rip 0xbbe9c0 <js::IsSelfHostedFunctionWithName(JSFunction*, JSAtom*)>
=> 0xbbe9c0 <js::IsSelfHostedFunctionWithName(JSFunction*, JSAtom*)>: movzwl 0x22(%rdi),%edx
0xbbe9c4 <js::IsSelfHostedFunctionWithName(JSFunction*, JSAtom*)+4>: xor %eax,%eax
Updated (9 years ago): Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 (9 years ago):
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/2d56da58f489
user: Tooru Fujisawa
date: Tue Oct 25 19:09:13 2016 +0900
summary: Bug 1263340 - Part 5: Check RegExp.prototype.flags getter in RegExpPrototypeOptimizable. r=till
This iteration took 239.772 seconds to run.
Arai-san, is bug 1263340 a likely regressor?
Blocks: 1263340
Flags: needinfo?(arai.unmht)
Comment 3 (9 years ago, Assignee):
Thanks, yes. I'll fix it today.
Comment 4 (9 years ago, Assignee):
Updated (9 years ago, Assignee):
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Comment 5 (9 years ago, Assignee):
Comment on attachment 8817580 [details] [diff] [review]
Check the result of GetGetterPure
The issue is that GetGetterPure may return true with out-parameter null.
Added the check.
Result<> may improve the situation, but I'll leave it to another bug.
Flags: needinfo?(arai.unmht)
Attachment #8817580 -
Flags: review?(hv1989)
Comment 6 (9 years ago):
Comment on attachment 8817580 [details] [diff] [review]
Check the result of GetGetterPure
Review of attachment 8817580 [details] [diff] [review]:
-----------------------------------------------------------------
lgtm
::: js/src/builtin/RegExp.cpp
@@ +1610,5 @@
>
> + if (!flagsGetter) {
> + *result = false;
> + return true;
> + }
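Review bot: The check folds "no getter found" into `*result = false; return true;`, i.e. a non-error, not-optimizable verdict rather than a failure, which is the right direction given that the surrounding code uses the return value for success/failure and *result for the verdict; a one-line comment above the `if (!flagsGetter)` saying that GetGetterPure can succeed with a null out-parameter (the testcase gets there by `delete RegExp.prototype.flags` before `value.replace(/\\n/g, 'NL')`) would stop the next reader from taking it for an error path and "correcting" it to `return false`. A regression test that deletes RegExp.prototype.flags and then calls String.prototype.replace with a RegExp, the path the backtrace shows reaching RegExpPrototypeOptimizable, should land with the patch.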
Another solution would be to support nullptr in IsSelfHostedFunctionWithName and return false for that?
Attachment #8817580 -
Flags: review?(hv1989) → review+
Comment 7 (9 years ago, Assignee):
https://hg.mozilla.org/integration/mozilla-inbound/rev/c9d3669dc5133a29944acb1353101c7bf905e914
Bug 1322319 - Check the result of GetGetterPure. r=h4writer
Comment 8 (9 years ago):
We should use GetOwnGetterPure (add it if it does not exist) to check the flags getter, instead of GetGetterPure.
Flags: needinfo?(arai.unmht)
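A model of the out-parameter contract discussed in comment 5 and comment 8, added here as an example; it is not SpiderMonkey code and nothing in it comes from the patches above. It mimics the shape of js::GetGetterPure (prototype-chain walk, success flag plus out-parameter), the own-property variant comment 8 asks for, and js::IsSelfHostedFunctionWithName, which dereferences its argument unconditionally, and it shows the pre-fix and post-fix shape of RegExpPrototypeOptimizableRaw side by side. The struct layouts, the Proxy stand-in `opaque`, the self-hosted getter name "RegExpFlagsGetter", the Check enum and the sample object graph are all assumptions made for the illustration.

```cpp
#include <cstdio>
#include <initializer_list>
#include <map>
#include <string>

// Constructed stand-ins for JSFunction and for a native object with accessor properties.
struct Function { std::string name; bool selfHosted; };
struct Object {
    std::map<std::string, const Function*> getters;  // accessor properties only
    const Object* proto = nullptr;
    bool opaque = false;  // stands in for a Proxy: the lookup cannot be answered without running code
};

// Assumed name of the self-hosted RegExp.prototype.flags getter.
static const std::string kFlagsGetterName = "RegExpFlagsGetter";

// Shape of js::IsSelfHostedFunctionWithName: fun is dereferenced unconditionally, so a
// null argument is the crash in the report (movzwl 0x22(%rdi) with rdi == 0).
static bool IsSelfHostedFunctionWithName(const Function* fun, const std::string& name) {
    return fun->selfHosted && fun->name == name;
}

// Shape of js::GetGetterPure: walks the prototype chain. The return value only says whether
// the lookup completed without running code; the getter comes back through the out-parameter
// and is nullptr when no accessor of that name exists anywhere on the chain.
static bool GetGetterPure(const Object* obj, const std::string& name, const Function** getter) {
    for (const Object* o = obj; o; o = o->proto) {
        if (o->opaque) return false;
        auto it = o->getters.find(name);
        if (it != o->getters.end()) { *getter = it->second; return true; }
    }
    *getter = nullptr;  // success, nothing found
    return true;
}

// Own-property variant in the shape comment 8 suggests (assumed, not the real API).
static bool GetOwnGetterPure(const Object* obj, const std::string& name, const Function** getter) {
    if (obj->opaque) return false;
    auto it = obj->getters.find(name);
    *getter = it != obj->getters.end() ? it->second : nullptr;
    return true;
}

enum class Check { BeforeFix, AfterFixChain, AfterFixOwn };

// Shape of RegExpPrototypeOptimizableRaw before and after the patch. Before the fix the
// out-parameter is trusted whenever the lookup succeeded; after it, a null getter is a
// "not optimizable" verdict (*result = false, return true), not an error (return false).
static bool RegExpPrototypeOptimizableRaw(const Object* proto, bool* result, Check check) {
    const Function* flagsGetter = nullptr;
    bool ok = check == Check::AfterFixOwn ? GetOwnGetterPure(proto, "flags", &flagsGetter)
                                          : GetGetterPure(proto, "flags", &flagsGetter);
    if (!ok) return false;
    if (check != Check::BeforeFix && !flagsGetter) {
        *result = false;
        return true;
    }
    *result = IsSelfHostedFunctionWithName(flagsGetter, kFlagsGetterName);  // BeforeFix: null deref
    return true;
}

// Constructed object graph RegExp.prototype -> Object.prototype plus one script-level
// mutation. Returns 1 = optimizable, 0 = not optimizable, -1 = lookup could not be answered.
// Do not combine Check::BeforeFix with a mutation that removes the own getter: that is the
// null dereference from the report, and the model reproduces it faithfully.
static int Probe(const std::string& mutation, Check check) {
    Function original{kFlagsGetterName, true};
    Function userDefined{"flags", false};
    Object objectProto, regExpProto;
    regExpProto.proto = &objectProto;
    regExpProto.getters["flags"] = &original;

    if (mutation == "delete") {                 // delete RegExp.prototype.flags
        regExpProto.getters.erase("flags");
    } else if (mutation == "delete+inherit") {  // ...then a user getter on Object.prototype
        regExpProto.getters.erase("flags");
        objectProto.getters["flags"] = &userDefined;
    } else if (mutation == "move") {            // the original getter moved up the chain
        regExpProto.getters.erase("flags");
        objectProto.getters["flags"] = &original;
    } else if (mutation == "proxy") {           // lookup cannot be answered purely
        regExpProto.opaque = true;
    }

    bool result = false;
    if (!RegExpPrototypeOptimizableRaw(&regExpProto, &result, check)) return -1;
    return result ? 1 : 0;
}

int main() {
    for (const char* m : {"intact", "delete", "delete+inherit", "move", "proxy"})
        std::printf("%-15s chain=%2d own=%2d\n", m, Probe(m, Check::AfterFixChain), Probe(m, Check::AfterFixOwn));
    std::printf("%-15s before-fix=%2d\n", "intact", Probe("intact", Check::BeforeFix));
    return 0;
}
```

The pre-fix shape is only exercised on the untouched prototype. With the getter deleted, the chain lookup returns true with a null out-parameter and the pre-fix code hands that null straight to IsSelfHostedFunctionWithName, which is the crash in the report; the post-fix shape turns the null into "not optimizable" and returns success, so the caller takes the generic path. The "move" case is where the two lookups give different answers: with the original getter moved from RegExp.prototype to Object.prototype, the chain walk still finds it and reports optimizable, while the own-property lookup reports not optimizable. The "proxy" case shows the other leg of the contract, a lookup that cannot be answered purely, which both variants report as failure rather than as a verdict.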
Comment 9 (9 years ago, bugherder):
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Updated (9 years ago, Assignee):
status-firefox50: --- → unaffected
status-firefox51: --- → unaffected
status-firefox52: --- → affected
status-firefox-esr45: --- → unaffected
Comment 10 (9 years ago, Assignee):
Approval Request Comment
> [Feature/Bug causing the regression]
bug 1263340
> [User impact if declined]
crash by executing JavaScript
> [Is this code covered by automated tests?]
Yes
> [Has the fix been verified in Nightly?]
Yes
> [Needs manual test from QE? If yes, steps to reproduce]
No
> [List of other uplifts needed for the feature/fix]
Bug 1323108 needs to be uplifted *after* this.
> [Is the change risky?]
No
> [Why is the change risky/not risky?]
It adds null check
> [String changes made/needed]
None
Attachment #8820507 -
Flags: review+
Attachment #8820507 -
Flags: approval-mozilla-aurora?
Comment 11 (9 years ago):
Comment on attachment 8820507 [details] [diff] [review]
(mozilla-aurora) Check the result of GetGetterPure. r=h4writer
add null check to fix js crash in aurora52
Attachment #8820507 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 12 (9 years ago, bugherder uplift):