Minimal embedding crash in JS_NewContext

RESOLVED DUPLICATE of bug 1176787

Core
JavaScript Engine

(Reporter: ptomato, Unassigned)

(Reporter)

Description

9 months ago
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce:

I am compiling and running this minimal embedding program with SpiderMonkey 45.0.2:

    #include "js-config.h"
    #include "jsapi.h"
    #include "js/Initialization.h"

    int main(int argc, const char *argv[])
    {
        // One-time engine initialization; must precede any other JSAPI call.
        JS_Init();

        // Runtime with an 8 MB GC heap limit (the maxbytes argument).
        JSRuntime *rt = JS_NewRuntime(8L * 1024 * 1024);
        if (!rt)
            return 1;

        // Context with an 8 KiB stack chunk size; this is the call that crashes.
        JSContext *cx = JS_NewContext(rt, 8192);
        if (!cx)
            return 1;

        // Tear down in reverse order of creation.
        JS_DestroyContext(cx);
        JS_DestroyRuntime(rt);
        JS_ShutDown();
        return 0;
    }

I have tried it both with and without --enable-debug. The program segfaults.
Actual results:

Here is the backtrace:

#0  0x0000000000000000 in ?? ()
#1  0x00007ffff787a411 in hash (l=..., l=...)
    at /home/philip/checkout/mozjs-45.0.2/js/src/jsscript.h:2411
#2  prepareHash (l=<synthetic pointer>)
    at ../../dist/include/js/HashTable.h:1126
#3  lookupForAdd (l=<synthetic pointer>, this=0x60a790)
    at ../../dist/include/js/HashTable.h:1638
#4  lookupForAdd (l=<synthetic pointer>, this=<optimized out>)
    at ../../dist/include/js/HashTable.h:386
#5  SaveSharedScriptData (cx=cx@entry=0x6210a0, script=..., ssd=0x62c870, 
    nsrcnotes=1) at /home/philip/checkout/mozjs-45.0.2/js/src/jsscript.cpp:2502
#6  0x00007ffff787ae7f in JSScript::fullyInitTrivial (cx=cx@entry=0x6210a0, 
    script=..., script@entry=...)
    at /home/philip/checkout/mozjs-45.0.2/js/src/jsscript.cpp:2886
#7  0x00007ffff78115e1 in CreateFunctionPrototype (cx=0x6210a0, 
    key=<optimized out>)
    at /home/philip/checkout/mozjs-45.0.2/js/src/jsfun.cpp:785
#8  0x00007ffff7930ec5 in js::GlobalObject::resolveConstructor (
    cx=cx@entry=0x6210a0, global=..., key=key@entry=JSProto_Function)
    at /home/philip/checkout/mozjs-45.0.2/js/src/vm/GlobalObject.cpp:158
#9  0x00007ffff7931563 in js::GlobalObject::ensureConstructor (
    cx=cx@entry=0x6210a0, global=..., global@entry=..., 
    key=key@entry=JSProto_Function)
    at /home/philip/checkout/mozjs-45.0.2/js/src/vm/GlobalObject.cpp:98
#10 0x00007ffff76f29b9 in CreateObjectConstructor (cx=0x6210a0, 
    key=<optimized out>)
    at /home/philip/checkout/mozjs-45.0.2/js/src/builtin/Object.cpp:1035
#11 0x00007ffff7930f54 in js::GlobalObject::resolveConstructor (
    cx=cx@entry=0x6210a0, global=..., key=key@entry=JSProto_Object)
    at /home/philip/checkout/mozjs-45.0.2/js/src/vm/GlobalObject.cpp:166
#12 0x00007ffff7931563 in js::GlobalObject::ensureConstructor (
    cx=cx@entry=0x6210a0, global=..., global@entry=..., 
    key=key@entry=JSProto_Object)
    at /home/philip/checkout/mozjs-45.0.2/js/src/vm/GlobalObject.cpp:98
#13 0x00007ffff73a1f2a in getOrCreateObjectPrototype (cx=0x6210a0, 
    this=<optimized out>)
    at /home/philip/checkout/mozjs-45.0.2/js/src/vm/GlobalObject.h:342
#14 CreateArrayPrototype (cx=0x6210a0, key=<optimized out>)
    at /home/philip/checkout/mozjs-45.0.2/js/src/jsarray.cpp:3235
#15 0x00007ffff7935cfa in InitBareBuiltinCtor (cx=cx@entry=0x6210a0, 
    global=..., global@entry=..., protoKey=protoKey@entry=JSProto_Array)
    at /home/philip/checkout/mozjs-45.0.2/js/src/vm/GlobalObject.cpp:368
#16 0x00007ffff7936038 in js::GlobalObject::initSelfHostingBuiltins (
    cx=cx@entry=0x6210a0, global=global@entry=..., 
    builtins=builtins@entry=0x7ffff7dc7080 <intrinsic_functions>)
    at /home/philip/checkout/mozjs-45.0.2/js/src/vm/GlobalObject.cpp:413
#17 0x00007ffff7a169c6 in JSRuntime::createSelfHostingGlobal (
    cx=cx@entry=0x6210a0)
    at /home/philip/checkout/mozjs-45.0.2/js/src/vm/SelfHosting.cpp:1730
#18 0x00007ffff7a16c56 in JSRuntime::initSelfHosting (
    this=this@entry=0x601e10, cx=cx@entry=0x6210a0)
    at /home/philip/checkout/mozjs-45.0.2/js/src/vm/SelfHosting.cpp:1754
#19 0x00007ffff77b7153 in js::NewContext (rt=0x601e10, 
    stackChunkSize=<optimized out>)
    at /home/philip/checkout/mozjs-45.0.2/js/src/jscntxt.cpp:122
#20 0x00000000004008b1 in main (argc=1, argv=0x7fffffffd978) at test45.cpp:13

Looks like mozilla::HashBytes() is never reached because of stack corruption. Also, the hash(l=..., l=...) in frame 1 looks suspicious because as far as I can tell that function only has one argument.
Expected results:

I would expect this program to do nothing and exit successfully.

(Reporter)

Comment 1

9 months ago
The patch in bug 1176787 fixes this.
(Reporter)

Updated

9 months ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1176787