Closed Bug 452491 Opened 16 years ago Closed 16 years ago

TM: Null deref [@ JITted code] with |new|

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

./js -j c.js
Bus error

I can only reproduce by giving ./js a file, not by pasting into the interactive shell.  c.js is:

for (var j=0;j<5;++j) (new (function(q) q)).a;

I'm testing using the tracemonkey branch.
Quick analysis: we're shoving a JSVAL_VOID (2) into the tracker, and somewhere that value is turning into an Object without being updated in the tracker.

Eventually, getProp() sees JSVAL_IS_PRIMITIVE(v) being false but gets a 2 from the tracker and performs a load against it which fails.

Will look more into it tomorrow.
Pushed fix as changeset da0c32f2b9a2.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Summary: Null deref [@ JITted code] with |new| → TM: Null deref [@ JITted code] with |new|
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-452491.js,v  <--  regress-452491.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/432b17b45f82
Flags: in-testsuite+
Flags: in-litmus-
this test should have been in js18

Removing js1_5/Regress/regress-452491.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-452491.js,v  <--  regress-452491.js
new revision: delete; previous revision: 1.1
done
RCS file: /cvsroot/mozilla/js/tests/js1_8/regress/regress-452491.js,v
done
Checking in js1_8/regress/regress-452491.js;
/cvsroot/mozilla/js/tests/js1_8/regress/regress-452491.js,v  <--  regress-452491.js
initial revision: 1.1
done


http://hg.mozilla.org/mozilla-central/rev/e00cb9492acb
Crash Signature: [@ JITted code]
You need to log in before you can comment on or make changes to this bug.