Closed Bug 496987 Opened 15 years ago Closed 15 years ago

TM: Crash [@ js_StringToNumber]

Categories

(Core :: JavaScript Engine, defect)

1.9.1 Branch
x86
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 496251

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dupe 496251])

Crash Data

for each(let a in ["", "", true, "", true, "", true]) {
    print((function() {
        for (var e in [0]) {
            print( + a)
        }
    })())
}

Crashes the js debug and opt shells with -j (revision 25910:2d0f0efc8f14) at js_StringToNumber. The gdb stack seems scary, so setting security-sensitive:

[Thread debugging using libthread_db enabled]
js> for each(let a in ["", "", true, "", true, "", true]) {
    print((function() {
        for (var e in [0]) {
            print( + a)
        }
    })())
}
0
undefined
0
undefined
1
undefined
0
undefined
1
undefined
0
undefined
[New Thread 0xb7d706d0 (LWP 4427)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7d706d0 (LWP 4427)]
0x081e5a20 in js_StringToNumber (cx=0x873b9e8, str=0x1) at ../jsbuiltins.cpp:172
172	../jsbuiltins.cpp: No such file or directory.
	in ../jsbuiltins.cpp
(gdb) bt
#0  0x081e5a20 in js_StringToNumber (cx=0x873b9e8, str=0x1) at ../jsbuiltins.cpp:172
#1  0xb7c43eb4 in ?? ()
#2  0xbfd430c8 in ?? ()
#3  0xb7c3ae95 in ?? ()
#4  0xbfd45748 in ?? ()
#5  0x081a1846 in js_MonitorLoopEdge (cx=0x873b9e8, inlineCallCount=@0xbfd45f8c) at ../jstracer.cpp:4804
#6  0x080b39bf in js_Interpret (cx=0x873b9e8) at ../jsinterp.cpp:3308
#7  0x080dddfa in js_Execute (cx=0x873b9e8, chain=0x873f000, script=0x87451c8, down=0x0, flags=0, result=0xbfd46134) at ../jsinterp.cpp:1622
#8  0x08055728 in JS_ExecuteScript (cx=0x873b9e8, obj=0x873f000, script=0x87451c8, rval=0xbfd46134) at ../jsapi.cpp:5036
#9  0x08051ae6 in Process (cx=0x873b9e8, obj=0x873f000, filename=0x0, forceTTY=0) at ../js.cpp:498
#10 0x0805230b in ProcessArgs (cx=0x873b9e8, obj=0x873f000, argv=0xbfd462a8, argc=1) at ../js.cpp:767
#11 0x080526d2 in main (argc=1, argv=0xbfd462a8, envp=0xbfd462b0) at ../js.cpp:4696
(gdb)
Flags: blocking1.9.1?
autoBisect shows this is probably related to bug 495907:

The first bad revision is:
changeset:   28891:b9e104ec562f
user:        David Mandelin
date:        Tue Jun 02 11:52:24 2009 -0700
summary:     Bug 495907: use more reliable code to get outermost tree script nest level, r=gal

However this also seems fixed by the patch in bug 496251.

Dupe of bug 496251, just like bug 496867?
Blocks: 495907
Keywords: regression
(In reply to comment #1)
> Dupe of bug 496251, just like bug 496867?

Yes, it looks like the same thing: an upvar defined in the trace entry frame, and the types vary, so the typemap bug matters.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 496251]
Flags: blocking1.9.1? → blocking1.9.1+
Group: core-security
Flags: wanted1.9.0.x-
Flags: in-testsuite?
Crash Signature: [@ js_StringToNumber]
A testcase for this bug was automatically identified at js/src/jit-test/tests/closures/bug496987.js.
Flags: in-testsuite? → in-testsuite+