Closed Bug 543436 Opened 14 years ago Closed 14 years ago

Crash [@ JSFunctionBox::joinable] or [@ JSCompiler::setFunctionKinds]

Categories: Core :: JavaScript Engine, defect, P1

Tracking: RESOLVED FIXED, target milestone mozilla1.9.3a2

People: Reporter: gkw, Assigned: brendan

Details: Keywords: crash, regression, testcase; Whiteboard: fixed-in-tracemonkey [ccbr]

Attachments: 1 file, 1 obsolete file

(function() {
  try {
    eval("\
      function() {\
        if (3)\
        (1 for (x in []));\
        else \
        (this._ = function(){})\
      }\
    ");
  } catch(e) {}
})()


crashes js debug shell on TM tip without -j at JSFunctionBox::joinable near null and crashes js opt shell on TM tip without -j at JSCompiler::setFunctionKinds near null.

autoBisect shows this is probably related to bug 536564:

The first bad revision is:
changeset:   37039:f6b37dc8709e
user:        Brendan Eich
date:        Thu Jan 14 14:22:00 2010 -0800
summary:     Fast followup fix for thinko (536564, r=jorendorff).

===

js opt shell stacktrace:

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000008
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin           	0x0008f64d JSCompiler::setFunctionKinds(JSFunctionBox*, unsigned int&) + 429
1   js-opt-32-tm-darwin           	0x000a2b7b JSCompiler::compileScript(JSContext*, JSObject*, JSStackFrame*, JSPrincipals*, unsigned int, unsigned short const*, unsigned long, __sFILE*, char const*, unsigned int, JSString*, unsigned int) + 955
2   js-opt-32-tm-darwin           	0x0007367a obj_eval(JSContext*, JSObject*, unsigned int, long*, long*) + 2362
3   js-opt-32-tm-darwin           	0x0005f8ac js_Invoke + 1180
4   js-opt-32-tm-darwin           	0x0005540f js_Interpret + 25007
5   js-opt-32-tm-darwin           	0x0005f0c1 js_Execute + 625
6   js-opt-32-tm-darwin           	0x0000debc JS_ExecuteScript + 60
7   js-opt-32-tm-darwin           	0x00004c28 Process(JSContext*, JSObject*, char*, int) + 1336
8   js-opt-32-tm-darwin           	0x00008ca6 main + 1734
9   js-opt-32-tm-darwin           	0x00002bcd _start + 208
10  js-opt-32-tm-darwin           	0x00002afc start + 40
Attached patch: fix (obsolete)
D'oh.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #427694 - Flags: review?(jorendorff)
Thanks, Gary -- could not do it without your fuzzing efforts.

/be
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.3a2
Attached patch: fix, v2
I had this patch originally, and then "simplified" too much without running trace-test. Writing "I will not [do that again]" 100x on the blackboard...

/be
Attachment #427694 - Attachment is obsolete: true
Attachment #427698 - Flags: review?(jorendorff)
Attachment #427694 - Flags: review?(jorendorff)
Attachment #427698 - Flags: review?(jorendorff) → review+
Gotta keep the fuzzer happy.

http://hg.mozilla.org/tracemonkey/rev/61d3e2eec985

/be
Whiteboard: [ccbr] → fixed-in-tracemonkey [ccbr]
Rats, wrong words in commit message, right bug number. See bug 546069.

/be
http://hg.mozilla.org/mozilla-central/rev/61d3e2eec985
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ JSFunctionBox::joinable] [@ JSCompiler::setFunctionKinds]
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
