Closed Bug 563034 Opened 15 years ago Closed 15 years ago

Crash [@ js_GetUpvar]

Categories

(Core :: JavaScript Engine, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla1.9.3a5
Tracking Status
status1.9.2 --- wanted

People

(Reporter: jruderman, Assigned: brendan)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:dos] fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

Removing the line "a = 3;" from bug560234b.js leads to a crash [@ js_GetUpvar]. This bug exists even in an older version, before the fix for bug 560234.

Here's a slightly simpler testcase:

function f(a) { function g() { yield function () a; } return g(); }
var x;
f(7).next()();

Simpler:

function f(a) { function g() { yield function () a; } return g(); }
f(7).next()();
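The reporter's testcase uses SpiderMonkey's legacy generators and expression closures (`yield function () a`), which current engines reject as a syntax error. The block below is an added example, not the attachment from this bug: it rewrites the same shape in ES2015 syntax (`function*`, arrow closures) so the semantics the crash concerned, a closure created inside a generator frame reading an outer parameter, can be checked as a plain regression test in a current engine such as Node. The `fReassigned` variant is constructed here from the report's remark about the "a = 3;" line and is not a copy of bug560234b.js.

```javascript
// Added example, not from the bug report or its attachment.
// The reporter's testcase in ES2015 syntax: a generator yields a closure
// that captures the enclosing function's parameter `a`.
function f(a) {
  function* g() {
    yield () => a;
  }
  return g();
}

// Constructed variant: `a` is written before the closure is created.
// The report notes that bug560234b.js contained an "a = 3;" line and that
// removing it exposed the crash, so both shapes are worth exercising.
function fReassigned(a) {
  a = 3;
  function* g() {
    yield () => a;
  }
  return g();
}

// Mirrors `f(7).next()();` from the report: resume the generator once,
// take the yielded closure, call it, and return what it read.
function runTestcase() {
  return f(7).next().value();
}

function runReassignedTestcase() {
  return fReassigned(7).next().value();
}

// Constructed variant: the captured variable is written *after* the closure
// exists, between two yields. A correct engine must let the closure observe
// the live binding rather than a value snapshotted when it was created.
function runLateWrite() {
  function h(a) {
    function* g() {
      const read = () => a;
      yield read;
      a = a + 1;
      yield read;
    }
    return g();
  }
  const it = h(7);
  const first = it.next().value();   // closure reads 7
  const second = it.next().value();  // same closure now reads 8
  return [first, second];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runTestcase(), runReassignedTestcase(), runLateWrite());
}
```

Run it with `node` to see `7 3 [ 7, 8 ]`; an engine that mishandled upvar access from a generator frame would either crash (as in the report) or return a stale value in the last case.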
Does this go back to the upvar2 bug, or a more recent regressing change?

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.3a5
Attached patch fix
Attachment #442853 - Flags: review?(jorendorff)
Comment on attachment 442853 [details] [diff] [review]
fix

Looks like a strict improvement, but as mentioned on IRC, I'm not sure ->isFunArg() means what we're using it to mean. As Waldo suggests, we'd probably be better off adding another method with the right name and semantics.
Attachment #442853 - Flags: review?(jorendorff) → review+
Whiteboard: fixed-in-tracemonkey
(In reply to comment #2)
> Does this go back to the upvar2 bug, or a more recent regressing change?
>
> /be

autoBisect shows this is probably related to bug 492914:

The first bad revision is:
changeset:   28181:010768e6119c
user:        Brendan Eich
date:        Wed May 13 23:01:08 2009 -0700
summary:     Bug 492914 - TM: trace aborts due to flat closure analysis bug (r=mrbkap).

Stack:

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000018
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin   0x000631db js_GetUpvar + 27
1   js-opt-32-tm-darwin   0x0004ead0 js_NewFlatClosure + 544
2   js-opt-32-tm-darwin   0x0005a169 js_Interpret + 22073
3   js-opt-32-tm-darwin   0x00066f9f SendToGenerator(JSContext*, JSGeneratorOp, JSObject*, JSGenerator*, long) + 159
4   js-opt-32-tm-darwin   0x000673fa generator_op(JSContext*, JSGeneratorOp, long*, unsigned int) + 218
5   js-opt-32-tm-darwin   0x0005daec js_Interpret + 36796
6   js-opt-32-tm-darwin   0x00064383 js_Execute + 531
7   js-opt-32-tm-darwin   0x0000f1cc JS_ExecuteScript + 60
8   js-opt-32-tm-darwin   0x00004c3f Process(JSContext*, JSObject*, char*, int) + 1647
9   js-opt-32-tm-darwin   0x00008c7a main + 1626
10  js-opt-32-tm-darwin   0x0000276d _start + 208
11  js-opt-32-tm-darwin   0x0000269c start + 40

gdb info:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000018
0x000631db in js_GetUpvar ()
(gdb) bt
#0  0x000631db in js_GetUpvar ()
#1  0x0004ead0 in js_NewFlatClosure ()
#2  0x0005a169 in js_Interpret ()
#3  0x00066f9f in SendToGenerator ()
#4  0x000673fa in generator_op ()
#5  0x0005daec in js_Interpret ()
#6  0x00064383 in js_Execute ()
#7  0x0000f1cc in JS_ExecuteScript ()
#8  0x00004c3f in Process ()
#9  0x00008c7a in main ()
(gdb) x/i $eip
0x631db <js_GetUpvar+27>:  mov    0x18(%edx),%eax
(gdb) x/1b $edx
0x0:  Cannot access memory at address 0x0

Looks like a null +18 dereference.
Blocks: 492914
Severity: normal → critical
blocking1.9.2: --- → ?
Keywords: regression
Whiteboard: fixed-in-tracemonkey → [ccbr][sg:dos] fixed-in-tracemonkey
blocking1.9.2: ? → needed
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Can't remember why we marked it "needed" -- doesn't appear to be a topcrash or a security problem. Lowering to "wanted", if you want to patch the branch please request approval.
blocking1.9.2: needed → ---
Crash Signature: [@ js_GetUpvar]
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+