JM: Crash [@ js_PutCallObject] or "Assertion failure: f.fp->callobj,"

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 7 years ago
Last modified: 5 years ago
Reporter: gkw
Assignee: Unassigned
Blocks: 1 bug
Keywords: assertion, regression, testcase
Version: Trunk
Platform: x86
OS: Mac OS X
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)

Details

Description (Reporter, 7 years ago)

function f() {
  eval("function(){for(x in[]){}}")
  function() {} ("")()
}
f()

asserts js debug shell with -m on JM tip at Assertion failure: f.fp->callobj, at ../methodjit/InvokeHelpers.cpp:549

===

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00154857 in JS_Assert (s=0x23e41a "f.fp->callobj", file=0x23e370 "../methodjit/InvokeHelpers.cpp", ln=549) at ../jsutil.cpp:77
77          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x00154857 in JS_Assert (s=0x23e41a "f.fp->callobj", file=0x23e370 "../methodjit/InvokeHelpers.cpp", ln=549) at ../jsutil.cpp:77
#1  0x00216652 in js::mjit::stubs::PutCallObject (f=@0xbffff350) at ../methodjit/InvokeHelpers.cpp:549
#2  0x003ef2eb in ?? ()
#3  0x001df987 in js::mjit::JaegerShot (cx=0x809400) at ../methodjit/MethodJIT.cpp:638
#4  0x000ade2c in js::RunScript (cx=0x809400, script=0x40ce70, fun=0x0, scopeChain=0x701000) at jsinterp.cpp:458
#5  0x000ae3f8 in js::Execute (cx=0x809400, chain=0x701000, script=0x40ce70, down=0x0, flags=0, result=0xbffff570) at jsinterp.cpp:890
#6  0x00013717 in JS_ExecuteScript (cx=0x809400, obj=0x701000, script=0x40ce70, rval=0xbffff570) at ../jsapi.cpp:4485
#7  0x0000c00e in Process (cx=0x809400, obj=0x701000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:519
#8  0x0000ca13 in ProcessArgs (cx=0x809400, obj=0x701000, argv=0xbffff744, argc=1) at ../../shell/js.cpp:846
#9  0x0000cb26 in shell (cx=0x809400, argc=1, argv=0xbffff744, envp=0xbffff74c) at ../../shell/js.cpp:5024
#10 0x0000cc4a in main (argc=1, argv=0xbffff744, envp=0xbffff74c) at ../../shell/js.cpp:5113

Comment 1 (Reporter, 7 years ago)

This also seems to cause a null dereference:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000020
0x0005051e in js_PutCallObject ()
(gdb) bt
#0  0x0005051e in js_PutCallObject ()
#1  0x001b7a18 in js::mjit::stubs::PutCallObject ()
#2  0x002d3237 in ?? ()
#3  0x001860cd in js::mjit::JaegerShot ()
#4  0x0006eb7a in js::Execute ()
#5  0x000106e8 in JS_ExecuteScript ()
#6  0x00004940 in Process ()
#7  0x00008dd7 in shell ()
#8  0x00009208 in main ()
(gdb) x/i $eip
0x5051e <_Z16js_PutCallObjectP9JSContextP12JSStackFrame+206>:   mov    %ebx,0x20(%ecx)
(gdb) x/b $ebx 
0x0:    Cannot access memory at address 0x0
Summary: JM: "Assertion failure: f.fp->callobj," → JM: Crash [@ js_PutCallObject] or "Assertion failure: f.fp->callobj,"
http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/977696225e6e

test-case pushed in a followup commit. thanks!
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug573433.js.
Flags: in-testsuite+