Closed Bug 577580 Opened 14 years ago Closed 14 years ago

JM: Crash [@ JSObject::isNative] or [@ js::mjit::ic::Name]

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

14 years ago

(function() {
  for (; i;) {
    eval(/@/, "")
  }
})()

crashes js debug shell on JM tip with -m at JSObject::isNative or at js::mjit::ic::Name with a js opt shell with -m.

(Seems to be a null dereference)

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0012b14d in JSObject::isNative (this=0x0) at jsobj.h:295
295         bool isNative() const { return map->ops->isNative(); }
(gdb) bt
#0  0x0012b14d in JSObject::isNative (this=0x0) at jsobj.h:295
#1  0x00228dc4 in js::mjit::ic::Name (f=@0xbffff4a0, index=0) at ../methodjit/PolyIC.cpp:1521
#2  0x006412dc in ?? ()
#3  0x001f1373 in js::mjit::JaegerShot (cx=0x809200) at ../methodjit/MethodJIT.cpp:638
#4  0x000b4a92 in js::RunScript (cx=0x809200, script=0x50d9c0, fun=0x0, scopeChain=0x701000) at jsinterp.cpp:466
#5  0x000b6002 in js::Execute (cx=0x809200, chain=0x701000, script=0x50d9c0, down=0x0, flags=0, result=0xbffff6c0) at jsinterp.cpp:931
#6  0x000173d6 in JS_ExecuteScript (cx=0x809200, obj=0x701000, script=0x50d9c0, rval=0xbffff6c0) at ../jsapi.cpp:4637
#7  0x0000c188 in Process (cx=0x809200, obj=0x701000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:533
#8  0x0000cb8b in ProcessArgs (cx=0x809200, obj=0x701000, argv=0xbffff88c, argc=1) at ../../shell/js.cpp:860
#9  0x0000cca4 in shell (cx=0x809200, argc=1, argv=0xbffff88c, envp=0xbffff894) at ../../shell/js.cpp:5038
#10 0x0000cdc8 in main (argc=1, argv=0xbffff88c, envp=0xbffff894) at ../../shell/js.cpp:5129
(gdb) x/i $eip
0x12b14d <_ZNK8JSObject8isNativeEv+9>:  mov    (%eax),%eax
(gdb) x/b $eax
0x0:    Cannot access memory at address 0x0

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 1

•

14 years ago

During the course of the reduction of the testcase, the following assertion was seen:

Assertion failure: -int32(uint8(-distance)) == distance, at ../methodjit/Compiler.cpp:319

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0015f9ad in JS_Assert (s=0x2599f4 "-int32(uint8(-distance)) == distance", file=0x259310 "../methodjit/Compiler.cpp", ln=319) at ../jsutil.cpp:77
77          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x0015f9ad in JS_Assert (s=0x2599f4 "-int32(uint8(-distance)) == distance", file=0x259310 "../methodjit/Compiler.cpp", ln=319) at ../jsutil.cpp:77
#1  0x0020e1b4 in js::mjit::Compiler::finishThisUp (this=0xbfffdbd0) at ../methodjit/Compiler.cpp:319
#2  0x0020e783 in js::mjit::Compiler::Compile (this=0xbfffdbd0) at ../methodjit/Compiler.cpp:142
#3  0x0020ea36 in js::mjit::TryCompile (cx=0x809200, script=0x52dd90, fun=0x711aa0, scopeChain=0x701000) at ../methodjit/Compiler.cpp:170
#4  0x00235f3c in InlineCall (f=@0xbffff470, flags=0, pret=0xbffff414, argc=2) at ../methodjit/InvokeHelpers.cpp:274
#5  0x00236347 in js::mjit::stubs::SlowCall (f=@0xbffff470, argc=2) at ../methodjit/InvokeHelpers.cpp:374
#6  0x006918b6 in ?? ()
#7  0x001f1373 in js::mjit::JaegerShot (cx=0x809200) at ../methodjit/MethodJIT.cpp:638
#8  0x000b4a92 in js::RunScript (cx=0x809200, script=0x93ec00, fun=0x0, scopeChain=0x701000) at jsinterp.cpp:466
#9  0x000b6002 in js::Execute (cx=0x809200, chain=0x701000, script=0x93ec00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:931
#10 0x000173d6 in JS_ExecuteScript (cx=0x809200, obj=0x701000, script=0x93ec00, rval=0x0) at ../jsapi.cpp:4637
#11 0x0000be19 in Process (cx=0x809200, obj=0x701000, filename=0xbffff97b "tmp1/original.js", forceTTY=0) at ../../shell/js.cpp:440
#12 0x0000cb8b in ProcessArgs (cx=0x809200, obj=0x701000, argv=0xbffff868, argc=2) at ../../shell/js.cpp:860
#13 0x0000cca4 in shell (cx=0x809200, argc=2, argv=0xbffff868, envp=0xbffff874) at ../../shell/js.cpp:5038
#14 0x0000cdc8 in main (argc=2, argv=0xbffff868, envp=0xbffff874) at ../../shell/js.cpp:5129

David Anderson [:dvander] - inactive, e-mail if emergency

Comment 2

•

14 years ago

http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/9ba6da86ba7b

Status: NEW → RESOLVED

Closed: 14 years ago

Resolution: --- → FIXED

Nobody; OK to take it and work on it

Updated

•

13 years ago

Crash Signature: [@ JSObject::isNative] [@ js::mjit::ic::Name]

Christian Holler (:decoder)

Comment 3

•

11 years ago

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug577580.js.

Flags: in-testsuite+

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

JM: Crash [@ JSObject::isNative] or [@ js::mjit::ic::Name]

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2

Updated

Comment 3