Closed Bug 590083
Opened 13 years ago, Closed 13 years ago
JM: Crash [@ js_DeflateString]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: gkw, Assigned: dvander
Keywords: crash, regression, testcase; Whiteboard: fixed-in-tracemonkey
Attachments (1 file, 1 obsolete file): patch, 3.72 KB, dmandelin: review+
L = ""
for (a = 0; a < 7; a++) {
  (eval("\
  (function() {\
    for each(var x in this) {\
      function x(){}\
      print(x)\
    }\
  })\
  "))()
}

crashes js opt shell on JM changeset e42b505b43f3 with -m but without -j at js_DeflateString

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0027d000
0x000f2bcf in js_DeflateString ()
(gdb) bt
#0  0x000f2bcf in js_DeflateString ()
#1  0x0000f1bf in JS_EncodeString ()
#2  0x00004c6f in Print ()
#3  0x001d5a07 in js::mjit::stubs::SlowCall ()
#4  0x002d7868 in ?? ()
#5  0x00189152 in js::mjit::JaegerShot ()
#6  0x0006fdb1 in js::Execute ()
#7  0x00014bb8 in JS_ExecuteScript ()
#8  0x0000564c in Process ()
#9  0x000093c7 in shell ()
#10 0x000098f8 in main ()
(gdb) x/i $eip
0xf2bcf <_Z16js_DeflateStringP9JSContextPKtm+591>: movzwl (%ecx,%edx,2),%eax
(gdb) x/b $ecx
0x233860 <js_FunctionClass>: 0x56
(gdb) x/b $edx
0x24bd0 <_ZNK9JSContext12generatorForEP12JSStackFrame+80>: 0x8b
(gdb) x/b $eax
0x0: Cannot access memory at address 0x0
Reporter, Comment 1 • 13 years ago
eval("\
(function(){\
  for(var w in [0]) {\
    function w(){}\
    print(w)\
  }\
})\
")()

crashes both debug and opt shells on Ubuntu 10.04 at js_DeflateString.

Program received signal SIGSEGV, Segmentation fault.
0x0816e56b in js_DeflateString (cx=0x8397bc8, chars=0x8336400, nchars=8624839) at ../jsstr.cpp:3704
3704    ../jsstr.cpp: No such file or directory.
        in ../jsstr.cpp
(gdb) bt
#0  0x0816e56b in js_DeflateString (cx=0x8397bc8, chars=0x8336400, nchars=8624839) at ../jsstr.cpp:3704
#1  0x08071e1f in JS_EncodeString (cx=0x8397bc8, str=0xf7502540) at ../jsapi.cpp:5241
#2  0x0804d805 in Print (cx=0x8397bc8, argc=1, vp=0xf77ac178) at ../../shell/js.cpp:1090
#3  0x08262936 in js::mjit::stubs::SlowCall (f=..., argc=1) at ../methodjit/InvokeHelpers.cpp:394
#4  0xf76a46f9 in ?? ()
#5  0x0821aaa4 in EnterMethodJIT (cx=0x8397bc8, fp=0xf77ac0a8, code=0xf76a405c, safePoint=0x0) at ../methodjit/MethodJIT.cpp:757
#6  0x0821ac0a in js::mjit::JaegerShot (cx=0x8397bc8) at ../methodjit/MethodJIT.cpp:785
#7  0x080dddff in js::RunScript (cx=0x8397bc8, script=0x839d2f8, fun=0x0, scopeChain=0xf7502000) at ../jsinterp.cpp:465
#8  0x080ded75 in js::Execute (cx=0x8397bc8, chain=0xf7502000, script=0x839d2f8, down=0x0, flags=0, result=0xffffd200) at ../jsinterp.cpp:945
#9  0x08070f46 in JS_ExecuteScript (cx=0x8397bc8, obj=0xf7502000, script=0x839d2f8, rval=0xffffd200) at ../jsapi.cpp:4762
#10 0x0804c42b in Process (cx=0x8397bc8, obj=0xf7502000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:535
#11 0x0804cfbd in ProcessArgs (cx=0x8397bc8, obj=0xf7502000, argv=0xffffd408, argc=1) at ../../shell/js.cpp:862
#12 0x08055c2d in shell (cx=0x8397bc8, argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5151
#13 0x08055d49 in main (argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5247
(gdb) x/i $eip
=> 0x816e56b <_Z16js_DeflateStringP9JSContextPKtj+316>: movzwl (%eax),%eax
(gdb) x/b $eax
0x83bc000: Cannot access memory at address 0x83bc000
Assignee, Comment 2 • 13 years ago
This is related to, but not a duplicate of, bug 584603. The compiler doesn't know the DEFFUN aliases a local slot, and thus the variable is not tracked properly.
Assignee, Comment 3 • 13 years ago
This will be security sensitive by the time JM lands, so we should fix. Three possibilities; I'm leaning toward #2 or #3 as a fast fallback.
1) Parser: Fix both bugs at once, by introducing the planned new binding for function statements.
2) Compiler: Spot-fix by peeking at the name in DEFFUN, and checking for intervening names on the scope chain.
3) Parser: Rewrite the DEFFUN to LAMBDA+SETLOCAL if we detect that it aliases a local variable in the parser.
Assignee, Comment 4 • 13 years ago
This needs a quick fix, so I'm taking approach #2.
Assignee, Comment 5 • 13 years ago
Attachment #472671 - Attachment is obsolete: true
Attachment #472677 - Flags: review?(dmandelin)
Attachment #472671 - Flags: review?(dmandelin)
Updated • 13 years ago
Attachment #472677 - Flags: review?(dmandelin) → review+
Assignee, Comment 6 • 13 years ago
http://hg.mozilla.org/tracemonkey/rev/5a12156930e9
Whiteboard: fixed-in-tracemonkey
Comment 7 • 13 years ago
dvander: Will this bug fix crashes such as https://crash-stats.mozilla.com/report/index/5ff8363b-62f3-4042-922e-87d1d2100902?
Assignee, Comment 8 • 13 years ago
Hrm, it's hard to tell from that, but it might.
Assignee, Updated • 13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated • 12 years ago
Crash Signature: [@ js_DeflateString]
Comment 9 • 10 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug590083.js.
Flags: in-testsuite+