Closed
Bug 590083
Opened 15 years ago
Closed 15 years ago
JM: Crash [@ js_DeflateString]
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED
People: Reporter: gkw, Assigned: dvander
Keywords: crash, regression, testcase; Whiteboard: fixed-in-tracemonkey
Attachments (1 file, 1 obsolete file): patch, 3.72 KB, dmandelin: review+
L = ""
for (a = 0; a < 7; a++) {
(eval("\
(function() {\
for each(var x in this) {\
function x(){}\
print(x)\
}\
})\
"))()
}
crashes js opt shell on JM changeset e42b505b43f3 with -m but without -j at js_DeflateString
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0027d000
0x000f2bcf in js_DeflateString ()
(gdb) bt
#0 0x000f2bcf in js_DeflateString ()
#1 0x0000f1bf in JS_EncodeString ()
#2 0x00004c6f in Print ()
#3 0x001d5a07 in js::mjit::stubs::SlowCall ()
#4 0x002d7868 in ?? ()
#5 0x00189152 in js::mjit::JaegerShot ()
#6 0x0006fdb1 in js::Execute ()
#7 0x00014bb8 in JS_ExecuteScript ()
#8 0x0000564c in Process ()
#9 0x000093c7 in shell ()
#10 0x000098f8 in main ()
(gdb) x/i $eip
0xf2bcf <_Z16js_DeflateStringP9JSContextPKtm+591>: movzwl (%ecx,%edx,2),%eax
(gdb) x/b $ecx
0x233860 <js_FunctionClass>: 0x56
(gdb) x/b $edx
0x24bd0 <_ZNK9JSContext12generatorForEP12JSStackFrame+80>: 0x8b
(gdb) x/b $eax
0x0: Cannot access memory at address 0x0
Comment 1 (Reporter), 15 years ago
eval("\
(function(){\
for(var w in [0]) {\
function w(){}\
print(w)\
}\
})\
")()
crashes both debug and opt shells on Ubuntu 10.04 at js_DeflateString.
Program received signal SIGSEGV, Segmentation fault.
0x0816e56b in js_DeflateString (cx=0x8397bc8, chars=0x8336400, nchars=8624839) at ../jsstr.cpp:3704
3704 ../jsstr.cpp: No such file or directory.
in ../jsstr.cpp
(gdb) bt
#0 0x0816e56b in js_DeflateString (cx=0x8397bc8, chars=0x8336400, nchars=8624839) at ../jsstr.cpp:3704
#1 0x08071e1f in JS_EncodeString (cx=0x8397bc8, str=0xf7502540) at ../jsapi.cpp:5241
#2 0x0804d805 in Print (cx=0x8397bc8, argc=1, vp=0xf77ac178) at ../../shell/js.cpp:1090
#3 0x08262936 in js::mjit::stubs::SlowCall (f=..., argc=1) at ../methodjit/InvokeHelpers.cpp:394
#4 0xf76a46f9 in ?? ()
#5 0x0821aaa4 in EnterMethodJIT (cx=0x8397bc8, fp=0xf77ac0a8, code=0xf76a405c, safePoint=0x0) at ../methodjit/MethodJIT.cpp:757
#6 0x0821ac0a in js::mjit::JaegerShot (cx=0x8397bc8) at ../methodjit/MethodJIT.cpp:785
#7 0x080dddff in js::RunScript (cx=0x8397bc8, script=0x839d2f8, fun=0x0, scopeChain=0xf7502000) at ../jsinterp.cpp:465
#8 0x080ded75 in js::Execute (cx=0x8397bc8, chain=0xf7502000, script=0x839d2f8, down=0x0, flags=0, result=0xffffd200) at ../jsinterp.cpp:945
#9 0x08070f46 in JS_ExecuteScript (cx=0x8397bc8, obj=0xf7502000, script=0x839d2f8, rval=0xffffd200) at ../jsapi.cpp:4762
#10 0x0804c42b in Process (cx=0x8397bc8, obj=0xf7502000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:535
#11 0x0804cfbd in ProcessArgs (cx=0x8397bc8, obj=0xf7502000, argv=0xffffd408, argc=1) at ../../shell/js.cpp:862
#12 0x08055c2d in shell (cx=0x8397bc8, argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5151
#13 0x08055d49 in main (argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5247
(gdb) x/i $eip
=> 0x816e56b <_Z16js_DeflateStringP9JSContextPKtj+316>: movzwl (%eax),%eax
(gdb) x/b $eax
0x83bc000: Cannot access memory at address 0x83bc000
Comment 2 (Assignee), 15 years ago
This is related to, but not a duplicate of, bug 584603. The compiler doesn't know the DEFFUN aliases a local slot, and thus the variable is not tracked properly.
Comment 3 (Assignee), 15 years ago
This will be security sensitive by the time JM lands, so we should fix. Three possibilities; I'm leaning toward #2 or #3 as a fast fallback.
1) Parser: Fix both bugs at once, by introducing the planned new binding for function statements.
2) Compiler: Spot-fix by peeking at the name in DEFFUN, and checking for intervening names on the scope chain.
3) Parser: Rewrite the DEFFUN to LAMBDA+SETLOCAL if we detect that it aliases a local variable in the parser.
Comment 4 (Assignee), 15 years ago
This needs a quick fix, so I'm taking approach #2.
Comment 5 (Assignee), 15 years ago
Attachment #472671 - Attachment is obsolete: true
Attachment #472677 - Flags: review?(dmandelin)
Attachment #472671 - Flags: review?(dmandelin)
Updated, 15 years ago
Attachment #472677 - Flags: review?(dmandelin) → review+
Comment 6 (Assignee), 15 years ago
Whiteboard: fixed-in-tracemonkey
Comment 7, 15 years ago
dvander: Will this bug fix crashes such as https://crash-stats.mozilla.com/report/index/5ff8363b-62f3-4042-922e-87d1d2100902?
Comment 8 (Assignee), 15 years ago
Hrm, it's hard to tell from that, but it might.
Updated (Assignee), 15 years ago
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated, 14 years ago
Crash Signature: [@ js_DeflateString]
Comment 9, 12 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug590083.js.
Flags: in-testsuite+