Closed Bug 590083 Opened 10 years ago Closed 10 years ago

JM: Crash [@ js_DeflateString]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: dvander)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(1 file, 1 obsolete file)

fix
3.72 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review 
L = ""
for (a = 0; a < 7; a++) {
  (eval("\
    (function() {\
      for each(var x in this) {\
        function x(){}\
        print(x)\
      }\
    })\
  "))()
}

crashes js opt shell on JM changeset e42b505b43f3 with -m but without -j at js_DeflateString

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0027d000
0x000f2bcf in js_DeflateString ()
(gdb) bt
#0  0x000f2bcf in js_DeflateString ()
#1  0x0000f1bf in JS_EncodeString ()
#2  0x00004c6f in Print ()
#3  0x001d5a07 in js::mjit::stubs::SlowCall ()
#4  0x002d7868 in ?? ()
#5  0x00189152 in js::mjit::JaegerShot ()
#6  0x0006fdb1 in js::Execute ()
#7  0x00014bb8 in JS_ExecuteScript ()
#8  0x0000564c in Process ()
#9  0x000093c7 in shell ()
#10 0x000098f8 in main ()
(gdb) x/i $eip
0xf2bcf <_Z16js_DeflateStringP9JSContextPKtm+591>:      movzwl (%ecx,%edx,2),%eax
(gdb) x/b $ecx
0x233860 <js_FunctionClass>:    0x56
(gdb) x/b $edx
0x24bd0 <_ZNK9JSContext12generatorForEP12JSStackFrame+80>:      0x8b
(gdb) x/b $eax
0x0:    Cannot access memory at address 0x0
eval("\
  (function(){\
    for(var w in [0]) {\
     function w(){}\
     print(w)\
    }\
  })\
")()

crashes both debug and opt shells on Ubuntu 10.04 at js_DeflateString.


Program received signal SIGSEGV, Segmentation fault.
0x0816e56b in js_DeflateString (cx=0x8397bc8, chars=0x8336400, nchars=8624839) at ../jsstr.cpp:3704
3704	../jsstr.cpp: No such file or directory.
	in ../jsstr.cpp
(gdb) bt
#0  0x0816e56b in js_DeflateString (cx=0x8397bc8, chars=0x8336400, nchars=8624839) at ../jsstr.cpp:3704
#1  0x08071e1f in JS_EncodeString (cx=0x8397bc8, str=0xf7502540) at ../jsapi.cpp:5241
#2  0x0804d805 in Print (cx=0x8397bc8, argc=1, vp=0xf77ac178) at ../../shell/js.cpp:1090
#3  0x08262936 in js::mjit::stubs::SlowCall (f=..., argc=1) at ../methodjit/InvokeHelpers.cpp:394
#4  0xf76a46f9 in ?? ()
#5  0x0821aaa4 in EnterMethodJIT (cx=0x8397bc8, fp=0xf77ac0a8, code=0xf76a405c, safePoint=0x0) at ../methodjit/MethodJIT.cpp:757
#6  0x0821ac0a in js::mjit::JaegerShot (cx=0x8397bc8) at ../methodjit/MethodJIT.cpp:785
#7  0x080dddff in js::RunScript (cx=0x8397bc8, script=0x839d2f8, fun=0x0, scopeChain=0xf7502000) at ../jsinterp.cpp:465
#8  0x080ded75 in js::Execute (cx=0x8397bc8, chain=0xf7502000, script=0x839d2f8, down=0x0, flags=0, result=0xffffd200) at ../jsinterp.cpp:945
#9  0x08070f46 in JS_ExecuteScript (cx=0x8397bc8, obj=0xf7502000, script=0x839d2f8, rval=0xffffd200) at ../jsapi.cpp:4762
#10 0x0804c42b in Process (cx=0x8397bc8, obj=0xf7502000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:535
#11 0x0804cfbd in ProcessArgs (cx=0x8397bc8, obj=0xf7502000, argv=0xffffd408, argc=1) at ../../shell/js.cpp:862
#12 0x08055c2d in shell (cx=0x8397bc8, argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5151
#13 0x08055d49 in main (argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5247
(gdb) x/i $eip
=> 0x816e56b <_Z16js_DeflateStringP9JSContextPKtj+316>:	movzwl (%eax),%eax
(gdb) x/b $eax
0x83bc000:	Cannot access memory at address 0x83bc000
This is related to, but not a duplicate of, bug 584603. The compiler doesn't know the DEFFUN aliases a local slot, and thus the variable is not tracked properly.
This will be security sensitive by the time JM lands, so we should fix. Three possibilities, I'm leaning toward #2 or #3 as a fast fallback.

1) Parser: Fix both bugs at once, by introducing the planned new binding for function statements.
2) Compiler: Spot-fix by peeking at the name in DEFFUN, and checking for intervening names on the scope chain.
3) Parser: Rewrite the DEFFUN to LAMBDA+SETLOCAL if we detect that it aliases a local variable in the parser.
Attached patch fix (obsolete) — Splinter Review 
This needs a quick fix, so I'm taking approach #2
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #472671 - Flags: review?(dmandelin)
Attached patch fixSplinter Review
Attachment #472671 - Attachment is obsolete: true
Attachment #472677 - Flags: review?(dmandelin)
Attachment #472671 - Flags: review?(dmandelin)
Attachment #472677 - Flags: review?(dmandelin) → review+
Hrm, it's hard to tell from that, but it might.
Depends on: 595336
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_DeflateString]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug590083.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.