Closed
Bug 600128
Opened 14 years ago
Closed 14 years ago
TM: Crash [@ js_DeflateString]
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla2.0b7
Tracking | Status
---|---|---
blocking2.0 | --- | beta8+
status1.9.2 | --- | unaffected
status1.9.1 | --- | unaffected
People
(Reporter: gkw, Assigned: Waldo)
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?][ccbr] fixed-in-tracemonkey)
Attachments (1 file): patch, 2.18 KB, jimb: review+
Description•14 years ago (Reporter)

__defineSetter__("x", Object.freeze)
x = this;
for (let z = 0; z < 5; z++) {
  for each(let y in [0, 0, 0]) {
    print(u = "")
  }
}

crashes js debug and opt shell on TM changeset 54700fad8cf9 with -j at js_DeflateString s-s because it seems to be accessing weird memory addresses.

dbg gdb info:

(gdb) bt
#0  0x081857d0 in js_DeflateString (cx=0x83e0be8, chars=0x838e440, nchars=8652393) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jsstr.cpp:3920
#1  0x08072d12 in JS_EncodeString (cx=0x83e0be8, str=0xf7502038) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jsapi.cpp:5203
#2  0x0804db10 in Print (cx=0x83e0be8, argc=1, vp=0xffffc450) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/shell/js.cpp:1110
#3  0xf76a2f64 in ?? ()
#4  0x081d553b in ExecuteTrace (cx=0x83e0be8, f=0x83dfdc4, state=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jstracer.cpp:6566
#5  0x081d5abb in ExecuteTree (cx=0x83e0be8, f=0x83dfdc4, inlineCallCount=@0xffffd0e8, innermostNestedGuardp=0xffffc5b8, lrp=0xffffc5bc) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jstracer.cpp:6667
#6  0x081d6e64 in js::MonitorLoopEdge (cx=0x83e0be8, inlineCallCount=@0xffffd0e8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jstracer.cpp:7171
#7  0x082ac2ec in js::Interpret (cx=0x83e0be8, entryFrame=0xf77ac088, inlineCallCount=0, interpFlags=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jsinterp.cpp:2770
#8  0x080ec41b in js::RunScript (cx=0x83e0be8, script=0x8408bc8, fun=0x0, scopeChain=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jsinterp.cpp:485
#9  0x080ed275 in js::Execute (cx=0x83e0be8, chain=0xf7502038, script=0x8408bc8, prev=0x0, flags=0, result=0xffffd200) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jsinterp.cpp:750
#10 0x08071dac in JS_ExecuteScript (cx=0x83e0be8, obj=0xf7502038, script=0x8408bc8, rval=0xffffd200) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jsapi.cpp:4725
#11 0x0804c690 in Process (cx=0x83e0be8, obj=0xf7502038, filename=0x0, forceTTY=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/shell/js.cpp:536
#12 0x0804d231 in ProcessArgs (cx=0x83e0be8, obj=0xf7502038, argv=0xffffd408, argc=1) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/shell/js.cpp:867
#13 0x080561f1 in shell (cx=0x83e0be8, argc=1, argv=0xffffd408, envp=0xffffd410) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/shell/js.cpp:5250
#14 0x0805630d in main (argc=1, argv=0xffffd408, envp=0xffffd410) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/shell/js.cpp:5346

opt gdb info:

(gdb) bt
#0  0x08148630 in js_DeflateString(JSContext*, unsigned short const*, unsigned int) ()
#1  0xffffcb38 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x/i $eip
Updated•14 years ago (Reporter)
blocking2.0: --- → ?
Comment 1•14 years ago (Reporter)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   54277:1a49e9c79d5a
user:        Jim Blandy
date:        Tue Sep 21 11:35:29 2010 -0700
summary:     Bug 492844: Implement Object.freeze, Object.isFrozen r=brendan,jorendorff
Blocks: 492844
Updated•14 years ago
Whiteboard: [sg:critical?][ccbr]
Updated•14 years ago
Assignee: general → jim
Updated•14 years ago
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Updated•14 years ago (Assignee)
Assignee: jim → jwalden+bmo
Status: NEW → ASSIGNED
OS: Linux → All
Hardware: x86 → All
Comment 2•14 years ago (Assignee)

Minimized:

(gdb) r
Starting program: /home/jwalden/moz/shell-js/js/src/dbg/js -j
[Thread debugging using libthread_db enabled]
js> Object.freeze(this); for (let j = 0; j < 10; j++) print(u = "");

Program received signal SIGSEGV, Segmentation fault.
0x000000000054b775 in js_DeflateString (cx=0xa50fd0, chars=0x9ebec0, nchars=700043) at ../jsstr.cpp:3920
3920        bytes[i] = (char) chars[i];
(gdb) p i
$1 = 469152

The let is very very much necessary (var quickly causes a non-extensible exception). Using 9 doesn't crash for me, but I think that's mostly execution-environment vagaries.
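The engine-level contract that both testcases exercise, as an added example (my code, not from the bug or from SpiderMonkey): in ES5, assigning to a property that does not exist on a non-extensible object must not create it; sloppy-mode code sees a silent no-op and strict-mode code gets a TypeError. The description's backtrace shows that contract failing under -j: print() is handed a JSString whose length (nchars=8652393, 700043 in the minimized run) is garbage instead of the empty string the assignment evaluates to, and the str pointer in frame #1 (0xf7502038) is the same address as the global object obj in frames #10 to #12. The loop below mirrors the minimized testcase but targets a plain object and a frozen stand-in for the global rather than this, so it runs in any current engine; Reflect.set is ES2015 and was not in the 2010 shell, but it reports the same [[Set]] outcome that a sloppy-mode assignment swallows.

```javascript
// Added example, not code from the bug report or from SpiderMonkey. Shows the
// ECMAScript semantics for assigning to a missing property of a frozen
// (non-extensible) object, the pattern behind `print(u = "")` above.

// Mirror of the minimized loop, run against an arbitrary target instead of the
// frozen global. Reflect.set returns false rather than throwing when [[Set]] is
// rejected, which is the observable result of sloppy-mode `u = ""` on a frozen
// object: nothing is created and the loop keeps going.
function assignInLoop(target, iterations) {
  let accepted = true;
  for (let j = 0; j < iterations; j++) {
    accepted = Reflect.set(target, 'u', '');
  }
  return {
    accepted,                                                   // did the last [[Set]] succeed?
    present: Object.prototype.hasOwnProperty.call(target, 'u'), // was a slot ever created?
    value: target.u,                                            // undefined if it never was
  };
}

// The same assignment from strict-mode code: a rejected [[Set]] must surface as
// a TypeError, never as a silently created slot.
function strictAssign(target) {
  'use strict';
  try {
    target.u = '';
    return 'ok';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : e.constructor.name;
  }
}

// Constructed inputs: a plain object and a frozen stand-in for `this`.
function demo() {
  const extensible = {};
  const frozen = Object.freeze({ existing: 1 });
  return {
    extensible: assignInLoop(extensible, 10),        // accepted, slot present, value ''
    frozen: assignInLoop(frozen, 10),                // rejected, no slot, undefined
    strictOnFrozen: strictAssign(Object.freeze({})), // 'TypeError'
    extensibleIsExtensible: Object.isExtensible(extensible),
    frozenIsExtensible: Object.isExtensible(frozen),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with any current JavaScript engine (node example.js). The frozen case is the one the tracing JIT had to get right: the assignment must leave no property behind and the expression must still evaluate to the empty string, whereas the crash shows a string of bogus length reaching js_DeflateString.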
Comment 3•14 years ago (Assignee)

I feel like I've heard this song before.

Attachment #479237 - Flags: review?(jim)
Updated•14 years ago
blocking2.0: ? → beta8+
Updated•14 years ago
Attachment #479237 - Flags: review?(jimb) → review+
Comment 4•14 years ago (Assignee)

http://hg.mozilla.org/tracemonkey/rev/7fc2209ef579
Whiteboard: [sg:critical?][ccbr] → [sg:critical?][ccbr] fixed-in-tracemonkey
Target Milestone: --- → mozilla2.0b8
Comment 5•14 years ago

http://hg.mozilla.org/mozilla-central/rev/7fc2209ef579
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
Target Milestone: mozilla2.0b8 → mozilla2.0b7
Updated•14 years ago
Group: core-security
Updated•13 years ago
Crash Signature: [@ js_DeflateString]
Comment 10•12 years ago

JSBugMon: This bug has been automatically verified fixed.
Updated•12 years ago
Status: RESOLVED → VERIFIED
Comment 11•11 years ago

Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+