{
function x() {}
}
o = (0).__proto__;
function f(o) {
o._("", function() {})
}
f(o)
crashes js opt shell on JM changeset 8b03f0698742 with -m, -n and -a at js::mjit::Recompiler::patchNative.
This was found using a combination of jsfunfuzz and jandem's method fuzzer.
It's so common it virtually blows up the fuzzers.
Probably regressed around the recent TM->JM merge around this changeset.
|
(Reporter) | |
Comment 1•7 years ago
|
||
Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x00003895 0x002afa64 in js::mjit::Recompiler::patchNative () (gdb) bt #0 0x002afa64 in js::mjit::Recompiler::patchNative () #1 0x002afc0e in js::mjit::Recompiler::recompile () #2 0x002b094a in js::mjit::Recompiler::recompile () #3 0x00098247 in js::types::TypeCompartment::processPendingRecompiles () #4 0x000a5f1b in js::types::TypeCompartment::dynamicPush () #5 0x000c9fc4 in js_OnUnknownMethod () #6 0x002a19fd in js::mjit::ic::CallProp () #7 0x003b51a5 in ?? () #8 0x0021c16d in js::mjit::JaegerShot () #9 0x000b94ae in js::Interpret () #10 0x000cab2c in js::RunScript () #11 0x000cd963 in js::Execute () #12 0x0001ab5b in JS_ExecuteScript () #13 0x0000a30c in Process () #14 0x0000bfbb in Shell () #15 0x0000c5bc in main ()
|
||
Comment 2•7 years ago
|
||
There is a VMFrame field now used to indicate whether we are in a native call, which wasn't being initialized. So we try to recompile and think the VMFrame is in the middle of a native call when it isn't, and crash. http://hg.mozilla.org/projects/jaegermonkey/rev/719e89901c29
|
||
Updated•6 years ago
|
||
|
||
Comment 3•5 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug640608.js.
Description
•