Closed Bug 641229 Opened 9 years ago Closed 9 years ago

TI: Crash [@ js::types::TypeSet::addType] or "Assertion failure: index < js::analyze::GetDefCount(script, offset),"

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, crash, testcase, Whiteboard: fixed-in-jaegermonkey)

Crash Data

for(var i=0;;i++){__defineSetter__("x",Math.max)
Function("({x}=[])")()}

crashes js debug and opt shells on JM changeset bcf148dbce2f with -m -a -n -p -d at js::types::TypeSet::addType


Program received signal SIGSEGV, Segmentation fault.
0x08068175 in js::types::TypeSet::addType(JSContext*, int) ()
(gdb) bt
#0  0x08068175 in js::types::TypeSet::addType(JSContext*, int) ()
#1  0x080e1cfc in js::types::TypeCompartment::dynamicPush(JSContext*, JSScript*, unsigned int, int) ()
#2  0x080f5469 in js_math_max(JSContext*, unsigned int, js::Value*) ()
#3  0x080e6c6e in js::Invoke(JSContext*, js::CallArgs const&, unsigned int) ()
#4  0x080e7938 in js::ExternalInvoke(JSContext*, js::Value const&, js::Value const&, unsigned int, js::Value*, js::Value*) ()
#5  0x080e79f2 in js::ExternalGetOrSet(JSContext*, JSObject*, int, js::Value const&, JSAccessMode, unsigned int, js::Value*, js::Value*) ()
#6  0x080fdc24 in js_NativeSet(JSContext*, JSObject*, js::Shape const*, bool, bool, js::Value*) ()
#7  0x08108750 in js_SetProperty(JSContext*, JSObject*, int, js::Value*, int) ()
#8  0x082b0934 in js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) ()
#9  0x0828803f in js::mjit::stubs::UncachedCallHelper(js::VMFrame&, unsigned int, js::mjit::stubs::UncachedCallResult*) ()
#10 0x082880d9 in js::mjit::stubs::UncachedCall(js::VMFrame&, unsigned int) ()
#11 0xf7790287 in ?? ()
#12 0x08218a77 in js::mjit::JaegerShot(JSContext*) ()
#13 0x080e6965 in js::RunScript(JSContext*, JSScript*, JSStackFrame*) ()
#14 0x080e95af in js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) ()
#15 0x0805d94d in JS_ExecuteScript ()
#16 0x0804f9bb in Process(JSContext*, JSObject*, char*, int, int) ()
#17 0x08050a54 in Shell(JSContext*, int, char**, char**) ()
#18 0x08050c78 in main ()
Whoops, asserts at Assertion failure: index < js::analyze::GetDefCount(script, offset), on debug shells
Summary: TI: Crash [@ js::types::TypeSet::addType] → TI: Crash [@ js::types::TypeSet::addType] or "Assertion failure: index < js::analyze::GetDefCount(script, offset),"
Keywords: assertion
When a native produces an unexpected value, like Math.max getting a weird value and returning NaN, it tells that to the scripted caller.  The bug is we didn't have enough checks to ensure we were actually at a scripted callsite, as opposed to another op which calls e.g. a native stored on a getter/setter.

http://hg.mozilla.org/projects/jaegermonkey/rev/2ac6e8d55098
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
Crash Signature: [@ js::types::TypeSet::addType]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug641229.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.