642161 - JM: Crash (Null Pointer) [@ JSString::isAtomized()]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test case (run with -n -a -m) crashes on JM tip (tested on 64
bit):

assertEq(JSON.stringify(0 | "prefix" || Boolean), false);

==16194== Process terminating with default action of signal 11 (SIGSEGV)
==16194==  Access not within mapped region at address 0x0
==16194==    at 0x4395C0: JSString::isAtomized() const (jsstr.h:212)
==16194==    by 0x43C3DA: js::CompartmentChecker::check(JSString*) (jscntxtinlines.h:558)
==16194==    by 0x43C487: js::CompartmentChecker::check(js::Value const&) (jscntxtinlines.h:566)
==16194==    by 0x4FC0E5: js::CompartmentChecker::check(ValueArray const&) (jscntxtinlines.h:575)
==16194==    by 0x4FCE91: void js::assertSameCompartment<ValueArray>(JSContext*, ValueArray) (jscntxtinlines.h:626)
==16194==    by 0x4FC15B: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, js::Value*), unsigned int, js::Value*) (jscntxtinlines.h:685)
==16194==    by 0x6F4F34: CallCompiler::generateNativeStub() (MonoIC.cpp:809)
==16194==    by 0x6EFBD0: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1047)
==16194==    by 0x41AD703: ???
==16194==    by 0x68D4EB: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:744)
==16194==    by 0x68D614: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:773)
==16194==    by 0x68D78B: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:797)

Comment 1

[Brian Hackett [Laid off!]]

Mark unexpected 'undefined' return value for JSON.stringify

http://hg.mozilla.org/projects/jaegermonkey/rev/322235a26fd1

Comment 2

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug642161.js.