Closed Bug 643113 Opened 9 years ago Closed 9 years ago

TI: Crash (Null Pointer) @ JSString::isAtomized()

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
Not set


RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase, Whiteboard: fixed-in-jaegermonkey)

The following test case (run with -n -a -m) crashes on JM tip (tested on 64 bit):

function printBugNumber (num)
{
  print ('BUGNUMBER: ' + num);
}
test();
function test()
{
  printBugNumber(typeof BUGNUMBER == 'undefined');
  1|| q + 48? new q(   printBugNumber,
                eval("var EXP_1 = new MyValuelessObject('string'); var EXP_2 = new MyValuelessObject(false); EXP_1 + EXP_2") ): 1;
}


==17386== Invalid read of size 8
==17386==    at 0x43962A: JSString::isAtomized() const (jsstr.h:212)
==17386==    by 0x5AA438: js_ConcatStrings(JSContext*, JSString*, JSString*) (jsstr.cpp:251)
==17386==    by 0x76E8A0: js::mjit::stubs::Add(js::VMFrame&) (StubCalls.cpp:1151)
==17386==    by 0x41ADDD2: ???
==17386==    by 0x68E0DB: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:744)
==17386==    by 0x68E204: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:773)
==17386==    by 0x68E37B: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:797)
==17386==    by 0x4F77F2: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:652)
==17386==    by 0x4F8F5F: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (jsinterp.cpp:1062)
==17386==    by 0x4342F6: JS_ExecuteScript (jsapi.cpp:5237)
==17386==    by 0x40592D: Process(JSContext*, JSObject*, char*, int, int) (js.cpp:453)
==17386==    by 0x4068A3: ProcessArgs(JSContext*, JSObject*, char**, int) (js.cpp:953)
==17386==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==17386== 
==17386== 
==17386== Process terminating with default action of signal 11 (SIGSEGV)
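As an added triage example (not part of the bug report or of SpiderMonkey), the Python script below parses the memcheck output quoted above, pulls out the process id, the access kind and size, the stack frames, the faulting address and the terminating signal, and then buckets the fault address: 0x1 is a tiny offset from NULL, which is the signature of a missing null check (here the JSString pointer handed to js_ConcatStrings) rather than a wild or dangling pointer. The report text is embedded as constructed sample input copied from this page (frames below the JIT entry point are omitted); the frame, location and classification helpers, and the 4096-byte "near-null" threshold, are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Memcheck output copied from the bug report above, used here as sample input
# (constructed for this example; frames below EnterMethodJIT are omitted).
SAMPLE_REPORT = """\
==17386== Invalid read of size 8
==17386==    at 0x43962A: JSString::isAtomized() const (jsstr.h:212)
==17386==    by 0x5AA438: js_ConcatStrings(JSContext*, JSString*, JSString*) (jsstr.cpp:251)
==17386==    by 0x76E8A0: js::mjit::stubs::Add(js::VMFrame&) (StubCalls.cpp:1151)
==17386==    by 0x41ADDD2: ???
==17386==    by 0x68E0DB: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:744)
==17386==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==17386==
==17386== Process terminating with default action of signal 11 (SIGSEGV)
"""

# Memcheck prefixes every line with "==<pid>==".
_HEADER = re.compile(r"^==(\d+)== (Invalid (?:read|write)) of size (\d+)$")
_FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x([0-9A-Fa-f]+): (.*)$")
# "function (file:line)" -- the location suffix is absent for unsymbolized frames.
_LOCATION = re.compile(r"^(.*) \(([^():]+):(\d+)\)$")
_ADDRESS = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (.*)$")
_SIGNAL = re.compile(r"^==\d+== Process terminating with default action of signal \d+ \((\w+)\)$")


@dataclass
class Frame:
    pc: int
    function: str
    file: Optional[str]   # None for frames such as "???" (JIT-emitted code has no symbols)
    line: Optional[int]


@dataclass
class CrashReport:
    pid: int
    kind: str             # "Invalid read" or "Invalid write"
    size: int             # access width in bytes
    frames: List[Frame]
    fault_address: Optional[int]
    address_note: Optional[str]
    signal: Optional[str]


def _parse_frame(pc: int, text: str) -> Frame:
    m = _LOCATION.match(text)
    if m:
        return Frame(pc, m.group(1), m.group(2), int(m.group(3)))
    return Frame(pc, text, None, None)


def parse_valgrind_report(text: str) -> CrashReport:
    """Parse one memcheck 'Invalid read/write' block into a CrashReport."""
    pid = kind = size = None
    frames: List[Frame] = []
    fault_address = address_note = signal = None
    for line in text.splitlines():
        if (m := _HEADER.match(line)):
            pid, kind, size = int(m.group(1)), m.group(2), int(m.group(3))
        elif (m := _FRAME.match(line)):
            frames.append(_parse_frame(int(m.group(1), 16), m.group(2)))
        elif (m := _ADDRESS.match(line)):
            fault_address, address_note = int(m.group(1), 16), m.group(2)
        elif (m := _SIGNAL.match(line)):
            signal = m.group(1)
    if pid is None:
        raise ValueError("no memcheck 'Invalid read/write' header found")
    return CrashReport(pid, kind, size, frames, fault_address, address_note, signal)


def classify_fault_address(addr: int, page_size: int = 4096) -> str:
    """Triage bucket (assumed heuristic): a fault inside the first page is a
    NULL-derived access, i.e. a pointer that should have been null-checked;
    anything larger is a wild or dangling pointer and needs deeper analysis."""
    return "near-null" if addr < page_size else "wild-pointer"


def first_source_frame(report: CrashReport) -> Optional[Frame]:
    """First frame that has file:line information (skips unsymbolized JIT frames)."""
    return next((f for f in report.frames if f.file is not None), None)


def triage_summary(report: CrashReport) -> str:
    frame = first_source_frame(report)
    where = f"{frame.function} ({frame.file}:{frame.line})" if frame else "<no symbols>"
    if report.fault_address is None:
        return f"{report.kind} of {report.size} bytes in {where}; fault address unknown"
    bucket = classify_fault_address(report.fault_address)
    return (f"{report.kind} of {report.size} bytes in {where}; "
            f"fault address 0x{report.fault_address:x} ({bucket}); signal {report.signal}")


if __name__ == "__main__":
    print(triage_summary(parse_valgrind_report(SAMPLE_REPORT)))
```

The unsymbolized frame at 0x41ADDD2 sits between the JIT stub and EnterMethodJIT, which is what JIT-compiled script code looks like in a native backtrace; skipping over it to js_ConcatStrings is what makes the "null JSString passed to a concat" reading of the crash immediate when this is run over a batch of fuzzer reports.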
Duplicate of this bug: 643281
This assertion is gone but another one showed up.  If we failed to generate a stub for a JSOP_NAME, we sometimes crashed trying to use the result of the lookup to capture the possible behaviors of that access.

http://hg.mozilla.org/projects/jaegermonkey/rev/38bc7af66c0b
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
Depends on: 663690
Blocks: 676763
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug643113.js.
Flags: in-testsuite+