Bug 643284
Opened 13 years ago
Closed 13 years ago
TI: Crash [@ JSString::isRope] (Memory corruption?)
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Reporter: decoder, Unassigned
Keywords: crash, testcase
Whiteboard: fixed-in-jaegermonkey
Attachments (1 file): 1.10 KB, application/x-compressed-tar
Description

The attached test case (extract, chdir and run with "js -n -a -m main1.js") produces the following crash on JM tip (tested on 64 bit):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f9c0a759720 (LWP 3838)]
0x0000000000412aec in JSString::isRope (this=0x0) at ./jsstr.h:217
217         return lengthAndFlags & ROPE_BIT;
(gdb) bt
#0  0x0000000000412aec in JSString::isRope (this=0x0) at ./jsstr.h:217
#1  0x0000000000412bac in JSString::nonRopeChars (this=0x0) at ./jsstr.h:335
#2  0x0000000000412bea in JSLinearString::chars (this=0x0) at ./jsstr.h:471
#3  0x00000000005b56ed in js::PutEscapedStringImpl (buffer=0xb0dcc4 "Function:prototype", bufferSize=99, fp=0x0, str=0x0, quote=0) at jsstr.cpp:6003
#4  0x0000000000439b9d in js::PutEscapedString (buffer=0xb0dcc4 "Function:prototype", size=100, str=0x0, quote=0) at jsstr.h:1054
#5  0x00000000004e0b8a in js::types::TypeIdStringImpl (id={asBits = 0}) at jsinfer.cpp:133
#6  0x0000000000405341 in TypeIdString (id={asBits = 0}) at ../jsinferinlines.h:127
#7  0x0000000000414d9c in js::types::TypeObject::name (this=0x1d08590) at ./jsinferinlines.h:1189
#8  0x00000000004e0d57 in js::types::TypeString (type=30442896) at jsinfer.cpp:186
#9  0x0000000000414b4e in js::types::TypeSet::addType (this=0x1d037f0, cx=0x1c8abe0, type=30442896) at ./jsinferinlines.h:1055
#10 0x00000000004e9872 in js::types::AnalyzeScriptTypes (cx=0x1c8abe0, script=0x1d033c0) at jsinfer.cpp:3668
#11 0x00000000004e3de6 in js::types::TypeCompartment::dynamicPush (this=0x1c8b470, cx=0x1c8abe0, script=0x1d033c0, offset=31, type=30332288) at jsinfer.cpp:1814
#12 0x0000000000457b18 in JSScript::typeMonitorResult (this=0x1d033c0, cx=0x1c8abe0, pc=0x1d03527 "9", type=30332288) at ./jsinferinlines.h:534
#13 0x00000000007059e6 in JSScript::typeMonitorResult (this=0x1d033c0, cx=0x1c8abe0, pc=0x1d03527 "9", rval=@0x7fff39098660) at ./jsinferinlines.h:542
#14 0x000000000076d535 in NameOp (f=@0x7fff390986e0, obj=0x7f9c09103048, markresult=true, callname=true) at ./methodjit/StubCalls.cpp:402
#15 0x000000000076ddec in js::mjit::stubs::CallName (f=@0x7fff390986e0) at ./methodjit/StubCalls.cpp:619
#16 0x00007f9c0a5be9a5 in ?? ()
#17 0x00007f9c0a5be310 in ?? ()
#18 0x0000000001d0cbc0 in ?? ()
#19 0x00007f9c09106700 in ?? ()
#20 0x00007fff390995a0 in ?? ()
#21 0x0000000000000000 in ?? ()

NOTE: The original testcase crashed on [@ js::PutEscapedStringImpl]; while minimizing, other assertions popped up. I assume this is a memory corruption similar to 642159 or even the same again.
Comment 1 • 13 years ago
We weren't sweeping the types in the TypeResults storing dynamic type information on a script. These types used to be all primitive/unknown so this wasn't a problem, but rev 9ee17aa5f938 from yesterday allowed TypeObjects to be stored here. http://hg.mozilla.org/projects/jaegermonkey/rev/c0ed46c39d15
Whiteboard: fixed
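The root cause in comment 1, a per-script side table that the collector never swept, reduced to a toy mark-and-sweep as an added example (not SpiderMonkey code): TypeObject, TypeResult, sweep and dangling_after_gc are hypothetical stand-ins, and the only difference between the buggy and fixed runs is whether sweep also drops TypeResults entries that refer to reclaimed cells.

```c
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for a TypeObject (hypothetical layout): a GC cell with a mark bit
 * and a flag recording whether the sweeper reclaimed it. */
typedef struct { bool marked; bool swept; const char *name; } TypeObject;
#define MAX_CELLS 8
static TypeObject pool[MAX_CELLS];          /* hypothetical heap of type cells */
static size_t pool_len;

/* Stand-in for a script's TypeResults: dynamic type observations that, after
 * the change in comment 1, may name a TypeObject, not only a primitive. */
typedef struct { TypeObject *type; } TypeResult;
static TypeResult results[MAX_CELLS];
static size_t results_len;

static TypeObject *alloc_type(const char *name) {
    TypeObject *t = &pool[pool_len++];
    t->marked = false; t->swept = false; t->name = name;
    return t;
}

/* Sweep phase: reclaim every unmarked cell and clear marks for the next cycle.
 * sweep_results=false reproduces the bug (TypeResults left untouched);
 * sweep_results=true is the fix (entries naming a swept cell are dropped). */
void sweep(bool sweep_results) {
    for (size_t i = 0; i < pool_len; i++) {
        if (!pool[i].marked) pool[i].swept = true;
        pool[i].marked = false;
    }
    if (!sweep_results) return;
    size_t kept = 0;
    for (size_t i = 0; i < results_len; i++)
        if (!results[i].type->swept) results[kept++] = results[i];
    results_len = kept;
}

/* One GC cycle in which only one of two recorded types stays reachable.
 * Returns how many TypeResults entries still point at a reclaimed cell; in
 * the engine such an entry is what TypeSet::addType later dereferences. */
size_t dangling_after_gc(bool fixed) {
    pool_len = results_len = 0;
    TypeObject *live = alloc_type("Function"), *dead = alloc_type("temp");
    results[results_len++].type = live;
    results[results_len++].type = dead;
    live->marked = true;                 /* mark phase: only `live` is reachable */
    sweep(fixed);
    size_t n = 0;
    for (size_t i = 0; i < results_len; i++) if (results[i].type->swept) n++;
    return n;
}
```

The buggy run leaves one entry pointing at a reclaimed cell, which is the state the backtrace above shows reaching TypeObject::name with garbage; the fixed run leaves none.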
Updated • 13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed → fixed-in-jaegermonkey
Updated • 13 years ago
Crash Signature: [@ JSString::isRope]