Closed Bug 643284 Opened 13 years ago Closed 13 years ago

TI: Crash [@ JSString::isRope] (Memory corruption?)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: fixed-in-jaegermonkey)

Crash Data

Attachments

(1 file)

shell testcase, unpack, chdir and run main.js with options "-n -m -a"
1.10 KB, application/x-compressed-tar
Details 
The attached test case (extract, chdir and run with "js -n -a -m main1.js")
produces the following crash on JM tip (tested on 64 bit):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f9c0a759720 (LWP 3838)]
0x0000000000412aec in JSString::isRope (this=0x0) at ./jsstr.h:217
217             return lengthAndFlags & ROPE_BIT;
(gdb) bt
#0  0x0000000000412aec in JSString::isRope (this=0x0) at ./jsstr.h:217
#1  0x0000000000412bac in JSString::nonRopeChars (this=0x0) at ./jsstr.h:335
#2  0x0000000000412bea in JSLinearString::chars (this=0x0) at ./jsstr.h:471
#3  0x00000000005b56ed in js::PutEscapedStringImpl (buffer=0xb0dcc4 "Function:prototype", bufferSize=99, fp=0x0, str=0x0, quote=0) at jsstr.cpp:6003
#4  0x0000000000439b9d in js::PutEscapedString (buffer=0xb0dcc4 "Function:prototype", size=100, str=0x0, quote=0) at jsstr.h:1054
#5  0x00000000004e0b8a in js::types::TypeIdStringImpl (id={asBits = 0}) at jsinfer.cpp:133
#6  0x0000000000405341 in TypeIdString (id={asBits = 0}) at ../jsinferinlines.h:127
#7  0x0000000000414d9c in js::types::TypeObject::name (this=0x1d08590) at ./jsinferinlines.h:1189
#8  0x00000000004e0d57 in js::types::TypeString (type=30442896) at jsinfer.cpp:186
#9  0x0000000000414b4e in js::types::TypeSet::addType (this=0x1d037f0, cx=0x1c8abe0, type=30442896) at ./jsinferinlines.h:1055
#10 0x00000000004e9872 in js::types::AnalyzeScriptTypes (cx=0x1c8abe0, script=0x1d033c0) at jsinfer.cpp:3668
#11 0x00000000004e3de6 in js::types::TypeCompartment::dynamicPush (this=0x1c8b470, cx=0x1c8abe0, script=0x1d033c0, offset=31, type=30332288) at jsinfer.cpp:1814
#12 0x0000000000457b18 in JSScript::typeMonitorResult (this=0x1d033c0, cx=0x1c8abe0, pc=0x1d03527 "9", type=30332288) at ./jsinferinlines.h:534
#13 0x00000000007059e6 in JSScript::typeMonitorResult (this=0x1d033c0, cx=0x1c8abe0, pc=0x1d03527 "9", rval=@0x7fff39098660) at ./jsinferinlines.h:542
#14 0x000000000076d535 in NameOp (f=@0x7fff390986e0, obj=0x7f9c09103048, markresult=true, callname=true) at ./methodjit/StubCalls.cpp:402
#15 0x000000000076ddec in js::mjit::stubs::CallName (f=@0x7fff390986e0) at ./methodjit/StubCalls.cpp:619
#16 0x00007f9c0a5be9a5 in ?? ()
#17 0x00007f9c0a5be310 in ?? ()
#18 0x0000000001d0cbc0 in ?? ()
#19 0x00007f9c09106700 in ?? ()
#20 0x00007fff390995a0 in ?? ()
#21 0x0000000000000000 in ?? ()


NOTE: The original testcase crashed on [js::PutEscapedStringImpl, while minimizing, other assertions popped up. I assume this is a memory corruption similar to 642159 or even the same again.
We weren't sweeping the types in the TypeResults storing dynamic type information on a script.  These types used to be all primitive/unknown so this wasn't a problem, but rev 9ee17aa5f938 from yesterday allowed TypeObjects to be stored here.

http://hg.mozilla.org/projects/jaegermonkey/rev/c0ed46c39d15
Whiteboard: fixed
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed → fixed-in-jaegermonkey
Crash Signature: [@ JSString::isRope]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: