Closed
Bug 646411
Opened 13 years ago
Closed 13 years ago
TI: Crash [@ JSString::length]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, testcase)
Crash Data
The following code crashes on TI tip (run with -n -m -a), tested on 64 bit:
__proto__ = Function();
eval("\
var MS = 16;\
addNewTestCase(new Date(1899,11,31,16,0,0), \"new Date(1899,11,31,16,0,0)\", typeof UTC_DAY == 'undefined');\
function addNewTestCase( DateCase, DateString, ResultArray ) {\
ResultArray[MS];\
}\
");
Backtrace (looks like near-null pointer deref):
0x0000000000412c64 in JSString::length (this=0x1) at ./jsstr.h:244
244 return d.lengthAndFlags >> LENGTH_SHIFT;
(gdb) bt
#0 0x0000000000412c64 in JSString::length (this=0x1) at ./jsstr.h:244
#1 0x000000000077a2e7 in js::mjit::stubs::GetElem (f=@0x7fff19787e60) at ./methodjit/StubCalls.cpp:444
#2 0x00007f0c292a555d in ?? ()
#3 0x00007f0c292a4ac0 in ?? ()
#4 0x0000000001252b10 in ?? ()
#5 0x00007fff197883b0 in ?? ()
#6 0x0000000000000000 in ?? ()
|
||
Comment 1•13 years ago
|
||
We got confused by the opcode fusion in Compiler::jsop_typeof, and gave the value pushed by the following '==' a type set containing only strings, so that when we propagated types to addNewTestCase in the call IC it thought the argument was a string, and passed a torn value to GetElem. This fix does not specify type sets for values pushed by fused opcodes. http://hg.mozilla.org/projects/jaegermonkey/rev/df80ae4a8776
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Crash Signature: [@ JSString::length]
|
Reporter | |
Comment 2•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug646411.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•