Bug 649261 - TI: Crash [@JSString::isAtom] // Null pointer dereference
Status: RESOLVED FIXED
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Severity: critical
Assigned To: general
Duplicates: 649263 649273 649278 649339
Blocks: infer-regress langfuzz
Reported: 2011-04-12 01:44 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:33 PST
Flags: choller: in-testsuite+

Description Christian Holler (:decoder) 2011-04-12 01:44:00 PDT
The following testcase crashes on TI revision 23a746dac370 (run with -m -n -a),
tested on 64 bit:

var DESCRIPTION;
eval("DESCRIPTION += \"Non-character escapes in identifiers negative test.\";");


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fafc9376720 (LWP 6401)]
0x000000000043ad42 in JSString::isAtom (this=0x0) at ./jsstr.h:345
345             bool atomized = (d.lengthAndFlags & ATOM_MASK) == ATOM_FLAGS;
(gdb) bt
#0  0x000000000043ad42 in JSString::isAtom (this=0x0) at ./jsstr.h:345
#1  0x00000000005b6046 in js_ConcatStrings (cx=0x1409db0, left=0x0, right=0x7fafc7d10400) at jsstr.cpp:337
#2  0x0000000000796ccd in js::mjit::stubs::Add (f=@0x7fff6fb0df30) at ./methodjit/StubCalls.cpp:1181
#3  0x00007fafc91d72ab in ?? ()
#4  0x00007fafc91d7210 in ?? ()
#5  0x0000000001470f80 in ?? ()
#6  0x00007fff6fb0e470 in ?? ()
#7  0x0000000000000000 in ?? ()
Comment 1 Brian Hackett (:bhackett) 2011-04-12 08:12:42 PDT
*** Bug 649263 has been marked as a duplicate of this bug. ***
Comment 2 Brian Hackett (:bhackett) 2011-04-12 08:15:07 PDT
*** Bug 649273 has been marked as a duplicate of this bug. ***
Comment 3 Brian Hackett (:bhackett) 2011-04-12 08:15:35 PDT
*** Bug 649278 has been marked as a duplicate of this bug. ***
Comment 4 Brian Hackett (:bhackett) 2011-04-12 08:30:20 PDT
*** Bug 649339 has been marked as a duplicate of this bug. ***
Comment 5 Brian Hackett (:bhackett) 2011-04-12 08:39:12 PDT
For GETGNAME/CALLGNAME ops, we didn't record dependencies on the pushed type correctly, so that if it became undefined due to reading a hole we didn't trigger recompilation (JM only looked at the type of the global property itself, which doesn't account for reading holes in the global).

http://hg.mozilla.org/projects/jaegermonkey/rev/a4131835b866
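The mechanism in comment 5, as an added toy model in C. This is not SpiderMonkey or JaegerMonkey code; every name in it (TypeSet, Global, CompiledAdd, get_gname, run_testcase) is invented for illustration, and the initial type-set contents are a modelling assumption stated in the comments. It shows why a JIT specialised on a global property's recorded types must also treat the type a GETGNAME actually pushes as a dependency: without that, a hole read that yields undefined never invalidates the string-specialised add, and the undefined operand's null pointer payload reaches the string concatenation, which is the js_ConcatStrings(left=0x0) frame in the backtrace above.

```c
/* Added example, not SpiderMonkey code. Toy model of bug 649261: compiled code
 * for `g += "..."` is specialised on the types TI recorded for global property g.
 * A GETGNAME that reads a hole pushes undefined; if that pushed type is not a
 * recorded dependency, the specialised add runs on an operand whose pointer
 * payload is NULL (the js_ConcatStrings(left=0x0) crash). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { TYPE_UNDEFINED = 1u << 0, TYPE_STRING = 1u << 1 };
typedef unsigned TypeSet;

typedef struct { const char *chars; } Str;        /* stand-in for JSString */
typedef struct { TypeSet type; Str *str; } Value;  /* undefined carries str == NULL */

typedef struct {
    TypeSet propertyTypes;  /* types TI recorded for writes to the global property */
    TypeSet pushedTypes;    /* types actually pushed by GETGNAME (the missing dependency) */
    Value slot;             /* the global's storage; str == NULL models a hole */
    Str storage;            /* backing Str once the global holds a string */
} Global;

typedef struct {
    TypeSet specialisedOn;  /* operand types the compiled add was generated for */
    int recompiles;
} CompiledAdd;

/* Model of js_ConcatStrings. The real function dereferences `left` without a
 * check (JSString::isAtom with this == 0x0); the NULL test here stands in for
 * that crash so the model reports it instead of faulting. */
static char *concat_strings(const Str *left, const Str *right, int *crashed) {
    if (left == NULL || right == NULL) { *crashed = 1; return NULL; }
    size_t ln = strlen(left->chars), rn = strlen(right->chars);
    char *out = malloc(ln + rn + 1);
    if (out == NULL) { *crashed = 1; return NULL; }
    memcpy(out, left->chars, ln);
    memcpy(out + ln, right->chars, rn + 1);
    return out;
}

/* Generic (unspecialised) add: coerces undefined to "undefined" as JS does. */
static char *generic_add(const Value *left, const Str *right, int *crashed) {
    Str undef = { "undefined" };
    return concat_strings(left->str ? left->str : &undef, right, crashed);
}

/* GETGNAME. With `track_pushed` the read records the type it pushed (the fix);
 * without it only propertyTypes is ever consulted (the bug). */
static Value get_gname(Global *g, int track_pushed) {
    Value v = g->slot;
    if (v.str == NULL) v.type = TYPE_UNDEFINED;   /* reading a hole yields undefined */
    if (track_pushed) g->pushedTypes |= v.type;
    return v;
}

/* Execute `g += rhs` through compiled code. Returns the new string, or NULL with
 * *crashed set when the model reaches the null dereference. */
static char *run_add_assign(Global *g, CompiledAdd *code, const char *rhs,
                            int fixed, int *crashed) {
    Str right = { rhs };
    *crashed = 0;
    Value left = get_gname(g, fixed);
    /* Invalidate when a type outside the specialisation has been observed.
     * Bug: only propertyTypes is a dependency. Fix: pushedTypes is one too. */
    TypeSet observed = fixed ? (g->propertyTypes | g->pushedTypes) : g->propertyTypes;
    if (observed & ~code->specialisedOn) {
        code->specialisedOn = observed;
        code->recompiles++;
    }
    char *result = (code->specialisedOn == TYPE_STRING)
        ? concat_strings(left.str, &right, crashed)   /* fast path: string + string */
        : generic_add(&left, &right, crashed);
    if (result != NULL) {   /* store back and record the write's type */
        g->storage.chars = result;
        g->slot.str = &g->storage;
        g->slot.type = TYPE_STRING;
        g->propertyTypes |= TYPE_STRING;
    }
    return result;
}

/* Shape of the bug 649261 testcase: `var DESCRIPTION;` leaves a hole, and the
 * eval'd `DESCRIPTION += "..."` is compiled with TI holding TYPE_STRING for the
 * property (modelling assumption: the only recorded write is the string the +=
 * itself stores). Caller frees the returned string. */
static char *run_testcase(int fixed, int *crashed, int *recompiles) {
    Global g = { TYPE_STRING, 0, { TYPE_UNDEFINED, NULL }, { NULL } };
    CompiledAdd code = { TYPE_STRING, 0 };
    char *r = run_add_assign(&g, &code,
        "Non-character escapes in identifiers negative test.", fixed, crashed);
    *recompiles = code.recompiles;
    return r;
}

int main(void) {
    int crashed, recompiles;
    char *r = run_testcase(0, &crashed, &recompiles);
    printf("bug:   crashed=%d recompiles=%d result=%s\n", crashed, recompiles, r ? r : "(null)");
    free(r);
    r = run_testcase(1, &crashed, &recompiles);
    printf("fixed: crashed=%d recompiles=%d result=%s\n", crashed, recompiles, r ? r : "(null)");
    free(r);
    return 0;
}
```

Run with `fixed = 0` the model reaches concat_strings with a NULL left operand and no recompilation; with `fixed = 1` the hole read grows the dependency set, the specialised code is invalidated once, and the generic add produces the JS result of `undefined + "..."`.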
Comment 6 Christian Holler (:decoder) 2013-01-14 08:33:46 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug649261.js.
