As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact
Last Comment Bug 650663 - TI: Crash [@ JSString::isLinear]
: TI: Crash [@ JSString::isLinear]
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Linux
: -- critical (vote)
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: infer-regress langfuzz
  Show dependency treegraph
Reported: 2011-04-17 13:30 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 07:39 PST (History)
6 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description User image Christian Holler (:decoder) 2011-04-17 13:30:42 PDT
The following testcase crashes on TI revision ac0989a03bf1 (run with options -m
-a -n), tested on 32 bit:

var cnBadSyntax = '1=2';
var obj = new testObject;;
function testObject() {
        this.badSyntax = cnBadSyntax;
function f() {
    try {
    } catch (e) {}
function g() {;

==26888== Invalid read of size 4
==26888==    at 0x805AA0C: JSString::isLinear() const (jsstr.h:288)
==26888==    by 0x8080D84: JSString::ensureLinear(JSContext*) (jsstr.h:693)
==26888==    by 0x8154B53: js::EvalKernel(JSContext*, unsigned int, js::Value*, js::EvalType, JSStackFrame*, JSObject*) (jsobj.cpp:1208)
==26888==    by 0x8139F54: js::DirectEval(JSContext*, unsigned int, js::Value*) (jsinterp.cpp:1432)
==26888==    by 0x8362491: js::mjit::stubs::Eval(js::VMFrame&, unsigned int) (InvokeHelpers.cpp:499)
==26888==    by 0x57AA4BA: ???
==26888==    by 0x82C85B2: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:689)
==26888==    by 0x82C86D7: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:718)
==26888==    by 0x82C87AC: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:735)
==26888==    by 0x8137733: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:678)
==26888==    by 0x8137C69: js::Invoke(JSContext*, js::CallArgs const&, unsigned int) (jsinterp.cpp:768)
==26888==    by 0x80F9D4C: js_fun_call(JSContext*, unsigned int, js::Value*) (jsfun.cpp:2208)
==26888==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==26888== Process terminating with default action of signal 11 (SIGSEGV)
Comment 1 User image Brian Hackett (:bhackett) 2011-04-19 07:03:34 PDT
Fused opcode bug.  For JSOP_GETTHISPROP, the Compiler tags the possible types of the intermediate value pushed by the 'THIS' portion so we can optimize the GETPROP, but did so incorrectly --- it just used the script's possible 'this' types and did not include the type constraint which transforms primitive 'this' into objects.  This fix just duplicates in the compiler what type inference does for this opcode.  The real fix is to get rid of GETTHISPROP and related fused opcodes (bug 647626).
Comment 2 User image Bob Clary [:bc:] 2011-04-19 21:32:20 PDT
I saw this (unreproducible) crash on the trunk in the test case <> for bug 390090:

Operating system: Windows NT
                  5.1.2600 Service Pack 3
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash address: 0x0

Thread 0 (crashed)
 0  mozjs.dll!JSString::isLinear() [jsstr.h : 288 + 0x3]
    eip = 0x0068fb8a   esp = 0x0012a8c8   ebp = 0x0012a8cc   ebx = 0x02da0030
    esi = 0x00000020   edi = 0x02da0060   eax = 0x00000000   ecx = 0x00000000
    edx = 0x00000000   efl = 0x00010246
    Found by: given as instruction pointer in context


Operating system: Linux
                  0.0.0 Linux #1 SMP Thu Mar 31 21:54:35 UTC 2011 i686
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  SIGSEGV
Crash address: 0x3ae041d0

Thread 0 (crashed)
 0  0x3ae041d0
    eip = 0x3ae041d0   esp = 0xbfcf69c0   ebp = 0x00615600   ebx = 0x03160874
    esi = 0x5d2244fc   edi = 0x0231aa44   eax = 0x00000000   ecx = 0x00000003
    edx = 0x00022511   efl = 0x00010286
    Found by: given as instruction pointer in context
 1!exprAnalyze [sqlite3.c : 96854 + 0x6]
    eip = 0x001f0000   esp = 0xbfcf69cc   ebp = 0x00615600
    Found by: stack scanning

I haven't been able to reproduce but the original machines were very low memory (1G). The JSString::isLinear crash did involve js_ReportUncaughtException, but the exprAnalyze involved PR_GetThreadPrivate and AssertActivityIsLegal.

Are these related, or ignorable due to low memory conditions or ?
Comment 3 User image Christian Holler (:decoder) 2013-01-14 07:39:38 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug650663.js.

Note You need to log in before you can comment on or make changes to this bug.