Last Comment Bug 651209 - TI: Crash [@ JSString::isAtom]
: TI: Crash [@ JSString::isAtom]
Status: RESOLVED FIXED
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Linux
: -- critical (vote)
: ---
Assigned To: general
:
Mentors:
Depends on: 653980
Blocks: infer-regress langfuzz
  Show dependency treegraph
 
Reported: 2011-04-19 12:40 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:42 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Christian Holler (:decoder) 2011-04-19 12:40:51 PDT
The following testcase crashes on TI revision d78eef12a329 (run with -m -n -a),
tested on 32 bit:

var i = 0;
test();
function test() {
  var jstop  = 1000;
  var code = '';
  code+=createCode(i);
  eval();
}
function createCode(i) {
  jstop+= +  +  + i + " string.';";
}


==32738== Invalid read of size 4
==32738==    at 0x8080C55: JSString::isAtom() const (jsstr.h:345)
==32738==    by 0x81EB156: js_ConcatStrings(JSContext*, JSString*, JSString*) (jsstr.cpp:337)
==32738==    by 0x83BF1DE: js::mjit::stubs::Add(js::VMFrame&) (StubCalls.cpp:1180)
==32738==    by 0x57A9970: ???
==32738==    by 0x82C87FE: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:689)
==32738==    by 0x82C8923: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:718)
==32738==    by 0x82C89F8: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:735)
==32738==    by 0x8137733: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:678)
==32738==    by 0x8138B72: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (jsinterp.cpp:1071)
==32738==    by 0x807BB51: JS_ExecuteScript (jsapi.cpp:5226)
==32738==    by 0x804C87F: Process(JSContext*, JSObject*, char*, int, int) (js.cpp:451)
==32738==    by 0x804D93C: ProcessArgs(JSContext*, JSObject*, char**, int) (js.cpp:966)
==32738==  Address 0x3e8 is not stack'd, malloc'd or (recently) free'd
==32738== 
==32738== 
==32738== Process terminating with default action of signal 11 (SIGSEGV)
Comment 1 Brian Hackett (:bhackett) 2011-04-20 07:20:59 PDT
We only want to inline scripted calls when the caller and callee have the same scope chains.  We already ruled out cases where the function objects themselves have different parents, but not where the caller is a heavyweight function and gets a call object created when it is called.  This disallows inlining from heavyweight functions and eval scripts (which can also get their own call objects).

Not sure this fix is complete, though.  Are there situations in which we will put call objects or block objects on the scope chains of non-heavyweight frames?

http://hg.mozilla.org/projects/jaegermonkey/rev/e2ac5bec56fb
Comment 2 Christian Holler (:decoder) 2013-01-14 08:42:34 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/inline/bug651209.js.

Note You need to log in before you can comment on or make changes to this bug.