Bug 653243 - TI: Crash [@ JSString::isLinear]
Status: RESOLVED FIXED
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Hardware: x86_64 Linux
Importance: -- critical
Assigned To: general
Blocks: infer-regress langfuzz
Reported: 2011-04-27 14:25 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:01 PST
Flags: choller: in-testsuite+

Description Christian Holler (:decoder) 2011-04-27 14:25:06 PDT
The following testcase crashes on TI revision 09cce9915b80 (run with -m -n -a),
tested on 64 bit:

try {
    obj[i] = "a";
} catch (e) {}
var obj = {
    p: 100
};
var name = "p";
var a = [];
for (var i = 0; i < 10; i++) {
    a[i] = obj[name]--;
}
(a.join(), '100,99,98,97,96,95,94,93,92,91');


Backtrace:

==11938== Invalid read of size 8
==11938==    at 0x413B0C: JSString::isLinear() const (jsstr.h:288)
==11938==    by 0x43A199: JSString::ensureLinear(JSContext*) (jsstr.h:693)
==11938==    by 0x45731B: js::StringBuffer::append(JSString*) (jsstrinlines.h:191)
==11938==    by 0x4573D3: js::ValueToStringBuffer(JSContext*, js::Value const&, js::StringBuffer&) (jsstrinlines.h:253)
==11938==    by 0x44C293: array_toString_sub(JSContext*, JSObject*, int, JSString*, js::Value*) (jsarray.cpp:1426)
==11938==    by 0x44CF2F: array_join(JSContext*, unsigned int, js::Value*) (jsarray.cpp:1634)
==11938==    by 0x4FC9B9: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, js::Value*), unsigned int, js::Value*) (jscntxtinlines.h:715)
==11938==    by 0x715238: CallCompiler::generateNativeStub() (MonoIC.cpp:830)
==11938==    by 0x70FC1F: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1093)
==11938==    by 0x41AFD9A: ???
==11938==    by 0x6942AD: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:691)
==11938==    by 0x6943EA: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:720)
==11938==  Address 0x64 is not stack'd, malloc'd or (recently) free'd
==11938==
==11938==
==11938== Process terminating with default action of signal 11 (SIGSEGV)
Comment 1 Christian Holler (:decoder) 2011-04-27 14:40:24 PDT
Pretty sure the same bug, but asserts: 

try {
    var i = 0;
    obj['-1'] = Array;
} catch (e) {}
var obj = {
    p: 100
};
var name = "p";
var a = [];
for (var i = 0; i < 10; i++) {
    a[i] = ++obj[name];
}
(a.join(), '101,102,103,104,105,106,107,108,109,110');


Assertion failure: (ptrBits & 0x7) == 0, at ../jsval.h:702
Comment 2 Brian Hackett (:bhackett) 2011-05-01 18:10:13 PDT
The stubs for INCELEM etc. opcodes did not match the interpreter, and needed to mark the pushed value as unknown whenever the accessed id is not an integer.

http://hg.mozilla.org/projects/jaegermonkey/rev/b081e391e533
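As an added example (not part of the bug report and not SpiderMonkey's own jit-test), the script below exercises the interpreter semantics that the INCELEM/DECELEM stubs from comment 2 have to reproduce: postfix and prefix increment/decrement through a computed property with a string name, with an integer index, with a numeric-looking key that is not an array index (the '-1' from comment 1), and on a property whose current value is a string. The helper name and the sample objects are constructed for this example; it runs in any JavaScript engine and returns the observed values so they can be compared against the expected sequences in the testcases.

```javascript
// Added example: records what ++/-- on a computed property pushes and what it
// stores, for integer and non-integer ids. Function and data are constructed here.
function exerciseIncDecElem() {
  const results = {};

  // Non-integer id (string name): the case the stubs mishandled in this bug.
  const obj = { p: 100 };
  const name = "p";
  const a = [];
  for (let i = 0; i < 10; i++) {
    a[i] = obj[name]--;        // postfix: pushes the old value, stores old - 1
  }
  results.postfixNamed = a.join();           // "100,99,...,91"
  results.postfixNamedFinal = obj[name];     // 90

  const obj2 = { p: 100 };
  const b = [];
  for (let i = 0; i < 10; i++) {
    b[i] = ++obj2[name];       // prefix: pushes the new value, stores new
  }
  results.prefixNamed = b.join();            // "101,...,110"

  // Integer id on a dense array: same operator, element-access path.
  const arr = [5];
  const c = [];
  for (let i = 0; i < 3; i++) c[i] = arr[0]++;
  results.postfixIndexed = c.join();         // "5,6,7"

  // Property currently holding a string: the interpreter pushes ToNumber(old),
  // so the pushed value is a number even though the property held a string.
  const obj3 = { p: "100" };
  const pushed = obj3[name]--;
  results.stringPropPushed = pushed;            // 100
  results.stringPropPushedType = typeof pushed; // "number"
  results.stringPropStored = obj3.p;            // 99

  // Numeric-looking key that is not an array index, as in comment 1.
  const obj4 = {};
  obj4["-1"] = 7;
  results.negativeKeyPostfix = obj4["-1"]++; // 7
  results.negativeKeyStored = obj4["-1"];    // 8
  return results;
}
```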
Comment 3 Christian Holler (:decoder) 2013-01-14 08:01:41 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug653243.js.