TI: Crash [@ JSString::isLinear]

RESOLVED FIXED

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 6 years ago
Modified: 5 years ago
Reporter: decoder
Assignee: Unassigned
Blocks: 2 bugs
Keywords: crash, testcase
Version: Trunk
Hardware: x86_64 Linux
Bug Flags: in-testsuite +
Firefox Tracking Flags: Not tracked
Crash Signature: [@ JSString::isLinear]

Description (Reporter, 6 years ago)
The following testcase crashes on TI revision 09cce9915b80 (run with -m -n -a),
tested on 64 bit:

// obj and i are hoisted vars but still undefined here, so this throws and is caught.
try {
    obj[i] = "a";
} catch (e) {}
var obj = {
    p: 100
};
var name = "p";
var a = [];
// Element decrement with a non-integer id ("p"); the pushed old value is what gets mistyped.
for (var i = 0; i < 10; i++) {
    a[i] = obj[name]--;
}
// Reduced from an assertEq: joining the array reads the mistyped values and crashes.
(a.join(), '100,99,98,97,96,95,94,93,92,91');


Backtrace:

==11938== Invalid read of size 8
==11938==    at 0x413B0C: JSString::isLinear() const (jsstr.h:288)
==11938==    by 0x43A199: JSString::ensureLinear(JSContext*) (jsstr.h:693)
==11938==    by 0x45731B: js::StringBuffer::append(JSString*) (jsstrinlines.h:191)
==11938==    by 0x4573D3: js::ValueToStringBuffer(JSContext*, js::Value const&, js::StringBuffer&) (jsstrinlines.h:253)
==11938==    by 0x44C293: array_toString_sub(JSContext*, JSObject*, int, JSString*, js::Value*) (jsarray.cpp:1426)
==11938==    by 0x44CF2F: array_join(JSContext*, unsigned int, js::Value*) (jsarray.cpp:1634)
==11938==    by 0x4FC9B9: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, js::Value*), unsigned int, js::Value*) (jscntxtinlines.h:715)
==11938==    by 0x715238: CallCompiler::generateNativeStub() (MonoIC.cpp:830)
==11938==    by 0x70FC1F: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1093)
==11938==    by 0x41AFD9A: ???
==11938==    by 0x6942AD: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:691)
==11938==    by 0x6943EA: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:720)
==11938==  Address 0x64 is not stack'd, malloc'd or (recently) free'd
==11938==
==11938==
==11938== Process terminating with default action of signal 11 (SIGSEGV)
Comment 1 (Reporter, 6 years ago)

Pretty sure the same bug, but asserts:

// obj is hoisted but undefined here, so the element store throws and is caught.
try {
    var i = 0;
    obj['-1'] = Array;
} catch (e) {}
var obj = {
    p: 100
};
var name = "p";
var a = [];
// Same pattern with pre-increment on a non-integer id.
for (var i = 0; i < 10; i++) {
    a[i] = ++obj[name];
}
(a.join(), '101,102,103,104,105,106,107,108,109,110');


Assertion failure: (ptrBits & 0x7) == 0, at ../jsval.h:702
The stubs for INCELEM etc. opcodes did not match the interpreter, and needed to mark the pushed value as unknown whenever the accessed id is not an integer.

http://hg.mozilla.org/projects/jaegermonkey/rev/b081e391e533
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Crash Signature: [@ JSString::isLinear]
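The fix comment above distinguishes integer ids from non-integer ids for the element increment/decrement opcodes. As an added regression-style check (not the page's testcase and not the jit-test file it mentions), the following exercises both id classes with all four operators and returns the joined results so they can be compared against the expected sequences from the two testcases:

```javascript
"use strict";

// Apply one increment/decrement operator to obj[id] ten times, collecting the
// value each expression pushes (old value for post-ops, new value for pre-ops).
function collect(obj, id, op) {
  const a = [];
  for (let i = 0; i < 10; i++) {
    switch (op) {
      case "postdec": a[i] = obj[id]--; break;
      case "preinc":  a[i] = ++obj[id]; break;
      case "postinc": a[i] = obj[id]++; break;
      case "predec":  a[i] = --obj[id]; break;
      default: throw new Error("unknown op " + op);
    }
  }
  return a.join();
}

// Cases are chosen to cover the path the fix changed (non-integer ids: a plain
// property name, the string '-1' from comment 1, and a fractional number that
// stringifies to a non-index key) next to the ordinary integer-index path.
function runChecks() {
  const results = {};
  results.stringPostdec  = collect({ p: 100 }, "p", "postdec");   // first testcase
  results.stringPreinc   = collect({ p: 100 }, "p", "preinc");    // second testcase
  results.intPostinc     = collect([5], 0, "postinc");            // integer id on an array
  results.negStrPredec   = collect({ "-1": 0 }, "-1", "predec");  // non-integer id '-1'
  results.floatIdPostdec = collect({ "1.5": 3 }, 1.5, "postdec"); // numeric, non-integer id
  return results;
}
```

Running it under both the interpreter and the JIT (for example with and without -m -n -a in the shell of that era) and comparing the returned strings is the same differential check the reduced testcases encode.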
Updated (Reporter, 6 years ago)
Blocks: 676763
Comment 3 (Reporter, 5 years ago)
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug653243.js.
Flags: in-testsuite+