Bug 653395 - TI: Crash [@ js::types::TypeSet::unknown]
Status: RESOLVED FIXED
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Blocks: infer-regress langfuzz
Reported: 2011-04-28 04:41 PDT by Christian Holler (:decoder)
Modified: 2013-01-19 14:29 PST
CC: 6 users
Flags: choller: in-testsuite+

Description Christian Holler (:decoder) 2011-04-28 04:41:00 PDT
The following testcase crashes on TI revision 09cce9915b80 (run with -n -a),
tested on 64 bit:

try {
    (function () {
        __proto__ = Uint32Array()
    }())
} catch (e) {}(function () {
})()
eval("\
function testAtomize() {\
    x = {};\
    for (var i = false ; i < 65536; ++i)\
        x[String.fromCharCode(i)] = 1;\
}\
new testAtomize()(testAtomize(), 65536);\
");


Backtrace:

==2309== Invalid read of size 4
==2309==    at 0x41330C: js::types::TypeSet::unknown() (jsinfer.h:302)
==2309==    by 0x4159E2: js::types::TypeSet::addType(JSContext*, unsigned long) (jsinferinlines.h:1128)
==2309==    by 0x4E2CAB: js::types::TypeCompartment::dynamicPush(JSContext*, JSScript*, unsigned int, unsigned long) (jsinfer.cpp:1886)
==2309==    by 0x456A37: JSScript::typeMonitorResult(JSContext*, unsigned char const*, unsigned long) (jsinferinlines.h:633)
==2309==    by 0x78CE14: JSScript::typeMonitorOverflow(JSContext*, unsigned char const*) (jsinferinlines.h:648)
==2309==    by 0x7768F9: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (jsinterp.cpp:4177)
==2309==    by 0x4F7A04: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:679)
==2309==    by 0x4F9061: js::Execute(JSContext*, JSObject&, JSScript*, JSStackFrame*, unsigned int, js::Value*) (jsinterp.cpp:1070)
==2309==    by 0x514D80: EvalKernel(JSContext*, js::CallArgs const&, EvalType, JSStackFrame*, JSObject&) (jsobj.cpp:1260)
==2309==    by 0x515049: js::DirectEval(JSContext*, js::CallArgs const&) (jsobj.cpp:1323)
==2309==    by 0x77A45F: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (jsinterp.cpp:4764)
==2309==    by 0x4F7A04: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:679)
==2309==  Address 0x40 is not stack'd, malloc'd or (recently) free'd
==2309== 
==2309== 
==2309== Process terminating with default action of signal 11 (SIGSEGV)
Comment 1 Jan de Mooij [:jandem] 2011-05-04 08:35:00 PDT
Taking...
Comment 2 Jan de Mooij [:jandem] 2011-05-04 14:51:54 PDT
Throwing back, not entirely sure how to fix properly.
Comment 3 Brian Hackett (:bhackett) 2011-05-09 13:06:01 PDT
NULL dereference, ensureVarTypes should be called before calling thisTypes/localTypes/argTypes/slotTypes on a script.  The varTypes associated with each script are created on demand.

http://hg.mozilla.org/projects/jaegermonkey/rev/16ae7aed77f3
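As an added illustration of the root cause described in comment 3 (example code written for this page, not SpiderMonkey's own source; Script, TypeSet, ensureVarTypes, slotTypes and dynamicPush are hypothetical stand-ins named after the functions in the backtrace), the sketch below shows the bug class: a per-script array that is created on demand, an accessor that silently hands out a pointer into it before it exists, and the hardened form where the accessor enforces the precondition itself instead of trusting every caller.

```cpp
// Hypothetical model of the on-demand varTypes bug class (not SpiderMonkey code).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>

struct TypeSet {
    uint32_t flags = 0;                          // bit 0 stands for "unknown type"
    bool unknown() const { return (flags & 1u) != 0; }
    void addType(uint32_t bit) { flags |= bit; }
};

class Script {
public:
    explicit Script(size_t nslots) : nslots_(nslots) {}

    // Lazy creation: the per-slot type sets do not exist until first requested.
    bool ensureVarTypes() {
        if (!varTypes_)
            varTypes_.reset(new TypeSet[nslots_]());
        return varTypes_ != nullptr;
    }
    bool hasVarTypes() const { return varTypes_ != nullptr; }
    size_t nslots() const { return nslots_; }

    // Buggy shape: assumes ensureVarTypes() already ran. On a fresh script
    // the base is null, so the caller's TypeSet::unknown() read lands at
    // null plus a small field offset, the kind of address valgrind reports
    // as "not stack'd, malloc'd or (recently) free'd".
    TypeSet *slotTypesUnchecked(size_t slot) { return varTypes_ ? varTypes_.get() + slot : nullptr; }

    // Fixed shape: the accessor guarantees allocation and bounds itself,
    // so no caller can reach a TypeSet that does not exist.
    TypeSet *slotTypes(size_t slot) {
        if (slot >= nslots_ || !ensureVarTypes())
            return nullptr;
        return varTypes_.get() + slot;
    }

private:
    size_t nslots_;
    std::unique_ptr<TypeSet[]> varTypes_;        // created on demand
};

// Models TypeCompartment::dynamicPush(): record that `slot` may now hold a
// value of type `typeBit`. Returns false rather than touching a missing set.
bool dynamicPush(Script &script, size_t slot, uint32_t typeBit) {
    TypeSet *types = script.slotTypes(slot);
    if (!types)
        return false;
    types->addType(typeBit);
    return true;
}

int main() {
    Script script(4);
    bool allocatedBefore = script.hasVarTypes();             // false
    bool pushed = dynamicPush(script, 2, 1u << 3);           // allocates, then records
    std::printf("allocated before=%d pushed=%d unknown=%d\n",
                allocatedBefore, pushed, script.slotTypes(2)->unknown());
    return 0;
}
```

The defender's takeaway is the second accessor: when a structure is created on demand, put the `ensure` call inside the accessor that returns pointers into it (or assert the invariant there), so a forgotten call in one of many callers cannot become a null-plus-offset read.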
Comment 4 Christian Holler (:decoder) 2013-01-19 14:29:55 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929