TI: Crash [@ JSObject::getClass] // Null pointer dereference

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Trunk
x86_64
Linux
crash, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

6 years ago
The following testcase crashes on TI revision 32e8c937a409 (run with -m -n -a),
tested on 64 bit:

foo(); 
function foo() { 
    this();
}

==27948== Invalid read of size 8
==27948==    at 0x413706: JSObject::getClass() const (jsobj.h:416)
==27948==    by 0x41434B: JSObject::isFunction() const (jsfun.h:310)
==27948==    by 0x6ED92B: js::mjit::Compiler::inlineNativeFunction(unsigned int, bool) (FastBuiltins.cpp:337)
==27948==    by 0x69EDF1: js::mjit::Compiler::generateMethod() (Compiler.cpp:1967)
==27948==    by 0x6A71F2: js::mjit::Compiler::inlineScriptedFunction(unsigned int, bool) (Compiler.cpp:3833)
==27948==    by 0x69EE96: js::mjit::Compiler::generateMethod() (Compiler.cpp:1974)
==27948==    by 0x69690F: js::mjit::Compiler::performCompilation(js::mjit::JITScript**) (Compiler.cpp:505)
==27948==    by 0x695803: js::mjit::Compiler::compile() (Compiler.cpp:160)
==27948==    by 0x69731E: js::mjit::TryCompile(JSContext*, js::StackFrame*) (Compiler.cpp:612)
==27948==    by 0x4EA62A: js::mjit::CanMethodJIT(JSContext*, JSScript*, js::StackFrame*, js::mjit::CompileRequest) (MethodJIT-inl.h:75)
==27948==    by 0x4EBB65: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:599)
==27948==    by 0x4ED164: js::Execute(JSContext*, JSObject&, JSScript*, js::StackFrame*, unsigned int, js::Value*) (jsinterp.cpp:990)
==27948==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==27948== 
==27948== 
==27948== Process terminating with default action of signal 11 (SIGSEGV)
We don't want to inline calls which might have to wrap their 'this' value --- similar to disallowing arguments modification, inlining a call shouldn't change entries in the caller other than for syncing and register allocation.  Before the inline overhaul this was detected dynamically, but now that we decide on how to inline ahead of time this is trickier and we ended up compiling doomed code where the 'this' was a known non-object constant, which we converted to an object entry and got a torn value.

The fix cleans this up by doing the detection statically, and disallowing inlining on functions which use 'this' and have ever been called or known to have been called with a 'this' value requiring wrapping.

http://hg.mozilla.org/projects/jaegermonkey/rev/627d44418b26
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Crash Signature: [@ JSObject::getClass]
(Reporter)

Updated

6 years ago
Blocks: 676763
(Reporter)

Comment 2

5 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/inline/bug655954.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.