Bug 655954 - TI: Crash [@ JSObject::getClass] // Null pointer dereference
Status: RESOLVED FIXED
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Priority: --
Severity: critical
Assigned To: general
Blocks: infer-regress langfuzz
Reported: 2011-05-10 01:22 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:03 PST
Flags: choller: in-testsuite+

Description Christian Holler (:decoder) 2011-05-10 01:22:34 PDT
The following testcase crashes on TI revision 32e8c937a409 (run with -m -n -a),
tested on 64 bit:

foo();
function foo() {
    this();
}

==27948== Invalid read of size 8
==27948==    at 0x413706: JSObject::getClass() const (jsobj.h:416)
==27948==    by 0x41434B: JSObject::isFunction() const (jsfun.h:310)
==27948==    by 0x6ED92B: js::mjit::Compiler::inlineNativeFunction(unsigned int, bool) (FastBuiltins.cpp:337)
==27948==    by 0x69EDF1: js::mjit::Compiler::generateMethod() (Compiler.cpp:1967)
==27948==    by 0x6A71F2: js::mjit::Compiler::inlineScriptedFunction(unsigned int, bool) (Compiler.cpp:3833)
==27948==    by 0x69EE96: js::mjit::Compiler::generateMethod() (Compiler.cpp:1974)
==27948==    by 0x69690F: js::mjit::Compiler::performCompilation(js::mjit::JITScript**) (Compiler.cpp:505)
==27948==    by 0x695803: js::mjit::Compiler::compile() (Compiler.cpp:160)
==27948==    by 0x69731E: js::mjit::TryCompile(JSContext*, js::StackFrame*) (Compiler.cpp:612)
==27948==    by 0x4EA62A: js::mjit::CanMethodJIT(JSContext*, JSScript*, js::StackFrame*, js::mjit::CompileRequest) (MethodJIT-inl.h:75)
==27948==    by 0x4EBB65: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:599)
==27948==    by 0x4ED164: js::Execute(JSContext*, JSObject&, JSScript*, js::StackFrame*, unsigned int, js::Value*) (jsinterp.cpp:990)
==27948==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==27948== 
==27948== 
==27948== Process terminating with default action of signal 11 (SIGSEGV)
Comment 1 Brian Hackett (:bhackett) 2011-05-10 08:33:38 PDT
We don't want to inline calls which might have to wrap their 'this' value --- similar to disallowing arguments modification, inlining a call shouldn't change entries in the caller other than for syncing and register allocation.  Before the inline overhaul this was detected dynamically, but now that we decide on how to inline ahead of time this is trickier and we ended up compiling doomed code where the 'this' was a known non-object constant, which we converted to an object entry and got a torn value.

The fix cleans this up by doing the detection statically, and disallowing inlining on functions which use 'this' and have ever been called or known to have been called with a 'this' value requiring wrapping.

http://hg.mozilla.org/projects/jaegermonkey/rev/627d44418b26
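Added here as an illustration of what "a 'this' value requiring wrapping" means at the language level (example code, not part of the bug report or of SpiderMonkey); it assumes a Node.js host where globalThis is the global object:

```javascript
// Added illustration (not from the bug report) of the 'this' wrapping that the
// fix above reasons about. Probes are built with the Function constructor so
// their strictness is fixed by their own body, not by whether this file runs
// as a CommonJS script or an ES module (ES modules are always strict).
const sloppyProbe = new Function(
  'return { type: typeof this, isGlobal: this === globalThis };');
const strictProbe = new Function(
  '"use strict"; return { type: typeof this, isGlobal: this === globalThis };');

// Does a call with this receiver observe a different 'this' in sloppy-mode
// code than in strict-mode code? If so, the engine had to wrap the receiver
// (undefined/null -> global object, primitive -> boxed wrapper object), and
// compiled code that assumed the raw constant would disagree with the
// interpreter, which is the mismatch the fix rules out by refusing to inline.
function needsWrapping(receiver) {
  const sloppy = sloppyProbe.call(receiver);
  const strict = strictProbe.call(receiver);
  return sloppy.type !== strict.type || sloppy.isGlobal !== strict.isGlobal;
}

// The sloppy-mode view of a receiver, as the interpreter would see it.
function sloppyView(receiver) {
  return sloppyProbe.call(receiver);
}

// The testcase from the report, rebuilt as sloppy code: foo() runs with an
// undefined receiver, which sloppy mode wraps to the global object, so the
// inner this() must fail with a TypeError rather than crash the engine.
function runTestcase() {
  const testcase = new Function('foo(); function foo() { this(); }');
  try {
    testcase();
    return 'no error';
  } catch (e) {
    return e.constructor.name;
  }
}

// Constructed sample receivers: every non-object one needs wrapping.
function wrappingReport() {
  const receivers = [undefined, null, 42, 'str', true, {}];
  return receivers.map(r => ({
    receiver: r === null ? 'null' : typeof r === 'object' ? '{}' : String(r),
    needsWrapping: needsWrapping(r),
  }));
}
```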
Comment 2 Christian Holler (:decoder) 2013-01-14 08:03:04 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/inline/bug655954.js.
