Closed Bug 655954 Opened 9 years ago Closed 9 years ago

TI: Crash [@ JSObject::getClass] // Null pointer dereference

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase)

Crash Data

The following testcase crashes on TI revision 32e8c937a409 (run with -m -n -a),
tested on 64 bit:

foo(); 
function foo() { 
    this();
}

==27948== Invalid read of size 8
==27948==    at 0x413706: JSObject::getClass() const (jsobj.h:416)
==27948==    by 0x41434B: JSObject::isFunction() const (jsfun.h:310)
==27948==    by 0x6ED92B: js::mjit::Compiler::inlineNativeFunction(unsigned int, bool) (FastBuiltins.cpp:337)
==27948==    by 0x69EDF1: js::mjit::Compiler::generateMethod() (Compiler.cpp:1967)
==27948==    by 0x6A71F2: js::mjit::Compiler::inlineScriptedFunction(unsigned int, bool) (Compiler.cpp:3833)
==27948==    by 0x69EE96: js::mjit::Compiler::generateMethod() (Compiler.cpp:1974)
==27948==    by 0x69690F: js::mjit::Compiler::performCompilation(js::mjit::JITScript**) (Compiler.cpp:505)
==27948==    by 0x695803: js::mjit::Compiler::compile() (Compiler.cpp:160)
==27948==    by 0x69731E: js::mjit::TryCompile(JSContext*, js::StackFrame*) (Compiler.cpp:612)
==27948==    by 0x4EA62A: js::mjit::CanMethodJIT(JSContext*, JSScript*, js::StackFrame*, js::mjit::CompileRequest) (MethodJIT-inl.h:75)
==27948==    by 0x4EBB65: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:599)
==27948==    by 0x4ED164: js::Execute(JSContext*, JSObject&, JSScript*, js::StackFrame*, unsigned int, js::Value*) (jsinterp.cpp:990)
==27948==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==27948== 
==27948== 
==27948== Process terminating with default action of signal 11 (SIGSEGV)
We don't want to inline calls which might have to wrap their 'this' value --- similar to disallowing arguments modification, inlining a call shouldn't change entries in the caller other than for syncing and register allocation.  Before the inline overhaul this was detected dynamically, but now that we decide on how to inline ahead of time this is trickier and we ended up compiling doomed code where the 'this' was a known non-object constant, which we converted to an object entry and got a torn value.

The fix cleans this up by doing the detection statically, and disallowing inlining on functions which use 'this' and have ever been called or known to have been called with a 'this' value requiring wrapping.

http://hg.mozilla.org/projects/jaegermonkey/rev/627d44418b26
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ JSObject::getClass]
Blocks: 676763
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/inline/bug655954.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.