Bug 657624 - TI: Crash due to call stack overflow [@ AnalyzeNewScriptProperties]
Status: RESOLVED FIXED
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Assigned To: general
Blocks: infer-regress langfuzz
Reported: 2011-05-17 07:49 PDT by Christian Holler (:decoder)
Modified: 2011-08-05 00:54 PDT
Description Christian Holler (:decoder) 2011-05-17 07:49:10 PDT
The following testcase crashes on TI revision 97f9e3274bd5 (option -n is sufficient), tested on 64-bit.

function f(foo) {
    try {
        new f;
    } catch (foo) {}
    f.call(this);
}
try {
    f();
} catch (x) {}


Crash looks like an infinite recursion around [AnalyzeNewScriptProperties]:

#1  0x000000000041402e in js::PutEscapedString (buffer=0xb52620 "Function.call", size=100, str=0x7ff1dba05400, quote=0)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsstr.h:1229
#2  0x00000000004d3898 in js::types::TypeIdStringImpl (id={asBits = 140676748563456}) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:130
#3  0x0000000000405364 in TypeIdString (id={asBits = 140676748563456}) at ../jsinferinlines.h:128
#4  0x000000000041602c in js::types::TypeObject::name (this=0x1b69170) at ./jsinferinlines.h:1279
#5  0x00000000004d3a65 in js::types::TypeString (type=28742000) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:183
#6  0x00000000004157ab in js::types::TypeCompartment::addPending (this=0x1b0e3a8, cx=0x1b0d8d0, constraint=0x1fad4b0, source=0x1b76b18, type=28742000) at ./jsinferinlines.h:816
#7  0x00000000004e258c in js::types::TypeSet::add (this=0x1b76b18, cx=0x1b0d8d0, constraint=0x1fad4b0, callExisting=true)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:346
#8  0x00000000004e39b3 in TypeIntermediateClearDefinite::replay (this=0x1fae590, cx=0x1b0d8d0, script=0x1b765d0) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:3835
#9  0x00000000004dcda7 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4037
#10 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#11 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#12 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#13 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#14 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#15 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
Comment 1 Brian Hackett (:bhackett) 2011-05-18 11:10:56 PDT
When analyzing properties added by objects in calls to 'new' on a script, we didn't watch for recursion.  We don't keep track of which scripts have been processed, but each time we cross procedure boundaries we append to a vector and can watch the length of this vector to block such recursion.

http://hg.mozilla.org/projects/jaegermonkey/rev/0b30b3263f8d
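To show the shape of the guard comment 1 describes, here is an added toy C++ model of a constructor-property analysis that follows calls passing `this` into other scripts and bails out once the initializer vector grows past a cap. It is not SpiderMonkey code; `Op`, `Script`, `kMaxInitializers` and the sample scripts (including an `f` that calls itself through `this`, the testcase's shape) are constructed for this example.

```cpp
#include <map>
#include <string>
#include <vector>

// Op kinds: AddProp models "this.name = ..."; CallThis models "g.call(this)",
// which makes the analysis follow into script g with the same `this`.
struct Op { enum Kind { AddProp, CallThis } kind; std::string target; };
struct Script { std::string name; std::vector<Op> ops; };
using Scripts = std::map<std::string, Script>;

// Assumed cap on how many procedure boundaries one analysis may cross.
const size_t kMaxInitializers = 8;

// Returns false when the analysis gives up (recursion blocked); the caller
// then treats the object's definite properties as unknown, which is safe.
bool analyzeNewScriptProperties(const Scripts& scripts, const std::string& name,
                                std::vector<std::string>& props,
                                std::vector<std::string>& initializerList) {
    const Script& script = scripts.at(name);
    for (const Op& op : script.ops) {
        if (op.kind == Op::AddProp) {
            props.push_back(op.target);
            continue;
        }
        // Crossing a procedure boundary: record it, and bail if the vector has
        // grown past the cap. Without this check a script such as
        // f -> f -> f ... is re-entered until the native stack overflows.
        initializerList.push_back(name + "->" + op.target);
        if (initializerList.size() > kMaxInitializers)
            return false;
        if (!analyzeNewScriptProperties(scripts, op.target, props, initializerList))
            return false;
    }
    return true;
}

// Runs the analysis for constructor `name`; an empty result means "unknown".
std::vector<std::string> definiteProperties(const Scripts& scripts, const std::string& name) {
    std::vector<std::string> props, initializers;
    if (!analyzeNewScriptProperties(scripts, name, props, initializers))
        return {};
    return props;
}

// Constructed inputs: a well-behaved constructor plus the bug's shape.
Scripts sampleScripts() {
    return {
        {"Point", {"Point", {{Op::AddProp, "x"}, {Op::AddProp, "y"}, {Op::CallThis, "initColor"}}}},
        {"initColor", {"initColor", {{Op::AddProp, "color"}}}},
        {"f", {"f", {{Op::CallThis, "f"}}}},
    };
}
```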
