Bug 657624 (Closed)
Opened 14 years ago; closed 14 years ago
TI: Crash due to call stack overflow [@ AnalyzeNewScriptProperties]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: decoder; Unassigned
Keywords: crash, testcase
The following testcase crashes on TI revision 97f9e3274bd5 (option -n is sufficient), tested on 64 bit.
function f(foo) {
    try {
        new f;          // constructor call re-enters f while f is being analyzed
    } catch (foo) {}
    f.call(this);       // plain call re-enters f a second time
}
try {
    f();
} catch (x) {}
Crash looks like an infinite recursion around [AnalyzeNewScriptProperties]:
#1 0x000000000041402e in js::PutEscapedString (buffer=0xb52620 "Function.call", size=100, str=0x7ff1dba05400, quote=0)
at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsstr.h:1229
#2 0x00000000004d3898 in js::types::TypeIdStringImpl (id={asBits = 140676748563456}) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:130
#3 0x0000000000405364 in TypeIdString (id={asBits = 140676748563456}) at ../jsinferinlines.h:128
#4 0x000000000041602c in js::types::TypeObject::name (this=0x1b69170) at ./jsinferinlines.h:1279
#5 0x00000000004d3a65 in js::types::TypeString (type=28742000) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:183
#6 0x00000000004157ab in js::types::TypeCompartment::addPending (this=0x1b0e3a8, cx=0x1b0d8d0, constraint=0x1fad4b0, source=0x1b76b18, type=28742000) at ./jsinferinlines.h:816
#7 0x00000000004e258c in js::types::TypeSet::add (this=0x1b76b18, cx=0x1b0d8d0, constraint=0x1fad4b0, callExisting=true)
at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:346
#8 0x00000000004e39b3 in TypeIntermediateClearDefinite::replay (this=0x1fae590, cx=0x1b0d8d0, script=0x1b765d0) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:3835
#9 0x00000000004dcda7 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4037
#10 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#11 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#12 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#13 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#14 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#15 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
Comment 1 (14 years ago)
When analyzing properties added by objects in calls to 'new' on a script, we didn't watch for recursion. We don't keep track of which scripts have been processed, but each time we cross procedure boundaries we append to a vector and can watch the length of this vector to block such recursion.
http://hg.mozilla.org/projects/jaegermonkey/rev/0b30b3263f8d
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
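An added example, not code from this bug or from the SpiderMonkey tree, modelling the guard Comment 1 describes: a toy analysis follows `new` calls between constructed scripts, appends to a vector each time it crosses into a constructor, and stops recursing once that vector reaches an assumed bound (kMaxDepth here is a placeholder, not the engine's value). The self-edge f -> f stands in for the testcase above.

```cpp
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for a script: the constructors its body invokes with `new`.
// The bug's testcase is the self-edge f -> f (f's body does `new f`).
struct Script {
    std::vector<std::string> newCalls;
};
typedef std::map<std::string, Script> ScriptTable;

// Assumed bound on nested `new` analysis; not the engine's real constant.
static const unsigned kMaxDepth = 8;

// Toy analogue of AnalyzeNewScriptProperties: each crossing into a constructor
// appends to initializerList and recurses, so the vector's length is the depth.
// Returns false when the bound is hit; without it a cycle recurses until overflow.
static bool analyzeNewScriptProperties(const ScriptTable& scripts, const std::string& name,
                                       std::vector<std::string>& initializerList) {
    if (initializerList.size() >= kMaxDepth)  // the recursion guard
        return false;
    initializerList.push_back(name);
    ScriptTable::const_iterator it = scripts.find(name);
    if (it == scripts.end())
        return true;  // unknown script: nothing further to follow
    for (const std::string& callee : it->second.newCalls) {
        if (!analyzeNewScriptProperties(scripts, callee, initializerList))
            return false;
    }
    return true;
}

// Constructor bodies visited from `root`, or -1 when the guard stopped the analysis.
int countAnalyzed(const ScriptTable& scripts, const std::string& root) {
    std::vector<std::string> initializerList;
    bool ok = analyzeNewScriptProperties(scripts, root, initializerList);
    return ok ? static_cast<int>(initializerList.size()) : -1;
}

// Constructed inputs: the testcase's self-recursive f, and an acyclic chain A -> B -> C.
ScriptTable selfRecursiveTestcase() {
    ScriptTable t;
    t["f"].newCalls.push_back("f");
    return t;
}
ScriptTable acyclicChain() {
    ScriptTable t;
    t["A"].newCalls.push_back("B");
    t["B"].newCalls.push_back("C");
    return t;
}
```

The acyclic chain is analyzed completely, while the self-recursive graph is cut off at the bound instead of exhausting the call stack.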
Updated 14 years ago
Crash Signature: [@ AnalyzeNewScriptProperties]