Closed
Bug 657624
Opened 13 years ago
Closed 13 years ago
TI: Crash due to call stack overflow [@ AnalyzeNewScriptProperties]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, testcase)
Crash Data
Description

The following testcase crashes on TI revision 97f9e3274bd5 (option -n is sufficient), tested on 64 bit.

function f(foo) {
  try { new f; } catch (foo) {}
  f.call(this);
}
try { f(); } catch (x) {}

Crash looks like an infinite recursion around [AnalyzeNewScriptProperties]:

#1 0x000000000041402e in js::PutEscapedString (buffer=0xb52620 "Function.call", size=100, str=0x7ff1dba05400, quote=0) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsstr.h:1229
#2 0x00000000004d3898 in js::types::TypeIdStringImpl (id={asBits = 140676748563456}) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:130
#3 0x0000000000405364 in TypeIdString (id={asBits = 140676748563456}) at ../jsinferinlines.h:128
#4 0x000000000041602c in js::types::TypeObject::name (this=0x1b69170) at ./jsinferinlines.h:1279
#5 0x00000000004d3a65 in js::types::TypeString (type=28742000) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:183
#6 0x00000000004157ab in js::types::TypeCompartment::addPending (this=0x1b0e3a8, cx=0x1b0d8d0, constraint=0x1fad4b0, source=0x1b76b18, type=28742000) at ./jsinferinlines.h:816
#7 0x00000000004e258c in js::types::TypeSet::add (this=0x1b76b18, cx=0x1b0d8d0, constraint=0x1fad4b0, callExisting=true) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:346
#8 0x00000000004e39b3 in TypeIntermediateClearDefinite::replay (this=0x1fae590, cx=0x1b0d8d0, script=0x1b765d0) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:3835
#9 0x00000000004dcda7 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4037
#10 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#11 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#12 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#13 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#14 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#15 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
Comment 1•13 years ago
When analyzing properties added by objects in calls to 'new' on a script, we didn't watch for recursion. We don't keep track of which scripts have been processed, but each time we cross procedure boundaries we append to a vector and can watch the length of this vector to block such recursion. http://hg.mozilla.org/projects/jaegermonkey/rev/0b30b3263f8d
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
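The crash in the description and the fix in Comment 1 are two views of one problem: a recursive analysis that follows `new`-constructed scripts across procedure boundaries with no bound, so a self-calling constructor like the testcase's `f` recurses until the C stack is exhausted. The block below is an added illustration of the guard Comment 1 describes, not SpiderMonkey's code: one entry is appended to an initializer list each time a procedure boundary is crossed, and the analysis bails out once that list exceeds a fixed length. The names `Script`, `ScriptTable`, `analyzeNewScriptProperties`, `analyzeScript`, `sampleScripts` and `kMaxInitializerEntries`, and the sample scripts, are assumptions chosen for the example.

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <vector>

// Added example, not SpiderMonkey code. A toy "new script" property
// analysis: each script lists the properties it assigns on 'this' and the
// scripts it calls with the same receiver. Names are illustrative.
struct Script {
    std::vector<std::string> addedProperties;  // 'this.x = ...' assignments
    std::vector<std::string> callees;          // scripts called with the same 'this'
};
using ScriptTable = std::map<std::string, Script>;

// Upper bound on entries in the initializer list. One entry is appended per
// procedure boundary crossed, so an unbounded recursion (f -> f -> f ...)
// trips this limit instead of exhausting the C stack. Assumed value.
constexpr std::size_t kMaxInitializerEntries = 32;

// Returns true if the analysis completed, false if it bailed out because
// the initializer list grew past the bound.
bool analyzeNewScriptProperties(const ScriptTable& scripts,
                                const std::string& name,
                                std::vector<std::string>& properties,
                                std::vector<std::string>& initializerList)
{
    auto it = scripts.find(name);
    if (it == scripts.end())
        return true;  // unknown callee: contributes no properties
    const Script& script = it->second;

    properties.insert(properties.end(),
                      script.addedProperties.begin(),
                      script.addedProperties.end());

    for (const std::string& callee : script.callees) {
        // Crossing a procedure boundary: record it, then check the bound.
        // Entries are never popped, so this caps total crossings rather than
        // depth. Coarse, but it makes every analysis finite.
        initializerList.push_back(callee);
        if (initializerList.size() > kMaxInitializerEntries)
            return false;
        if (!analyzeNewScriptProperties(scripts, callee, properties, initializerList))
            return false;
    }
    return true;
}

// Convenience wrapper: analyze one script from an empty state.
bool analyzeScript(const ScriptTable& scripts, const std::string& name,
                   std::vector<std::string>& properties)
{
    std::vector<std::string> initializerList;
    properties.clear();
    return analyzeNewScriptProperties(scripts, name, properties, initializerList);
}

// Constructed sample: a benign constructor chain, plus the self-calling
// shape of the bug's testcase (f reaches f again via f.call(this)).
ScriptTable sampleScripts()
{
    ScriptTable t;
    t["Point"] = { {"x", "y"}, {"initColor"} };
    t["initColor"] = { {"color"}, {} };
    t["f"] = { {}, {"f"} };
    return t;
}

int main()
{
    ScriptTable scripts = sampleScripts();
    std::vector<std::string> props;
    bool okPoint = analyzeScript(scripts, "Point", props);  // completes, 3 properties
    bool okF = analyzeScript(scripts, "f", props);          // bails out: guard tripped
    return (okPoint && !okF) ? 0 : 1;
}
```

The guard returns a failure rather than a partial result so the caller can fall back to the conservative path (no definite properties for that type), which is the safe direction for an analysis whose output feeds optimized code.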
Updated•13 years ago
Crash Signature: [@ AnalyzeNewScriptProperties]