TI: Crash due to call stack overflow [@ AnalyzeNewScriptProperties]

RESOLVED FIXED

Core
JavaScript Engine
critical

(Reporter: decoder, Unassigned)

(Blocks: 2 bugs, {crash, testcase})

Trunk
x86_64
Linux
(Reporter)

Description

6 years ago
The following testcase crashes on TI revision 97f9e3274bd5 (option -n is sufficient), tested on 64-bit.

function f(foo) {
    try {
        new f;            // constructor call re-enters f
    } catch (foo) {}      // catch parameter shadows f's own parameter 'foo'
    f.call(this);         // plain call re-enters f as well
}
try {
    f();
} catch (x) {}

Crash looks like an infinite recursion around [AnalyzeNewScriptProperties]:

#1  0x000000000041402e in js::PutEscapedString (buffer=0xb52620 "Function.call", size=100, str=0x7ff1dba05400, quote=0)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsstr.h:1229
#2  0x00000000004d3898 in js::types::TypeIdStringImpl (id={asBits = 140676748563456}) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:130
#3  0x0000000000405364 in TypeIdString (id={asBits = 140676748563456}) at ../jsinferinlines.h:128
#4  0x000000000041602c in js::types::TypeObject::name (this=0x1b69170) at ./jsinferinlines.h:1279
#5  0x00000000004d3a65 in js::types::TypeString (type=28742000) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:183
#6  0x00000000004157ab in js::types::TypeCompartment::addPending (this=0x1b0e3a8, cx=0x1b0d8d0, constraint=0x1fad4b0, source=0x1b76b18, type=28742000) at ./jsinferinlines.h:816
#7  0x00000000004e258c in js::types::TypeSet::add (this=0x1b76b18, cx=0x1b0d8d0, constraint=0x1fad4b0, callExisting=true)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:346
#8  0x00000000004e39b3 in TypeIntermediateClearDefinite::replay (this=0x1fae590, cx=0x1b0d8d0, script=0x1b765d0) at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:3835
#9  0x00000000004dcda7 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4037
#10 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#11 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#12 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#13 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#14 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
#15 0x00000000004dce88 in AnalyzeNewScriptProperties (cx=0x1b0d8d0, type=0x1b75870, script=0x1b765d0, pbaseobj=0x7fffb8eaecd0, initializerList=0x7fffb8eaec50)
    at /home/decoder/LangFuzz/jaegermonkey/jsdbg/src/jsinfer.cpp:4047
When analyzing properties added by objects in calls to 'new' on a script, we didn't watch for recursion.  We don't keep track of which scripts have been processed, but each time we cross procedure boundaries we append to a vector and can watch the length of this vector to block such recursion.

http://hg.mozilla.org/projects/jaegermonkey/rev/0b30b3263f8d
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Crash Signature: [@ AnalyzeNewScriptProperties]
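To illustrate the recursion guard the comment above describes, here is an added toy model in C++ (not SpiderMonkey's code): the analysis walks a constructed call graph in which f constructs and calls itself, as in the testcase, and the length of the vector of scripts entered so far bounds the descent. The function names, the depth limit and the graph are hypothetical.

```cpp
// Added illustration, not SpiderMonkey code: a toy model of the analysis in the
// comment above. Analyzing a script's 'new' properties descends into each script
// it enters, so a self-referential graph (f constructs and calls f, as in the
// testcase) would recurse forever without a bound. All names are hypothetical.
#include <cstddef>
#include <string>
#include <unordered_map>
#include <vector>

using CallGraph = std::unordered_map<std::string, std::vector<std::string>>;

// Hypothetical limit on how many procedure boundaries the analysis may cross.
constexpr std::size_t kMaxAnalysisDepth = 16;

struct AnalysisResult {
    std::size_t scriptsVisited = 0;  // script entries analyzed before returning
    bool aborted = false;            // true if the depth bound stopped the walk
};

static void analyzeNewScriptProperties(const CallGraph& graph,
                                       const std::string& script,
                                       std::vector<std::string>& entered,
                                       AnalysisResult& result) {
    // Without this check the recursion below never terminates on a cycle.
    if (entered.size() >= kMaxAnalysisDepth) {
        result.aborted = true;  // give up: treat the object's layout as unknown
        return;
    }
    entered.push_back(script);  // crossing a procedure boundary
    result.scriptsVisited++;
    auto it = graph.find(script);
    if (it != graph.end()) {
        for (const std::string& callee : it->second) {
            analyzeNewScriptProperties(graph, callee, entered, result);
            if (result.aborted) break;
        }
    }
    entered.pop_back();
}

AnalysisResult analyze(const CallGraph& graph, const std::string& root) {
    std::vector<std::string> entered;
    AnalysisResult result;
    analyzeNewScriptProperties(graph, root, entered, result);
    return result;
}

// Constructed from the testcase: f re-enters f via 'new f' and via f.call(this).
CallGraph testcaseGraph() { return CallGraph{{"f", {"f", "f"}}}; }
```

On the testcase graph the walk stops after kMaxAnalysisDepth entries with aborted set, while an acyclic graph is analyzed to completion.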
(Reporter)
Updated
Blocks: 676763