658212 - TI: Crash [@ JSString::length]

Status: RESOLVED DUPLICATE of bug 658211

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

Attachment: Test case for shell (run with -j -n -a -m)

The attached testcase crashes on TI revision 4dff743ec04d (run with -j -m -n -a), tested on 64 bit.

Backtrace:

==19388== Invalid read of size 8
==19388==    at 0x43943E: JSString::length() const (jsstr.h:250)
==19388==    by 0x505D2A: bool js::StringToNumberType<double>(JSContext*, JSString*, double*) (jsnum.h:646)
==19388==    by 0x50538F: js::ValueToNumberSlow(JSContext*, js::Value, double*) (jsnum.cpp:1292)
==19388==    by 0x50696B: js::ValueToNumber(JSContext*, js::Value*) (jsnum.h:280)
==19388==    by 0x799619: js::mjit::stubs::Pos(js::VMFrame&) (StubCalls.cpp:2581)
==19388==    by 0x41B1C73: ???
==19388==    by 0x6914BC: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:882)
==19388==    by 0x69162C: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*) (MethodJIT.cpp:914)
==19388==    by 0x691708: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:931)
==19388==    by 0x77E6DA: js::Interpret(JSContext*, js::StackFrame*, unsigned int, js::InterpMode) (jsinterp.cpp:4727)
==19388==    by 0x735E8C: js_InternalInterpret (InvokeHelpers.cpp:1636)
==19388==    by 0x6911E1: ??? (MethodJIT.cpp:152)
==19388==  Address 0x5 is not stack'd, malloc'd or (recently) free'd
==19388== 
==19388== 
==19388== Process terminating with default action of signal 11 (SIGSEGV)

Comment 2

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug658212.js.