659450 - TI: Crash [@ JSString::length]

Status: RESOLVED DUPLICATE of bug 659448

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on TI revision 29f08848d96c (run with -j -m -n -a), tested on 64 bit:


var gTestcases = Array;
function TestCase(n, d, e, a) {
    this.name
    this.description = d
    gTestcases[gTc++] = this
}
TestCase.prototype.dump = function () + this.description
function reportCompare(expected, actual, description) {
    description = ''
    new TestCase("s", description, expected, actual)
}
gTc = 0;
reportCompare(true, true);
try {
    TestCase(S, "s", "s", "s")
} catch (e) {}
gc();
reportCompare([], [], 0)
reportCompare([], [], 1)
new TestCase;
for (i = 0; i < 4; ++i) gTestcases[i].dump();



Backtrace:

==12041== Invalid read of size 8
==12041==    at 0x439618: JSString::length() const (jsstr.h:250)
==12041==    by 0x50827A: bool js::StringToNumberType<double>(JSContext*, JSString*, double*) (jsnum.h:646)
==12041==    by 0x5078DF: js::ValueToNumberSlow(JSContext*, js::Value, double*) (jsnum.cpp:1292)
==12041==    by 0x508EBB: js::ValueToNumber(JSContext*, js::Value*) (jsnum.h:280)
==12041==    by 0x79E88E: js::mjit::stubs::Pos(js::VMFrame&) (StubCalls.cpp:2582)
==12041==    by 0x41B4444: ???
==12041==    by 0x6936A4: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:882)
==12041==    by 0x693814: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*) (MethodJIT.cpp:914)
==12041==    by 0x693952: js::mjit::JaegerShotAtSafePoint(JSContext*, void*) (MethodJIT.cpp:941)
==12041==    by 0x777D9A: js::Interpret(JSContext*, js::StackFrame*, unsigned int, js::InterpMode) (jsinterp.cpp:3532)
==12041==    by 0x73AC78: js_InternalInterpret (InvokeHelpers.cpp:1642)
==12041==    by 0x6933C9: ??? (MethodJIT.cpp:152)
==12041==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

Comment 2

[Christian Holler (:decoder)]

A testcase for this bug was already added in the original bug (bug 659448).