Closed
Bug 662047
Opened 14 years ago
Closed 14 years ago
TI: Crash [@ js::PutEscapedStringImpl]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 661840
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(1 file)
818 bytes,
application/x-compressed-tar
The attached testcase crashes on TI revision 11714be33655 but NOT on TI tip a638ecbe6843 (unpack, chdir and run main.js with -j -m -n -a). I'm currently not at home and cannot do a bisect here right now. The bug itself seems to be a GC-related bug, so I'm not fully sure if it was fixed in between those revisions (maybe bug 661840?) or if it simply does not reproduce anymore on the newer revision because it's fragile.
Backtrace:
==28455== Invalid read of size 2
==28455== at 0x5AF3EA: js::PutEscapedStringImpl(char*, unsigned long, _IO_FILE*, JSLinearString*, unsigned int) (jsstr.cpp:6087)
==28455== by 0x4139FD: js::PutEscapedString(char*, unsigned long, JSLinearString*, unsigned int) (jsstr.h:1237)
==28455== by 0x4D53A6: js::types::TypeIdStringImpl(jsid) (jsinfer.cpp:130)
==28455== by 0x4ACA55: js::types::TypeIdString(jsid) (jsinferinlines.h:139)
==28455== by 0x4B74CB: js::types::TypeObject::name() (jsinferinlines.h:1228)
==28455== by 0x4D557C: js::types::TypeString(unsigned long) (jsinfer.cpp:185)
==28455== by 0x43B6A0: js::types::TypeSet::addType(JSContext*, unsigned long) (jsinferinlines.h:1071)
==28455== by 0x4DDC48: js::analyze::ScriptAnalysis::analyzeTypesBytecode(JSContext*, unsigned int, js::analyze::ScriptAnalysis::TypeInferenceState&) (jsinfer.cpp:3714)
==28455== by 0x4DEB94: js::analyze::ScriptAnalysis::analyzeTypes(JSContext*) (jsinfer.cpp:4032)
==28455== by 0x4E6CEA: TypeConstraintCondensed::checkAnalysis(JSContext*) (jsinfer.cpp:489)
==28455== by 0x4E6D1A: TypeConstraintCondensed::newType(JSContext*, js::types::TypeSet*, unsigned long) (jsinfer.cpp:492)
==28455== by 0x43B38F: js::types::TypeCompartment::resolvePending(JSContext*) (jsinferinlines.h:804)
==28455== Address 0xdadadadadadadada is not stack'd, malloc'd or (recently) free'd
==28455==
==28455==
==28455== Process terminating with default action of signal 11 (SIGSEGV)
Comment 1•14 years ago
This is highly likely to be fixed on tip. I emailed bhackett a hard-to-reduce testcase that had a similar signature a day or two ago and he may have fixed it.
Comment 2•14 years ago
Yeah, this showed up in that testcase and bug 661840 because now gc() can trigger a compartment GC and the bug only shows up in that context.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•14 years ago
Crash Signature: [@ js::PutEscapedStringImpl]
Comment 3 (Reporter)•13 years ago
A testcase for this bug was already added in the original bug (bug 661840).
Flags: in-testsuite-