TI: Crash [@ js::gc::ChunkBitmap::isMarked]

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Opened: 6 years ago
Last modified: 5 years ago

People: Reporter: decoder; Unassigned

Tracking: Blocks 2 bugs; keywords: crash, testcase
Version: Trunk
Platform: x86_64 Linux
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)

Attachments: 1 attachment

(Reporter)

Description

6 years ago
The following testcase crashes on TI revision 7dae91c263cf (run with -j -m -n), tested on 64 bit:

try {
for (var BUGNUMBER = 0, sz = Math.pow(2, 21); i < sz; i++)
  str += '0,';
} catch (exc1) {}
var str = '[';
for (var i = 0, BUGNUMBER; i < sz; i++)
  str += '0,';
  var obj = {
    p: { __proto__: null },
  };
for (var i = 0, sz = Math.pow(2, 21); i < sz; i++)
  str += '0,';

I got this to crash when the address space is randomized, but it won't crash in gdb.  I turned off ASLR and now it won't crash at all.  Can you get this to crash in gdb?  If so, do you have a shell I can ssh to?
(Reporter)

Comment 2

6 years ago
No, this does not crash in GDB for me either, but it does in Valgrind. Maybe it's possible to turn on ASLR in GDB? I'm on a train right now but can check later maybe.
Created attachment 554495 (patch)

There is a static type object which serves as the default type object for objects with no prototype.  Similar to static strings, isMarked() cannot be called on this (its property types are unknown and it cannot have empty shapes, so nothing ever mutates it).  When sweeping compartment tables for the types to associate with singleton/JSON objects, we didn't check for this static type object, under the assumption that elements of such objects were not mutants with non-standard prototypes.  This situation was possible, though, as singletons were allowed to change their __proto__ so long as that prototype was itself a constant.  This latter behavior is pretty goofy and liable to cause problems elsewhere, so the fix just treats any initializer mutating __proto__ as not constant.

http://hg.mozilla.org/projects/jaegermonkey/rev/7ef2e842650c
Attachment #554495 - Flags: review?(dvander)
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
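The sweep-time mistake described in the patch comment, modelled in C as an added example (this is illustrative code, not SpiderMonkey's): a small arena with a mark bitmap, one static TypeObject that lives outside every arena (the analogue of the default type for objects with no prototype), and a table sweep that in its buggy form calls isMarked on that static object. The names TypeObject, staticEmptyType, sweepTable and runScenario are assumptions of the model. The engine's ChunkBitmap::isMarked locates the mark bitmap from the cell's address, which is why a pointer that was never a heap cell crashes there; the model counts such calls instead of crashing, so both the buggy and the fixed sweep can be run side by side.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model, not SpiderMonkey code: an arena of TypeObject cells
 * with a mark bitmap, plus one static TypeObject outside any arena. */

#define ARENA_CELLS 64

typedef struct TypeObject { int id; } TypeObject;

typedef struct Arena {
    TypeObject cells[ARENA_CELLS];
    uint64_t markbits;            /* bit i set => cells[i] survived marking */
} Arena;

static Arena arena;
static TypeObject staticEmptyType = { -1 };   /* never allocated in an arena */
static int badIsMarkedCalls;                   /* calls that would crash in the engine */

/* Is t one of this arena's cells? Compared as integers to stay defined
 * for pointers into unrelated objects such as staticEmptyType. */
static bool inArena(const TypeObject *t) {
    uintptr_t a = (uintptr_t)t;
    return a >= (uintptr_t)&arena.cells[0] && a < (uintptr_t)&arena.cells[ARENA_CELLS];
}

/* Valid only for arena cells. The real engine derives the bitmap from the
 * address and crashes on a non-heap pointer; the model records the misuse. */
static bool isMarked(const TypeObject *t) {
    if (!inArena(t)) {
        badIsMarkedCalls++;
        return false;
    }
    size_t idx = (size_t)(t - &arena.cells[0]);
    return (arena.markbits >> idx) & 1u;
}

/* Sweep a table of type pointers in place, dropping entries whose type died.
 * checkStatic == false is the buggy sweep from the bug description;
 * checkStatic == true skips the static type before ever calling isMarked. */
static size_t sweepTable(TypeObject **table, size_t n, bool checkStatic) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        TypeObject *t = table[i];
        bool keep = (checkStatic && t == &staticEmptyType) || isMarked(t);
        if (keep)
            table[kept++] = t;
    }
    return kept;
}

/* Constructed scenario: cell 0 marked, cell 1 unmarked, plus the static type.
 * Returns how many table entries survive the sweep. */
size_t runScenario(bool checkStatic) {
    badIsMarkedCalls = 0;
    arena.markbits = 0;
    for (int i = 0; i < ARENA_CELLS; i++)
        arena.cells[i].id = i;
    arena.markbits |= (uint64_t)1 << 0;       /* only cell 0 is live */

    TypeObject *table[3] = { &arena.cells[0], &arena.cells[1], &staticEmptyType };
    return sweepTable(table, 3, checkStatic);
}

/* Number of isMarked calls on non-heap pointers during the last scenario. */
int badCallsInLastScenario(void) { return badIsMarkedCalls; }
```

The buggy sweep keeps only cell 0 and records one bad isMarked call on the static type, which is the crash on the page; the fixed sweep keeps cell 0 and the static type, with no bad call. The same shape applies to any GC-managed table that may hold a pointer to a non-heap sentinel: the sentinel check has to come before the mark lookup, not after it.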
Comment on attachment 554495 (patch)

Review of attachment 554495:
-----------------------------------------------------------------

::: js/src/jsinfer.cpp
@@ +2323,5 @@
>          && (b.isPrimitive(JSVAL_TYPE_INT32) || b.isPrimitive(JSVAL_TYPE_DOUBLE));
>  }
>  
> +/*
> + * As for GetValueType, but requires object types to be non-singletons with
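Review bot: the opening line of the new doc comment at +2325, "As for GetValueType, but requires object types to be non-singletons with", does not read as a sentence on its own; suggest "Same as GetValueType, but requires ...". Since this comment follows directly after the function that ends with "&& (b.isPrimitive(JSVAL_TYPE_INT32) || b.isPrimitive(JSVAL_TYPE_DOUBLE));" and the function it documents is outside the visible hunk, naming that function in the first line would let the comment stand on its own.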

Was this meant to be "Same as for GetValueType"?
Attachment #554495 - Flags: review?(dvander) → review+
(Reporter)

Comment 5

5 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug680217.js.
Flags: in-testsuite+