Bug 694438 - TI: Crash on Heap in LangFuzz driver
Status: RESOLVED FIXED
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Priority: --
Severity: critical
Assigned To: general
Blocks: infer-regress langfuzz
Reported: 2011-10-13 15:14 PDT by Christian Holler (:decoder)
Modified: 2013-01-19 14:26 PST
Flags: choller: in-testsuite+
Description Christian Holler (:decoder) 2011-10-13 15:14:26 PDT
The following testcase crashes on jaegermonkey revision ae061e27e3df (run with -m -n), tested on 64 bit:


var lfcode = new Array();
lfcode.push("29cff0b98e80f8b27367a56b3c752dedc59a01fd.js");
lfcode.push("da39a3ee5e6b4b0d3255bfef95601890afd80709.js");
lfcode.push("3");
lfcode.push("b40eb3beb80c7cde2828a33bd779f7826e25287d.js");
lfcode.push("f7b783e07cd0e61b675319866b62c96b521d3c12.js");
lfcode.push("29cff0b98e80f8b27367a56b3c752dedc59a01fd.js");
lfcode.push("da39a3ee5e6b4b0d3255bfef95601890afd80709.js");
lfcode.push("1");
lfcode.push("02b39295c36bbe079e9dca0aca95d253d064a194.js");
lfcode.push("f7b783e07cd0e61b675319866b62c96b521d3c12.js");
lfcode.push("29cff0b98e80f8b27367a56b3c752dedc59a01fd.js");
lfcode.push("da39a3ee5e6b4b0d3255bfef95601890afd80709.js");
lfcode.push("4");
lfcode.push("6d3ccd7e95a67392260056fd31425aa671cb5c54.js");
lfcode.push("f7b783e07cd0e61b675319866b62c96b521d3c12.js");
lfcode.push("29cff0b98e80f8b27367a56b3c752dedc59a01fd.js");
lfcode.push("da39a3ee5e6b4b0d3255bfef95601890afd80709.js");
lfcode.push("0");
lfcode.push("0d88bd3fca079ce7b26f26e12511d3e36edb4202.js");
lfcode.push("f7b783e07cd0e61b675319866b62c96b521d3c12.js");
lfcode.push("29cff0b98e80f8b27367a56b3c752dedc59a01fd.js");
lfcode.push("da39a3ee5e6b4b0d3255bfef95601890afd80709.js");
lfcode.push("4");
lfcode.push("c26e5241caa1d0dad95a2202a57cdc48322e5917.js");
lfcode.push("f7b783e07cd0e61b675319866b62c96b521d3c12.js");
lfcode.push("29cff0b98e80f8b27367a56b3c752dedc59a01fd.js");
lfcode.push("da39a3ee5e6b4b0d3255bfef95601890afd80709.js");
lfcode.push("3");
lfcode.push("7eeb48e00f249e4a8ab82e7c70102725f3c88195.js");
lfcode.push("f7b783e07cd0e61b675319866b62c96b521d3c12.js");
lfcode.push("29cff0b98e80f8b27367a56b3c752dedc59a01fd.js");
lfcode.push("da39a3ee5e6b4b0d3255bfef95601890afd80709.js");
lfcode.push("2");
lfcode.push("7b61d02cc95bbc7309f749c5deb5d4709687214f.js");
lfcode.push("f7b783e07cd0e61b675319866b62c96b521d3c12.js");
lfcode.push("29cff0b98e80f8b27367a56b3c752dedc59a01fd.js");
lfcode.push("da39a3ee5e6b4b0d3255bfef95601890afd80709.js");
lfcode.push("1");
lfcode.push("8eafe3c62c3ce1635548fc09c4434ef0259bcfff.js");
lfcode.push("f7b783e07cd0e61b675319866b62c96b521d3c12.js");
lfcode.push("29cff0b98e80f8b27367a56b3c752dedc59a01fd.js");
lfcode.push("da39a3ee5e6b4b0d3255bfef95601890afd80709.js");
var lfRunTypeId = -1;
while (true) {
    var file = lfcode.shift();
    if (file == undefined) { break; }
    loadFile(file);
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) == ".js") {
            switch (lfRunTypeId) {
                case 4: eval("(function() { " + "" + " })();");
            }
        }
    } catch (lfVare) { }
}
Comment 1 Brian Hackett (:bhackett) 2011-10-13 20:47:06 PDT
x64 builds in the JM tree were pretty broken due to a change in bug 694247 --- we were not masking out the type tag when loading scope chains of scope objects.

https://hg.mozilla.org/projects/jaegermonkey/rev/ef7528a0fe21
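An added illustration in C of the root cause described in comment 1, not SpiderMonkey's own code: a boxed value whose type tag is not masked off before being used as the scope-chain pointer. The tag layout and constants are simplified assumptions modelled on the engine's x86-64 value boxing, and ScopeObject, load_scope_chain_buggy and load_scope_chain_fixed are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of SpiderMonkey's x86-64 boxed JS::Value, written as an
 * illustration for this bug (not the engine's code). Assumed layout: 17-bit
 * type tag in bits 63..47, 47-bit payload; the tag constant is illustrative. */
#define TAG_SHIFT    47
#define PAYLOAD_MASK ((UINT64_C(1) << TAG_SHIFT) - 1)
#define TAG_OBJECT   (UINT64_C(0x1FFF0) | UINT64_C(0x07)) /* max-double | object */

struct ScopeObject { uint64_t parent; };   /* scope-chain link, stored boxed */
typedef uintptr_t (*load_fn)(const struct ScopeObject *);

static uint64_t box_object(const struct ScopeObject *obj) {
    return (TAG_OBJECT << TAG_SHIFT) | ((uintptr_t)obj & PAYLOAD_MASK);
}
/* Defect from comment 1: the boxed word is used as a pointer with the
 * type tag still sitting in its top bits. */
static uintptr_t load_scope_chain_buggy(const struct ScopeObject *obj) {
    return (uintptr_t)obj->parent;
}
/* Fixed load: strip the tag first, leaving only the object address. */
static uintptr_t load_scope_chain_fixed(const struct ScopeObject *obj) {
    return (uintptr_t)(obj->parent & PAYLOAD_MASK);
}
/* x86-64 with 48-bit virtual addresses requires bits 63..47 to be all 0 or
 * all 1; a word still carrying the object tag never is, so it faults on use. */
static int is_canonical_address(uintptr_t p) {
    uint64_t top = (uint64_t)p >> TAG_SHIFT;
    return top == 0 || top == 0x1FFFF;
}
/* Links inner -> global and reports whether `load` recovers &global. */
static int load_recovers_parent(load_fn load) {
    struct ScopeObject global = { 0 };
    struct ScopeObject inner = { box_object(&global) };
    return load(&inner) == (uintptr_t)&global;
}
/* Same chain; reports whether the loaded word is even a usable address. */
static int load_yields_canonical(load_fn load) {
    struct ScopeObject global = { 0 };
    struct ScopeObject inner = { box_object(&global) };
    return is_canonical_address(load(&inner));
}

int main(void) {
    printf("buggy: recovers=%d canonical=%d\n", load_recovers_parent(load_scope_chain_buggy), load_yields_canonical(load_scope_chain_buggy));
    printf("fixed: recovers=%d canonical=%d\n", load_recovers_parent(load_scope_chain_fixed), load_yields_canonical(load_scope_chain_fixed));
    return 0;
}
```

The unmasked word is not merely the wrong heap address but a non-canonical one, which is why the fault is immediate rather than a silent read of neighbouring memory.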
Comment 2 Christian Holler (:decoder) 2013-01-19 14:26:04 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
