Bug 704351 - JS Shell-only crash with dis() [@ JSGenerator::floatingFrame]
Status: RESOLVED FIXED
Whiteboard: js-triage-done
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Severity: critical
Target Milestone: mozilla11
Assigned To: Luke Wagner [:luke]
Blocks: langfuzz
Reported: 2011-11-21 16:25 PST by Christian Holler (:decoder)
Modified: 2011-12-16 05:42 PST
Flags: Ms2ger: in-testsuite+

Attachments
fix (1.25 KB, patch)
2011-11-21 16:49 PST, Luke Wagner [:luke]
jwalden+bmo: review+
Description Christian Holler (:decoder) 2011-11-21 16:25:25 PST
The following test crashes on mozilla-central revision 5ebeef1eabcb (no options required):

dis(((function() { yield 3; })().__proto__));

Backtrace:

==50635== Invalid read of size 8
==50635==    at 0x413B7E: JSGenerator::floatingFrame() (jsiter.h:182)
==50635==    by 0x407CF0: ValueToScript(JSContext*, JS::Value, JSFunction**) (js.cpp:1567)
==50635==    by 0x409DA0: Disassemble(JSContext*, unsigned int, JS::Value*) (js.cpp:2170)
==50635==    by 0x50A95C: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) (jscntxtinlines.h:297)
==50635==    by 0x4E9FD8: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jsinterp.cpp:629)
==50635==    by 0x4FB1F4: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) 
==50635==  Address 0x38 is not stack'd, malloc'd or (recently) free'd
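The Valgrind frame above reports an 8-byte read at address 0x38, which is a NULL base pointer plus a field offset: the generator prototype object carries the generator class but has no JSGenerator state attached, so the shell's ValueToScript reaches through a NULL private pointer. The following C model is an added illustration of that failure mode and of the check that turns it into a TypeError; it is not SpiderMonkey code. The struct layout, the padding that places the field at 0x38, the class tags and the function names are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not SpiderMonkey's real layout. */
typedef struct StackFrame { const char *script_name; } StackFrame;

typedef struct JSGenerator {
    /* Padding stands in for the members that precede the frame pointer in the
     * real object; sized so the field lands at 0x38, the address Valgrind
     * reported, to show how a NULL-based read maps back to a field. */
    uint64_t pad[7];
    StackFrame *floatingFrame_;
} JSGenerator;

enum { CLASS_GENERATOR = 1, CLASS_OTHER = 2 };

/* A generator object and the generator prototype share the class tag; only a
 * live generator gets a JSGenerator hung off its private slot. */
typedef struct JSObject {
    int   clasp;
    void *private_;
} JSObject;

/* Assumed shape of the crashing path: class check, then an unconditional
 * dereference of the private pointer. Calling this on the prototype object
 * reads offsetof(JSGenerator, floatingFrame_) from address 0, i.e. 0x38. */
const char *value_to_script_unchecked(const JSObject *obj) {
    if (obj->clasp != CLASS_GENERATOR)
        return NULL;
    JSGenerator *gen = (JSGenerator *)obj->private_;
    return gen->floatingFrame_->script_name;
}

/* Hardened form: a generator-class object with no private state is not a
 * generator for this purpose; report it so the caller can raise TypeError. */
const char *value_to_script_checked(const JSObject *obj, int *type_error) {
    *type_error = 0;
    if (obj->clasp != CLASS_GENERATOR) { *type_error = 1; return NULL; }
    JSGenerator *gen = (JSGenerator *)obj->private_;
    if (gen == NULL)                    { *type_error = 1; return NULL; }
    return gen->floatingFrame_->script_name;
}

/* What Valgrind's "Address 0x38" means for this layout. */
size_t faulting_offset(void) {
    return offsetof(JSGenerator, floatingFrame_);
}

/* Returns 1 if the checked path disassembles a live generator's script. */
int checked_accepts_live_generator(void) {
    StackFrame frame = { "gen.js" };
    JSGenerator state = { {0}, &frame };
    JSObject generator = { CLASS_GENERATOR, &state };
    int err = 1;
    const char *name = value_to_script_checked(&generator, &err);
    return err == 0 && name != NULL && strcmp(name, "gen.js") == 0;
}

/* Returns 1 if the checked path reports TypeError for the prototype object
 * instead of dereferencing NULL. */
int checked_rejects_prototype(void) {
    JSObject generator_proto = { CLASS_GENERATOR, NULL };
    int err = 0;
    const char *name = value_to_script_checked(&generator_proto, &err);
    return err == 1 && name == NULL;
}

int main(void) {
    StackFrame frame = { "gen.js" };
    JSGenerator state = { {0}, &frame };
    JSObject generator = { CLASS_GENERATOR, &state };
    printf("live generator (unchecked): %s\n", value_to_script_unchecked(&generator));
    printf("live generator (checked):   %d\n", checked_accepts_live_generator());
    printf("prototype -> TypeError:     %d\n", checked_rejects_prototype());
    printf("NULL-based read faults at   0x%zx\n", faulting_offset());
    /* value_to_script_unchecked(&generator_proto) would segfault here. */
    return 0;
}
```

The diagnostic habit this encodes: when Valgrind or a crash log shows a read at a small absolute address, compute offsetof for the candidate struct and match it against that address to identify which field was read through a NULL pointer, then look for the object that shares the class but never had the private state installed.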
Comment 1 Luke Wagner [:luke] 2011-11-21 16:49:56 PST
Created attachment 576031 [details] [diff] [review]
fix

Wow, this goes back to upvar2.
Comment 2 Jeff Walden [:Waldo] (remove +bmo to email) 2011-11-29 14:18:53 PST
Comment on attachment 576031 [details] [diff] [review]
fix

Review of attachment 576031 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/basic/testBug704351.js
@@ +1,2 @@
> +// |jit-test| error: TypeError
> +dis(((function() { yield 3; })().__proto__));
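
Review bot: the only assertion in this hunk is `// |jit-test| error: TypeError`, so the test passes as long as dis() throws for the generator prototype; nothing in the added test shows that dis() on a live generator object (the ValueToScript path through JSGenerator::floatingFrame that the backtrace names) still disassembles, so an over-broad fix that rejected every generator-class object would pass unnoticed. Consider a second case without the error annotation, e.g. `dis((function() { yield 3; })())`, either in this file ahead of the throwing line or in a companion test.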

Add a temporary here, generatorPrototype or something, to make it more clear what's being dis'd.  I was confused about what exactly was the problematic action, with respect to the code change, until I stared at it a little longer to figure out what object was being dis'd.
Comment 4 :Ms2ger (⌚ UTC+1/+2) 2011-12-16 05:42:28 PST
https://hg.mozilla.org/mozilla-central/rev/9a5144c8f69f
