JS Shell-only crash with dis() [@ JSGenerator::floatingFrame]

RESOLVED FIXED in mozilla11

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 6 years ago
Modified: 5 years ago

People

(Reporter: decoder, Assigned: luke)

Tracking

(Blocks: 1 bug, {crash, testcase})

Version: Trunk
Target Milestone: mozilla11
Hardware: x86_64
OS: Linux
Keywords: crash, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-done)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test crashes on mozilla-central revision 5ebeef1eabcb (no options required):

dis(((function() { yield 3; })().__proto__));
Backtrace:

==50635== Invalid read of size 8
==50635==    at 0x413B7E: JSGenerator::floatingFrame() (jsiter.h:182)
==50635==    by 0x407CF0: ValueToScript(JSContext*, JS::Value, JSFunction**) (js.cpp:1567)
==50635==    by 0x409DA0: Disassemble(JSContext*, unsigned int, JS::Value*) (js.cpp:2170)
==50635==    by 0x50A95C: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) (jscntxtinlines.h:297)
==50635==    by 0x4E9FD8: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jsinterp.cpp:629)
==50635==    by 0x4FB1F4: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)
==50635==  Address 0x38 is not stack'd, malloc'd or (recently) free'd
(Assignee)

Comment 1

6 years ago
Created attachment 576031 [details] [diff] [review]
fix

Wow, this goes back to upvar2.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #576031 - Flags: review?(jwalden+bmo)
(Assignee)

Updated

6 years ago
Whiteboard: js-triage-needed → js-triage-done
Comment on attachment 576031 [details] [diff] [review]
fix

Review of attachment 576031 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/basic/testBug704351.js
@@ +1,2 @@
> +// |jit-test| error: TypeError
> +dis(((function() { yield 3; })().__proto__));
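
Review bot: the `// |jit-test| error: TypeError` annotation only asserts that some TypeError is raised, so the test stays green even if a later change throws for a different reason or on a different object. Binding the operand to a named temporary, e.g. `var generatorPrototype = (function() { yield 3; })().__proto__;` followed by `dis(generatorPrototype);`, makes the rejected value explicit, and a companion line that disassembles a live generator object (the case in which ValueToScript legitimately reaches JSGenerator::floatingFrame, per the backtrace) would guard against the fix rejecting generators outright.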

Add a temporary here, generatorPrototype or something, to make it more clear what's being dis'd.  I was confused about what exactly was the problematic action, with respect to the code change, until I stared at it a little longer to figure out what object was being dis'd.
Attachment #576031 - Flags: review?(jwalden+bmo) → review+
(Assignee)

Comment 3

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/9a5144c8f69f
Target Milestone: --- → mozilla11
https://hg.mozilla.org/mozilla-central/rev/9a5144c8f69f
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED