Bug 718823 - Crash [@ js::StackFrame::functionEpilogue]
Status: RESOLVED DUPLICATE of bug 718347 (Closed)
Opened 13 years ago, closed 13 years ago
Categories: Core :: JavaScript Engine, defect
Tracking
Branch | Tracking | Status |
---|---|---|
firefox10 | --- | unaffected |
firefox11 | --- | unaffected |
firefox12 | - | affected |
status1.9.2 | --- | unaffected |
People: Reporter: gkw, Assigned: bhackett1024
Details: Keywords: crash, regression, testcase; Whiteboard: [sg:critical] js-triage-needed
a = evalcx("")
a.length = 19
__proto__ = a
try {
(function() {
x = /x/;
for (a = x;;) {
length
}
})()
} catch (e) {}
crashes js opt shell on m-c changeset 34572943a3e4 with -m at js::StackFrame::functionEpilogue on Windows 7
autoBisect shows this is probably related to the following changeset: (not sure if this is correct)
The first bad revision is:
changeset: 84036:7ab4f1ebc7cc
user: Brian Hackett
date: Mon Jan 09 06:29:50 2012 -0800
summary: Backout 54cd89b0f1fa (bug 712714 backout). Talos will probably report fake regressions for this patch, do not back out for this reason.
s-s because eax is ffffff81 as detected by WinDbg
(Not sure if the stack makes sense)
js!js::StackFrame::functionEpilogue+0x5c:
0122ba8c 8b4014 mov eax,dword ptr [eax+14h] ds:002b:ffffff95=????????
0:000:x86> kb
ChildEBP RetAddr Args to Child
003bf18c 0122bdfa 00959c58 01008400 003bf200 js!js::StackFrame::functionEpilogue+0x5c [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\vm\stack-inl.h @ 459]
003bf19c 0122a275 003bf1cc 0137b270 00959c58 js!js::ContextStack::popFrame+0x1a [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\vm\stack.cpp @ 784]
003bf200 01224954 00959c58 01008400 01003040 js!js::CrossCompartmentWrapper::get+0x125 [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\jswrapper.cpp @ 600]
003bf234 012846d7 00959c58 01008400 01003040 js!js::Proxy::get+0x84 [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\jsproxy.cpp @ 837]
003bf284 0121d5aa 01003040 01003040 01003040 js!js_GetProperty+0x367 [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\jsobj.cpp @ 5478]
003bf2a0 012e2ade 00959c58 00f12760 00a200a0 js!JSObject::getProperty+0x3a [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\jsobjinlines.h @ 230]
003bf2cc 0133fc98 00959c58 0091f801 00a200a0 js!js::NameOperation+0x20e [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\jsinterpinlines.h @ 421]
003bf2e4 0135e61f 010202e0 00959c58 00a20068 js!js::mjit::stubs::Name+0x28 [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\methodjit\stubcalls.cpp @ 129]
003bf314 001e02bf 00959c58 01008400 00000000 js!js::mjit::ic::GetGlobalName+0x1df [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\methodjit\monoic.cpp @ 107]
WARNING: Frame IP not in any known module. Following frames may be wrong.
003bf364 012529db 00959c58 00a20068 001e011b 0x1e02bf
00a20068 0100aec0 00000000 01003040 00a20020 js!js::mjit::EnterMethodJIT+0x2b [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\methodjit\methodjit.cpp @ 1053]
00a20080 00000000 00000000 009886b9 00000000 0x100aec0
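The description above is triaged by hand: the reporter reads the faulting instruction and the `kb` stack out of WinDbg, notes the odd data address, and marks the bug security-sensitive until someone explains it. The following Python script is an added example (not part of the bug, not Mozilla's code) that automates that first pass: it parses a `kb` listing into frames, marks everything after WinDbg's "Frame IP not in any known module" warning as untrusted, extracts the faulting data address, and classifies it. The classification uses the default 32-bit Windows split at 0x80000000 (no /3GB), under which an address such as ffffff95 cannot be a valid user-mode heap pointer at all, which is exactly why a word like ffffff81 in eax reads as corrupted or tagged data rather than a real JSScript pointer. The sample input is constructed: it keeps the shape of the bug's trace but abbreviates paths and drops middle frames.

```python
import re
from typing import Optional

# Constructed sample in the WinDbg "kb" layout of the bug's trace; paths are
# abbreviated and the middle frames dropped, so this is not the original output
SAMPLE_KB = r"""
ChildEBP RetAddr Args to Child
003bf18c 0122bdfa 00959c58 01008400 003bf200 js!js::StackFrame::functionEpilogue+0x5c [c:\src\js\src\vm\stack-inl.h @ 459]
003bf19c 0122a275 003bf1cc 0137b270 00959c58 js!js::ContextStack::popFrame+0x1a [c:\src\js\src\vm\stack.cpp @ 784]
WARNING: Frame IP not in any known module. Following frames may be wrong.
003bf364 012529db 00959c58 00a20068 001e011b 0x1e02bf
00a20068 0100aec0 00000000 01003040 00a20020 js!js::mjit::EnterMethodJIT+0x2b [c:\src\js\src\methodjit\methodjit.cpp @ 1053]
"""

# Constructed faulting-instruction line in the shape WinDbg prints it
SAMPLE_FAULT = "0122ba8c 8b4014 mov eax,dword ptr [eax+14h] ds:002b:ffffff95=????????"

HEX8 = r"[0-9a-f]{8}"
FRAME_RE = re.compile(
    rf"^(?P<ebp>{HEX8}) (?P<ret>{HEX8}) (?P<a1>{HEX8}) (?P<a2>{HEX8}) (?P<a3>{HEX8}) "
    r"(?P<symbol>\S+)(?: \[(?P<file>.+?) @ (?P<line>\d+)\])?$"
)
FAULT_RE = re.compile(r"ds:[0-9a-f]{4}:(?P<addr>[0-9a-f]{8})=(?P<value>\S+)")

# Default 32-bit Windows user/kernel split (no /3GB boot option)
USER_SPACE_LIMIT_X86 = 0x80000000


def parse_kb(text: str) -> list:
    """Parse a 'kb' listing into frame dicts; frames after WinDbg's
    'Frame IP not in any known module' warning are flagged untrusted."""
    frames = []
    trusted = True
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("WARNING: Frame IP not in any known module"):
            trusted = False
            continue
        m = FRAME_RE.match(line)
        if not m:
            continue  # column header, blank line, or other debugger chatter
        frames.append({
            "ebp": int(m["ebp"], 16),
            "ret": int(m["ret"], 16),
            "args": tuple(int(m[k], 16) for k in ("a1", "a2", "a3")),
            "symbol": m["symbol"],
            "file": m["file"],              # None for unsymbolised (e.g. JIT) frames
            "line": int(m["line"]) if m["line"] else None,
            "trusted": trusted,
        })
    return frames


def parse_fault(line: str) -> Optional[dict]:
    """Extract the faulting data address; a value of '????????' means the read failed."""
    m = FAULT_RE.search(line)
    if not m:
        return None
    return {"address": int(m["addr"], 16),
            "readable": not set(m["value"]) <= {"?"}}


def classify_address(addr: int) -> str:
    """Coarse class of a 32-bit data address seen in a user-mode fault."""
    if addr >= USER_SPACE_LIMIT_X86:
        return "kernel-range"  # unreachable from user mode: corrupted or tagged word, not a heap pointer
    if addr < 0x10000:
        return "near-null"     # NULL page plus a small field offset: plain null dereference
    return "user-range"        # plausible pointer; needs heap/allocator context to judge


def triage(kb_text: str, fault_line: str) -> dict:
    """Summarise what a first look at the crash should record."""
    frames = parse_kb(kb_text)
    fault = parse_fault(fault_line)
    trusted = [f for f in frames if f["trusted"]]
    top = trusted[0] if trusted else None
    return {
        "crash_symbol": top["symbol"] if top else None,
        "crash_site": f'{top["file"]}:{top["line"]}' if top and top["file"] else None,
        "fault_address": fault["address"] if fault else None,
        "fault_class": classify_address(fault["address"]) if fault else None,
        "fault_readable": fault["readable"] if fault else None,
        "untrusted_frames": len(frames) - len(trusted),
        "jit_frames": [f["symbol"] for f in frames if "mjit" in f["symbol"]],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_KB, SAMPLE_FAULT).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports the crash site as stack-inl.h:459, the fault address as kernel-range and unreadable, two frames that WinDbg itself does not vouch for, and one method-JIT frame; the same run on a real trace is a quick way to decide whether a fuzzer crash deserves the sg:critical placeholder before anyone has read the code.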
Comment 1 (Reporter) • 13 years ago
Assuming sg:critical unless otherwise shown, due to weird memory address of ffffff81 being accessed.
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
Comment 2 • 13 years ago
The crash repros in a debug build. We are crashing accessing a script that was returned by this function:
    JSScript *script() const {
        JS_ASSERT(isScriptFrame());
        return isFunctionFrame()
               ? isEvalFrame() ? args.script : fun()->script()
               : exec.script;
    }
because exec.script is 0xffffff81.
Updated • 13 years ago
Assignee: general → bhackett1024
status1.9.2: --- → unaffected
status-firefox10: --- → unaffected
status-firefox11: --- → unaffected
status-firefox12: --- → affected
tracking-firefox12: --- → +
Updated (Assignee) • 13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated • 13 years ago
Updated • 11 years ago
Group: core-security