Closed Bug 718823 Opened 12 years ago Closed 12 years ago

Crash [@ js::StackFrame::functionEpilogue]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 718347
Tracking Flags:
Tracking Status
firefox10 --- unaffected
firefox11 --- unaffected
firefox12 - affected
status1.9.2 --- unaffected

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:critical] js-triage-needed)

Crash Data

a = evalcx("")
a.length = 19
__proto__ = a
try {
    (function() {
        x = /x/;
        for (a = x;;) {
            length
        }
    })()
} catch (e) {}

crashes js opt shell on m-c changeset 34572943a3e4 with -m at js::StackFrame::functionEpilogue on Windows 7

autoBisect shows this is probably related to the following changeset: (not sure if this is correct)

The first bad revision is:
changeset:   84036:7ab4f1ebc7cc
user:        Brian Hackett
date:        Mon Jan 09 06:29:50 2012 -0800
summary:     Backout 54cd89b0f1fa (bug 712714 backout).  Talos will probably report fake regressions for this patch, do not back out for this reason.

s-s because eax is ffffff81 as detected by Windbg

(Not sure if the stack makes sense)

js!js::StackFrame::functionEpilogue+0x5c:
0122ba8c 8b4014          mov     eax,dword ptr [eax+14h] ds:002b:ffffff95=????????
0:000:x86> kb
ChildEBP RetAddr  Args to Child              
003bf18c 0122bdfa 00959c58 01008400 003bf200 js!js::StackFrame::functionEpilogue+0x5c [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\vm\stack-inl.h @ 459]
003bf19c 0122a275 003bf1cc 0137b270 00959c58 js!js::ContextStack::popFrame+0x1a [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\vm\stack.cpp @ 784]
003bf200 01224954 00959c58 01008400 01003040 js!js::CrossCompartmentWrapper::get+0x125 [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\jswrapper.cpp @ 600]
003bf234 012846d7 00959c58 01008400 01003040 js!js::Proxy::get+0x84 [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\jsproxy.cpp @ 837]
003bf284 0121d5aa 01003040 01003040 01003040 js!js_GetProperty+0x367 [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\jsobj.cpp @ 5478]
003bf2a0 012e2ade 00959c58 00f12760 00a200a0 js!JSObject::getProperty+0x3a [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\jsobjinlines.h @ 230]
003bf2cc 0133fc98 00959c58 0091f801 00a200a0 js!js::NameOperation+0x20e [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\jsinterpinlines.h @ 421]
003bf2e4 0135e61f 010202e0 00959c58 00a20068 js!js::mjit::stubs::Name+0x28 [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\methodjit\stubcalls.cpp @ 129]
003bf314 001e02bf 00959c58 01008400 00000000 js!js::mjit::ic::GetGlobalName+0x1df [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\methodjit\monoic.cpp @ 107]
WARNING: Frame IP not in any known module. Following frames may be wrong.
003bf364 012529db 00959c58 00a20068 001e011b 0x1e02bf
00a20068 0100aec0 00000000 01003040 00a20020 js!js::mjit::EnterMethodJIT+0x2b [c:\users\fuzz1win\desktop\jsfunfuzz-opt-32-mc-84606-34572943a3e4\compilepath\js\src\methodjit\methodjit.cpp @ 1053]
00a20080 00000000 00000000 009886b9 00000000 0x100aec0
Assuming sg:critical unless otherwise shown, due to weird memory address of ffffff81 being accessed.
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
The crash repros in a debug build. We are crashing accessing a script that was returned by this function:

    JSScript *script() const {
        JS_ASSERT(isScriptFrame());
        return isFunctionFrame()
               ? isEvalFrame() ? args.script : fun()->script()
               : exec.script;
    }

because exec.script is 0xffffff81.
Assignee: general → bhackett1024
status1.9.2: --- → unaffected
status-firefox10: --- → unaffected
status-firefox11: --- → unaffected
status-firefox12: --- → affected
tracking-firefox12: --- → +
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.