Bug 721274 - [jsprofiling] Crash on Heap
Status: RESOLVED FIXED
Whiteboard: js-triage-needed
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla13
Assigned To: Brian Hackett (:bhackett)
Blocks: langfuzz 720956
Reported: 2012-01-25 17:17 PST by Christian Holler (:decoder)
Modified: 2012-02-29 11:02 PST

Attachments
patch (1.94 KB, patch)
2012-02-27 14:07 PST, Brian Hackett (:bhackett)
dvander: review+

Description Christian Holler (:decoder) 2012-01-25 17:17:33 PST
The following test crashes on mozilla-central revision edf8075b0333 (options -D -m -n -a, 32 bit only):


var SECTION = "15.5.4.7-1";
var j = 0;
for (k = 0, i = 0x0021; i < 0x007e; i++, j++, k++) {
    new TestCase(SECTION, "String.lastIndexOf(" + String.fromCharCode(i) + ", 0)", -1, TEST_STRING.lastIndexOf(String.fromCharCode(i), 0));
}
for (k = 0, i = 0x0020; i < 0x007e; i++, j++, k++) {
    new TestCase(SECTION, "String.lastIndexOf(" + String.fromCharCode(i) + ", " + k + ")", k, TEST_STRING.lastIndexOf(String.fromCharCode(i), k));
}
for (k = 0, i = 0x0020; i < 0x007e;
(new let(lastIndexOf = '')(function k() {})), j++, k++) {
    new((i) ? k || this || this : j[SECTION++])(SECTION, "String.lastIndexOf(" + (String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)) + ", " + 0 + ")", LastIndexOf(TEST_STRING, String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2), 0), TEST_STRING.lastIndexOf((String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)), 0));
}
for (k = 0, i = 0x0020; i < 0x007d; i++, j++, k++) {
    new TestCase(SECTION, "String.lastIndexOf(" + (String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)) + ", " + k + ")", k, TEST_STRING.lastIndexOf((String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)), k));
}
for (k = 0, i = 0x0020; i < 0x007d; i++, j++, k++) {
    new TestCase(SECTION, "String.lastIndexOf(" + (String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)) + ", " + k + 1 + ")", k, ((j % 2)).lastIndexOf((String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)), k + 1));
}
for (k = 0, i = 0x0020; i < 0x007d; i++, j++, k++) {
    new TestCase(SECTION, (String.fromCharCode(i) + String.fromCharCode(((function () {})) - this * []) + String.fromCharCode(i + 2)) + ", " + (k - 1) + ")", LastIndexOf(TEST_STRING, String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2), k - 1), TEST_STRING.lastIndexOf((String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)), k - 1));
}


This is a code profiling (-D) issue, not security relevant.
Comment 1 Brian Hackett (:bhackett) 2012-02-27 14:07:51 PST
Created attachment 601061
patch

Interaction between chunk compilation and code profiling.  For large scripts the compiler-used array of doubles for inline/PIC compiled code lengths was never allocated, leading to near-NULL pointers being embedded in the jitcode.
Comment 2 Brian Hackett (:bhackett) 2012-02-28 08:01:08 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/b21fb5b6ea1f
Comment 3 Matt Brubeck (:mbrubeck) 2012-02-29 11:02:46 PST
https://hg.mozilla.org/mozilla-central/rev/b21fb5b6ea1f