Bug 726636 - JS Shell: Crashes with call to mjitChunkLimit without arguments
Keywords: assertion, crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla13
Assigned To: Brian Hackett (:bhackett)
QA Contact: Jason Orendorff [:jorendorff]
Blocks: langfuzz
Reported: 2012-02-13 09:26 PST by Christian Holler (:decoder)
Modified: 2013-01-19 14:20 PST
Flags: choller: in-testsuite+

Attachment: patch (555 bytes, patch), 2012-02-13 15:54 PST, Brian Hackett (:bhackett), dvander: review+

Description by Christian Holler (:decoder), 2012-02-13 09:26:34 PST
The following test asserts on mozilla-central revision 4a9a6ffd1f21 (options -m -n):

function jsTestDriverEnd() {}
this.__defineSetter__("x", function () {});
x %= 5;

I'm getting

Assertion failure: v.isObject(), at js/src/jsnum.cpp:1257

for this test, but it can also cause other assertions (e.g. ptrBits) or crashes. I assume this is a shell-only issue with the debug function mjitChunkLimit, which is supposed to take one parameter.

It would be nice if this could be fixed (I assume it's an easy thing), because it causes multiple signatures in the fuzzer.
Comment 1 by Gary Kwong [:gkw] [:nth10sd], 2012-02-13 15:03:10 PST
function tryItOut(code) {
    sandboxResult(code, "new-compartment")
function nestingConsistencyTest(c) {
    var e
    depth = rnd() + 4
    for (var i; depth;)(p)
function sandboxResult(code, globalType) {
    try {
        var sandbox = newGlobal(globalType)
        t = evalcx(code, sandbox)
    } catch (e) {}
function f() {
    this.g1 = function() {}
    this.g2 = function() {
        return this.g1()
}(function() {
    fInst = new f
    rnd = function(n) {

Here's another testcase w/ 32-bit debug shell on Linux on m-c changeset ebafee0cea36

*** Compartment mismatch 0x8b14520 vs. 0x8b0ad00
Assertion failure: compartment mismatched, at /home/fuzz2lin/Desktop/jsfunfuzz-dbg-32-mc-86707-ebafee0cea36/compilePath/js/src/jscntxtinlines.h:153
Comment 2 by Brian Hackett (:bhackett), 2012-02-13 15:54:24 PST
Created attachment 596830

Dumb bug, mjitChunkLimit checks for argument overflow but not underflow.
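To make the one-sided argument-count check concrete, here is an added example (not SpiderMonkey's code and not the attached patch) that models a shell native taking `argc` and an `argv` slot array. The names `chunkLimitBuggy`, `chunkLimitFixed` and the poison tag are constructed for illustration; the point is that `argc > 1` lets `argc == 0` through to a stale `argv[0]`, while `argc != 1` rejects it before any slot is read.

```c
#include <stdio.h>

/* Constructed mock of a shell "native" function ABI: argc counts the
 * caller-supplied arguments, argv points at the argument slots. Slots past
 * argc were never written by the caller; here they hold a poison tag so the
 * stale read is observable instead of being undefined behaviour. */
typedef enum { VAL_NUMBER, VAL_POISON } ValTag;
typedef struct { ValTag tag; double num; } Value;

enum { RESULT_OK = 0, RESULT_BAD_ARGC = 1, RESULT_BAD_VALUE = 2 };

/* Buggy shape: rejects too many arguments, never too few, so argc == 0
 * falls through and converts whatever happens to sit in argv[0]. */
int chunkLimitBuggy(unsigned argc, const Value *argv, double *out) {
    if (argc > 1)
        return RESULT_BAD_ARGC;
    if (argv[0].tag != VAL_NUMBER)
        return RESULT_BAD_VALUE;  /* analogous to the shell's failed assertion */
    *out = argv[0].num;
    return RESULT_OK;
}

/* Fixed shape: the exact count is checked before any slot is touched. */
int chunkLimitFixed(unsigned argc, const Value *argv, double *out) {
    if (argc != 1)
        return RESULT_BAD_ARGC;
    if (argv[0].tag != VAL_NUMBER)
        return RESULT_BAD_VALUE;
    *out = argv[0].num;
    return RESULT_OK;
}

/* Constructed zero-argument call: the slot buffer exists but holds poison. */
int callWithNoArgs(int (*fn)(unsigned, const Value *, double *)) {
    Value slots[1] = { { VAL_POISON, 0.0 } };
    double limit = 0.0;
    return fn(0, slots, &limit);
}

/* Constructed well-formed call with a single numeric argument. */
int callWithOneArg(int (*fn)(unsigned, const Value *, double *), double num) {
    Value slots[1] = { { VAL_NUMBER, num } };
    double limit = 0.0;
    return fn(1, slots, &limit);
}

int main(void) {
    printf("buggy, argc=0: %d\n", callWithNoArgs(chunkLimitBuggy));
    printf("fixed, argc=0: %d\n", callWithNoArgs(chunkLimitFixed));
    return 0;
}
```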
Comment 3 by Brian Hackett (:bhackett), 2012-02-14 05:17:49 PST
Comment 4 by Marco Bonardo [::mak], 2012-02-15 08:52:31 PST
Comment 5 by Christian Holler (:decoder), 2013-01-19 14:20:33 PST
Automatically extracted testcase for this bug was committed:
