Closed Bug 727341 Opened 14 years ago Closed 14 years ago

JS OOM Testing: Assertion failure: function() && types && types->hasScope(), at ../jsscriptinlines.h:224 or Crash [@ JSScript::nesting]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla14

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: js-triage-needed)

Attachments

(1 file)

patch
4.29 KB, patch
luke
: review+
Details | Diff | Splinter Review
The following command crashes/aborts on mozilla-central revision d45c7d7b0079: js -m -n -a -A 1325 -f js/src/tests/shell.js -f js/src/tests/ecma_5/shell.js -f js/src/tests/ecma_5/strict/shell.js -f js/src/tests/ecma_5/strict/10.4.2.js Stepping through assertion crashes: Program received signal SIGSEGV, Segmentation fault. 0x00000000004ac050 in JSScript::nesting (this=0x7ffff651cb78) at ../jsscriptinlines.h:225 225 return types->nesting; (gdb) bt #0 0x00000000004ac050 in JSScript::nesting (this=0x7ffff651cb78) at ../jsscriptinlines.h:225 #1 0x000000000050b160 in js::StackFrame::functionPrologue (this=0x7ffff676e0d8, cx=0xb5fae0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/Stack-inl.h:380 #2 0x00000000004f1791 in js::InvokeKernel (cx=0xb5fae0, args=..., construct=js::NO_CONSTRUCT) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinterp.cpp:510 #3 0x000000000045e49d in js::Invoke (cx=0xb5fae0, args=..., construct=js::NO_CONSTRUCT) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinterp.h:157 #4 0x00000000004a6dd2 in js_fun_call (cx=0xb5fae0, argc=1, vp=0x7ffff676e0a0) at /home/decoder/LangFuzz/mozilla-central/js/src/jsfun.cpp:1641 #5 0x0000000000509afb in js::CallJSNative (cx=0xb5fae0, native=0x4a6c3a <js_fun_call(JSContext*, uintN, JS::Value*)>, args=...) at ../jscntxtinlines.h:311 #6 0x00000000004f16f4 in js::InvokeKernel (cx=0xb5fae0, args=..., construct=js::NO_CONSTRUCT) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinterp.cpp:499 #7 0x00000000004fd514 in js::Interpret (cx=0xb5fae0, entryFrame=0x7ffff676e030, interpMode=js::JSINTERP_NORMAL) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinterp.cpp:2702 #8 0x000000000068645f in js::mjit::EnterMethodJIT (cx=0xb5fae0, fp=0x7ffff676e030, code=0x7ffff7fc9ab0, stackLimit=0x7ffff6b4e000, partial=false) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079 225 return types->nesting; (gdb) p types $1 = (js::types::TypeScript *) 0x0 Safe null-pointer crash, no security impact.
Attached patch patchSplinter Review
TypeMonitorCall is used to ensure the callee script has had a TypeScript allocated, whether TI is enabled or not. If this allocation fails then the caller needs to throw.
Assignee: general → bhackett1024
Attachment #613608 - Flags: review?(luke)
Attachment #613608 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/48881a94f5eb
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: