OOM Crash [@ js::types::TypeObject::addProperty]

Status: RESOLVED WORKSFORME
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 6 years ago
Last updated: 3 years ago

Reporter: decoder
Assignee: Unassigned

Blocks: 1 bug
Version: Trunk
Platform: x86_64 Linux
Keywords: crash, testcase


Whiteboard: js-triage-needed, crash signature


Description (Reporter, 6 years ago)

Created attachment 598661 [details]
Test case for shell (see README file inside).

The attached test crashes on mozilla-central revision 78fde7e54d92 (see README for running instructions).

Crash trace:

==29250== Invalid read of size 8
==29250==    at 0x465D86: js::types::TypeObject::addProperty(JSContext*, long, js::types::Property**) (jsinfer.cpp:2837)
==29250==    by 0x471E03: js::types::TypeObject::getProperty(JSContext*, long, bool) (jsinferinlines.h:1207)
==29250==    by 0x467BB6: js::types::TypeSet::HasObjectFlags(JSContext*, js::types::TypeObject*, unsigned int) (jsinfer.cpp:1649)
==29250==    by 0x57C233: js::mjit::Compiler::scanInlineCalls(unsigned int, unsigned int) (Compiler.cpp:363)
==29250==    by 0x57C387: js::mjit::Compiler::scanInlineCalls(unsigned int, unsigned int) (Compiler.cpp:398)
==29250==    by 0x597CEF: js::mjit::Compiler::performCompilation() (Compiler.cpp:539)
==29250==    by 0x597E05: js::mjit::Compiler::compile() (Compiler.cpp:159)
==29250==    by 0x5986D9: js::mjit::CanMethodJIT(JSContext*, JSScript*, unsigned char*, bool, js::mjit::CompileRequest) (Compiler.cpp:996)
==29250==    by 0x47CEE2: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1701)
==29250==    by 0x572499: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1080)
==29250==    by 0x57259F: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1112)
==29250==    by 0x481219: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:451)
==29250==  Address 0x1 is not stack'd, malloc'd or (recently) free'd

Updated (4 years ago)
Assignee: general → nobody

Comment 1 (Reporter, 3 years ago)

Mass-closing old JS OOM reports. I've confirmed that none of these signatures currently appear in FuzzManager, so we can safely assume that the code causing this is gone or has been fixed.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME