Closed Bug 728687 Opened 12 years ago Closed 9 years ago

OOM Crash [@ js::types::TypeObject::addProperty]

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED WORKSFORME

People: Reporter decoder, Unassigned

Details: Keywords: crash, testcase; Whiteboard: js-triage-needed

Attachments: 1 file

The attached test crashes on mozilla-central revision 78fde7e54d92 (see README for running instructions).

Crash trace:

==29250== Invalid read of size 8
==29250==    at 0x465D86: js::types::TypeObject::addProperty(JSContext*, long, js::types::Property**) (jsinfer.cpp:2837)
==29250==    by 0x471E03: js::types::TypeObject::getProperty(JSContext*, long, bool) (jsinferinlines.h:1207)
==29250==    by 0x467BB6: js::types::TypeSet::HasObjectFlags(JSContext*, js::types::TypeObject*, unsigned int) (jsinfer.cpp:1649)
==29250==    by 0x57C233: js::mjit::Compiler::scanInlineCalls(unsigned int, unsigned int) (Compiler.cpp:363)
==29250==    by 0x57C387: js::mjit::Compiler::scanInlineCalls(unsigned int, unsigned int) (Compiler.cpp:398)
==29250==    by 0x597CEF: js::mjit::Compiler::performCompilation() (Compiler.cpp:539)
==29250==    by 0x597E05: js::mjit::Compiler::compile() (Compiler.cpp:159)
==29250==    by 0x5986D9: js::mjit::CanMethodJIT(JSContext*, JSScript*, unsigned char*, bool, js::mjit::CompileRequest) (Compiler.cpp:996)
==29250==    by 0x47CEE2: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1701)
==29250==    by 0x572499: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1080)
==29250==    by 0x57259F: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1112)
==29250==    by 0x481219: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:451)
==29250==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
Assignee: general → nobody
Mass-closing old JS OOM reports. I've confirmed that none of these signatures currently appear in FuzzManager, so we can safely assume that the code causing this is gone or has been fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME