Closed
Bug 745802
Opened 12 years ago
Closed 12 years ago
JS OOM Testing: Crash [@ js::HeapId::operator jsid]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla15
People
(Reporter: decoder, Assigned: jorendorff)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(1 file)
897 bytes,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following command crashes on mozilla-central revision fd06332733e5 (dbg build): js -m -n -a -A 8936 -f js/src/jit-test/tests/debug/Environment-identity-02.js
Reporter | ||
Comment 1•12 years ago
|
||
This crash looks like a null-pointer deref in Valgrind at first glance. However, the test itself (without valgrind) does not reliably reproduce which could indicate a memory corruption problem: ==10637== Invalid read of size 8 ==10637== at 0x405206: js::HeapId::operator jsid() const (Barrier.h:451) ==10637== by 0x4059C1: js::types::Property::getKey(js::types::Property*) (jsinfer.h:644) ==10637== by 0x44A484: js::types::Property* js::types::HashSetLookup<jsid, js::types::Property, js::types::Property>(js::types::Property**, unsigned int, jsid) (jsinferinlines.h:994) ==10637== by 0x427548: js::types::TypeObject::maybeGetProperty(JSContext*, jsid) (jsinferinlines.h:1277) ==10637== by 0x4E717C: ObjectStateChange(JSContext*, js::types::TypeObject*, bool, bool) (jsinfer.cpp:1641) ==10637== by 0x4EBAE9: js::types::TypeObject::setFlags(JSContext*, unsigned int) (jsinfer.cpp:2967) ==10637== by 0x42728D: js::types::MarkTypeObjectFlags(JSContext*, JSObject*, unsigned int) (jsinferinlines.h:403) ==10637== by 0x6E9B44: js::mjit::Compiler::compile() (Compiler.cpp:154) ==10637== by 0x6ECE69: js::mjit::CanMethodJIT(JSContext*, JSScript*, unsigned char*, bool, js::mjit::CompileRequest) (Compiler.cpp:992) ==10637== by 0x78C955: UncachedInlineCall(js::VMFrame&, js::InitialFrameFlags, void**, bool*, unsigned int) (InvokeHelpers.cpp:308) ==10637== by 0x78D151: js::mjit::stubs::UncachedCallHelper(js::VMFrame&, unsigned int, bool, js::mjit::stubs::UncachedCallResult*) (InvokeHelpers.cpp:459) ==10637== by 0x78CEA9: js::mjit::stubs::UncachedCall(js::VMFrame&, unsigned int) (InvokeHelpers.cpp:416) ==10637== Address 0x0 is not stack'd, malloc'd or (recently) free'd
Crash Signature: [@ js::HeapId::operator jsid]
Summary: JS OOM Testing: Crash/Signal 11 (no signature available) → JS OOM Testing: Crash [@ js::HeapId::operator jsid]
Reporter | ||
Comment 2•12 years ago
|
||
The test seems to be jsdbg2 only, so removing s-s and Ccing jsdbg2 devs.
Group: core-security
Assignee | ||
Updated•12 years ago
|
Assignee: general → jorendorff
Target Milestone: --- → mozilla14
Version: Trunk → Other Branch
Assignee | ||
Comment 3•12 years ago
|
||
Out of memory first happens here: #0 js_ReportOutOfMemory (cx=0x100b152a0) at /Users/jorendorff/dev/mi/js/src/jscntxt.cpp:362 #1 0x00000001000df2bb in js::types::TypeCompartment::setPendingNukeTypes (this=0x1010534e0, cx=0x100b152a0) at /Users/jorendorff/dev/mi/js/src/jsinfer.cpp:2115 #2 0x00000001000e6944 in js::types::TypeObject::addProperty (this=0x100f12220, cx=0x100b152a0, id={asBits = 4}, pprop=0x100f12240) at /Users/jorendorff/dev/mi/js/src/jsinfer.cpp:2768 #3 0x000000010033fdbb in js::types::TypeObject::getProperty (this=0x100f12220, cx=0x100b152a0, id={asBits = 4}, assign=false) at jsinferinlines.h:1251 #4 0x00000001000e8099 in js::types::TypeSet::HasObjectFlags (cx=0x100b152a0, object=0x100f12220, flags=524288) at /Users/jorendorff/dev/mi/js/src/jsinfer.cpp:1626 This causes TypeObject::getProperty to return false with this->propertySet == NULL. We error out; but later we do eventually try to run this code again, and then #0 0x00000001000b86e4 in js::HeapId::operator jsid (this=0x0) at Barrier.h:466 #1 0x000000010014b559 in js::types::Property::getKey (p=0x0) at jsinfer.h:644 #2 0x0000000100024622 in js::types::HashSetLookup<jsid, js::types::Property, js::types::Property> (values=0x0, count=1, key={asBits = 4}) at jsinferinlines.h:994 #3 0x0000000100050a03 in js::types::TypeObject::maybeGetProperty (this=0x100f12220, cx=0x100b152a0, id={asBits = 4}) at jsinferinlines.h:1277 #4 0x00000001000df3ba in ObjectStateChange (cx=0x100b152a0, object=0x100f12220, markingUnknown=false, force=false) at /Users/jorendorff/dev/mi/js/src/jsinfer.cpp:1641 #5 0x00000001000e2b4d in js::types::TypeObject::setFlags (this=0x100f12220, cx=0x100b152a0, flags=524288) at /Users/jorendorff/dev/mi/js/src/jsinfer.cpp:2967 #6 0x000000010005048e in js::types::MarkTypeObjectFlags (cx=0x100b152a0, obj=0x100f227c0, flags=524288) at jsinferinlines.h:403 #7 0x000000010031bae8 in js::mjit::Compiler::compile (this=0x7fff5fbf8a20) at /Users/jorendorff/dev/mi/js/src/methodjit/Compiler.cpp:154 we crash because propertySet is NULL. I confirmed that the TypeObject in frame 3 is the same one from before.
Assignee | ||
Comment 4•12 years ago
|
||
Oh, we bump the property count and then we can fail without rolling that back. 1250 setBasePropertyCount(propertyCount); 1251 if (!addProperty(cx, id, pprop)) 1252 return NULL;
Assignee | ||
Comment 5•12 years ago
|
||
Attachment #618679 -
Flags: review?(bhackett1024)
Updated•12 years ago
|
Attachment #618679 -
Flags: review?(bhackett1024) → review+
Comment 6•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/5e80edf4c2dd
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: mozilla14 → mozilla15
You need to log in
before you can comment on or make changes to this bug.
Description
•