Closed Bug 756778 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::HeapPtr<JSObject, unsigned int>::operator] with use-after-free

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major

Tracking


RESOLVED DUPLICATE of bug 756851

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])

Crash Data

The following testcase crashes on ionmonkey revision 890dd17b4187 (run with --ion -n -m):

gczeal(2);
evaluate("");
evaluate("\
function TreeNode(left,right,item){\
   this.left = left;\
}\
TreeNode.prototype.itemCheck = function() {};\
function bottomUpTree(item,depth){\
   if (depth>0){\
      return new TreeNode(bottomUpTree(2*item-1, depth-1));\
   }\
}\
for ( var n = 4; n <= 7; n += 1 ) {\
    var minDepth = 4;\
    var maxDepth = Math.max(minDepth + 2, n);\
    var stretchDepth = maxDepth + 1;\
    var check = bottomUpTree(0,stretchDepth).itemCheck();\
    for (var depth=minDepth; depth<=maxDepth; depth+=2) {\
        var iterations = 1 << (maxDepth - depth + minDepth);\
        for (var i=1; i<=iterations; i++) {\
            check += bottomUpTree(i,depth).itemCheck();\
        }\
    }\
}\
");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0805b62c in js::HeapPtr<JSObject, unsigned int>::operator JSObject* (this=0xdadadade) at ../../gc/Barrier.h:212
212         operator T*() const { return value; }
Missing separate debuginfos, use: debuginfo-install libgcc-4.4.6-3.el6.i686 libstdc++-4.4.6-3.el6.i686
(gdb) bt 
#0  0x0805b62c in js::HeapPtr<JSObject, unsigned int>::operator JSObject* (this=0xdadadade) at ../../gc/Barrier.h:212
#1  0x0806bed3 in js::ObjectImpl::hasSingletonType (this=0xf7717fe0) at ../vm/ObjectImpl.h:1057
#2  0x0809e7af in js::types::Type::ObjectType (obj=0xf7717fe0) at ../jsinferinlines.h:67
#3  0x0809e87e in js::types::GetValueType (cx=0x87acf88, val=...) at ../jsinferinlines.h:93
#4  0x0812ea78 in js::types::TypeMonitorResult (cx=0x87acf88, script=0xf7706268, pc=0x87b6d9f ":", rval=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:4998
#5  0x08141671 in js::types::TypeScript::Monitor (cx=0x87acf88, script=0xf7706268, pc=0x87b6d9f ":", rval=...) at ../jsinferinlines.h:623
#6  0x084eb1f0 in js::ion::ReflowTypeInfo (bailoutResult=4) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Bailouts.cpp:477
#7  0x004143f9 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x805b62c <js::HeapPtr<JSObject, unsigned int>::operator JSObject*() const+6>:       mov    (%eax),%eax
(gdb) info reg eax
eax            0xdadadade       -623191330
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 80e4ab0d24bc).
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security