762907 - IonMonkey: Crash [@ exn_finalize] with use-after-free

Status: RESOLVED DUPLICATE of bug 762936

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

Attachment: Testcase for shell

The attached testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager).

Comment 1

[Christian Holler (:decoder)]

Crash trace:


==2706== Invalid read of size 4
==2706==    at 0x80F5923: exn_finalize(js::FreeOp*, JSObject*) (jsexn.cpp:376)
==2706==    by 0x810AE83: JSObject::finalize(js::FreeOp*) (jsobjinlines.h:233)
==2706==    by 0x811B088: bool js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int) (jsgc.cpp:303)
==2706==    by 0x8116DD1: void js::gc::FinalizeTypedArenas<JSObject>(js::FreeOp*, js::gc::ArenaLists::ArenaList*, js::gc::AllocKind) (jsgc.cpp:350)
==2706==    by 0x810B1CC: js::gc::FinalizeArenas(js::FreeOp*, js::gc::ArenaLists::ArenaList*, js::gc::AllocKind) (jsgc.cpp:390)
==2706==    by 0x810DE34: js::gc::ArenaLists::finalizeNow(js::FreeOp*, js::gc::AllocKind) (jsgc.cpp:1495)
==2706==    by 0x810DF6D: js::gc::ArenaLists::finalizeObjects(js::FreeOp*) (jsgc.cpp:1598)
==2706==    by 0x8112A70: SweepPhase(JSRuntime*, js::JSGCInvocationKind, bool*) (jsgc.cpp:3333)
==2706==    by 0x8114277: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind) (jsgc.cpp:3770)
==2706==    by 0x81146C6: Collect(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3866)
==2706==    by 0x811485B: js::GC(JSRuntime*, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3890)
==2706==    by 0x80D0979: js::DestroyContext(JSContext*, js::DestroyContextMode) (jscntxt.cpp:319)
==2706==  Address 0xdadadada is not stack'd, malloc'd or (recently) free'd

Comment 3

[Christian Holler (:decoder)]

Will add the test in bug 763440 which should cover this.