Closed Bug 764374 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::Shape::getObjectClass] with gcPreserveCode

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

RESOLVED DUPLICATE of bug 763989

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update][fuzzblocker])

Crash Data

The following testcase crashes on ionmonkey revision 71b71dcbf9fe (run with --ion -n):
gcPreserveCode();
(function () {
    for (var q = 0; q < 6; +q) {
        x: (function () {
            var m = (function (parent) {})()
        })([0, , 0, 0, 0, , 0, 0, 0, , 0, 0, 0, , 0, 0, 0, 0, 0, 0, Number((1))])
    }
})()

Crash trace:

==22993== Invalid read of size 8
==22993==    at 0x406350: js::Shape::getObjectClass() const (jsscope.h:605)
==22993==    by 0x40771B: js::ObjectImpl::getClass() const (ObjectImpl-inl.h:245)
==22993==    by 0x51B415: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jsinterp.cpp:310)
==22993==    by 0x45E84F: js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (jsinterp.h:100)
==22993==    by 0x51B8B1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:373)
==22993==    by 0x8ACB0C: js::ion::InvokeFunction(JSContext*, JSFunction*, unsigned int, JS::Value*, JS::Value*) (VMFunctions.cpp:65)
==22993==    by 0x40347AF: ???
==22993==    by 0x10403469F: ???
==22993==    by 0x7FEFFE497: ???
==22993==    by 0xF: ???
==22993==    by 0xDE47DF: ???
==22993==    by 0xDE47BF: ???
==22993==  Address 0xdadadadadadadada is not stack'd, malloc'd or (recently) free'd


Likely responsible for quite a few signatures I've been picking up recently, marking as fuzzblocker.
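The faulting address in the trace above, 0xdadadadadadadada, is made entirely of 0xDA, the byte SpiderMonkey's debug builds write over freed memory (JS_FREE_PATTERN in jsutil.h), so the read in js::Shape::getObjectClass is going through a pointer pulled out of an already-swept GC cell rather than through an arbitrary bad pointer. The following triage helper is an added example for this page, not part of the bug, of jsbugmon or of SpiderMonkey: it parses a Valgrind memcheck report, derives the "[@ ...]" signature used in the bug title from the first symbolized frame, counts the unsymbolized JIT frames, and flags a free-poison address so such reports can be bucketed together as likely use-after-free. The sample trace embedded in it is reconstructed from the report in this bug.

```python
import re

# Constructed sample: the Valgrind report from the bug comment, trimmed to the
# lines a triage tool needs (the JIT frames beyond the first "???" are dropped).
SAMPLE_TRACE = """\
==22993== Invalid read of size 8
==22993==    at 0x406350: js::Shape::getObjectClass() const (jsscope.h:605)
==22993==    by 0x40771B: js::ObjectImpl::getClass() const (ObjectImpl-inl.h:245)
==22993==    by 0x51B415: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jsinterp.cpp:310)
==22993==    by 0x8ACB0C: js::ion::InvokeFunction(JSContext*, JSFunction*, unsigned int, JS::Value*, JS::Value*) (VMFunctions.cpp:65)
==22993==    by 0x40347AF: ???
==22993==  Address 0xdadadadadadadada is not stack'd, malloc'd or (recently) free'd
"""

ERROR_RE = re.compile(r"^==\d+== (Invalid (?:read|write) of size \d+)")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?)(?: \((\S+):(\d+)\))?$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) ")

# SpiderMonkey fills freed GC memory with this byte in debug builds
# (JS_FREE_PATTERN in jsutil.h); an address made entirely of it means the
# crashing code loaded a pointer out of an already-swept cell.
JS_FREE_PATTERN = 0xDA


def parse_trace(text):
    """Split a memcheck report into (error, frames, address).

    frames is a list of (function, file, line); file and line are None for
    unsymbolized frames, which in a JIT engine are usually generated code.
    """
    error, frames, address = None, [], None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m and error is None:
            error = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            func, path, lineno = m.groups()
            frames.append((func, path, int(lineno) if lineno else None))
            continue
        m = ADDR_RE.match(line)
        if m:
            address = int(m.group(1), 16)
    return error, frames, address


def crash_signature(frames):
    """Bugzilla-style signature: the first symbolized frame, arguments stripped."""
    for func, path, _ in frames:
        if path is not None:
            return func.split("(", 1)[0].strip()
    return None


def is_poison_address(address, pattern=JS_FREE_PATTERN, width=8):
    """True when every byte of the faulting address is the free-poison byte."""
    if address is None:
        return False
    return all((address >> (8 * i)) & 0xFF == pattern for i in range(width))


def triage(text):
    """Bucket one report: signature, JIT frame count and a use-after-free verdict."""
    error, frames, address = parse_trace(text)
    poisoned = is_poison_address(address)
    return {
        "error": error,
        "signature": crash_signature(frames),
        "jit_frames": sum(1 for _, path, _ in frames if path is None),
        "address": address,
        "poisoned": poisoned,
        "verdict": ("likely use-after-free of a GC thing (free-poison address)"
                    if poisoned else "invalid pointer, origin unknown"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(key, hex(value) if key == "address" and value is not None else value)
```

Running it on the sample yields the signature js::Shape::getObjectClass, one unsymbolized (JIT) frame and the use-after-free verdict; a report whose address is not poison-filled (for example a stack address) falls into the "origin unknown" bucket, which is the right place for it until a debugger or a GC-zeal run says more.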
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security
A testcase for this bug was already added in the original bug (bug 763989).
Flags: in-testsuite-