Bug 768436 - IonMonkey: Crash [@ JSScript::hasAnalysis] with use-after-free
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86 Linux
Importance: -- major
Target Milestone: ---
Assigned To: Jan de Mooij [:jandem]
QA Contact: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz IonFuzz
Reported: 2012-06-26 06:29 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:04 PST (History)
Flags: choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments:
Patch (3.44 KB, patch) - 2012-06-26 07:04 PDT, Jan de Mooij [:jandem] - no flags
Patch (3.51 KB, patch) - 2012-06-26 07:33 PDT, Jan de Mooij [:jandem] - dvander: review+

Description Christian Holler (:decoder) 2012-06-26 06:29:49 PDT
The following testcase crashes on ionmonkey revision 80a4e5dfeaaf (run with --ion -n -m --ion-eager):

new ({});
Comment 1 Christian Holler (:decoder) 2012-06-26 06:30:51 PDT
Crash trace:

==12410== Invalid read of size 4
==12410==    at 0x8122466: JSScript::hasAnalysis() (jsinferinlines.h:1470)
==12410==    by 0x849EA30: js::ion::ShouldMonitorReturnType(JSFunction*) (VMFunctions.cpp:60)
==12410==    by 0x849EB22: js::ion::InvokeConstructorFunction(JSContext*, JSFunction*, unsigned int, JS::Value*, JS::Value*) (VMFunctions.cpp:93)
==12410==    by 0x78B534C: ???
==12410==    by 0x840C2CA: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1112)
==12410==    by 0x840C53C: js::ion::Cannon(JSContext*, js::StackFrame*) (Ion.cpp:1143)
==12410==    by 0x814C794: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:263)
==12410==    by 0x814D3CC: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:474)
==12410==    by 0x814D60A: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:512)
==12410==    by 0x808F4F1: JS_ExecuteScript (jsapi.cpp:5370)
==12410==    by 0x804FB01: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:440)
==12410==    by 0x805AB43: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4832)
==12410==  Address 0xdadadb02 is not stack'd, malloc'd or (recently) free'd

Jandem says this was caused by bug 766011.
Comment 2 Jan de Mooij [:jandem] 2012-06-26 07:04:57 PDT
Created attachment 636693 [details] [diff] [review]

Taking this fuzz blocker, we need to check if the callee is a function.
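The failure the report describes (a constructor call on a plain object, `new ({})`, reaching code that treats the callee as a JSFunction and reads its script pointer from whatever bytes follow the object header) and the check comment 2 describes, shown as an added example. This is not SpiderMonkey code and not the attached patch: the struct layouts, the class-pointer `isFunction()` test, the `Monitor` result type, the helper names and the 0xDA fill after the plain object are all assumptions made for the illustration. The fill only stands in for unrelated or poisoned memory; the example does not reproduce the engine's real object layout.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Stand-in engine types (assumed layouts for the example, not SpiderMonkey's).
struct JSScript {
    bool analysed;
    bool hasAnalysis() const { return analysed; }
};

struct Class { const char *name; };
static const Class PlainObjectClass = {"Object"};
static const Class FunctionClass = {"Function"};

struct JSObject {
    const Class *clasp;
    bool isFunction() const { return clasp == &FunctionClass; }
};

// A function is an object with extra fields after the common header.
struct JSFunction {
    JSObject base;
    JSScript *script;  // null for a native (non-interpreted) function
};

// 'Before' behaviour: the callee is cast to JSFunction with no check, so the
// "script pointer" is whatever sits at that offset past the object header.
// The value is returned instead of dereferenced so the example cannot crash.
static uintptr_t uncheckedScriptPointer(const void *callee) {
    uintptr_t raw;
    std::memcpy(&raw,
                static_cast<const char *>(callee) + offsetof(JSFunction, script),
                sizeof raw);
    return raw;
}

enum class Monitor { Yes, No, NotAFunction };

// 'After' behaviour: refuse to treat the callee as a function until the
// object's class says it is one, then handle the native-function case too.
static Monitor shouldMonitorReturnType(JSObject *callee) {
    if (!callee->isFunction())
        return Monitor::NotAFunction;  // the check comment 2 calls for
    JSFunction *fun = reinterpret_cast<JSFunction *>(callee);
    if (!fun->script)
        return Monitor::No;  // nothing to analyse for a native function
    return fun->script->hasAnalysis() ? Monitor::No : Monitor::Yes;
}

// Constructed "heap cell": a plain object header followed by 0xDA fill, an
// assumed stand-in for the memory that follows a real plain object.
static const unsigned char kPoison = 0xDA;
struct PlainObjectCell {
    alignas(JSFunction) unsigned char bytes[sizeof(JSFunction)];
};

static PlainObjectCell makePlainObjectCell() {
    PlainObjectCell cell;
    std::memset(cell.bytes, kPoison, sizeof cell.bytes);
    JSObject header = {&PlainObjectClass};
    std::memcpy(cell.bytes, &header, sizeof header);
    return cell;
}

// The pointer-sized value the unchecked read yields when every byte is kPoison.
static uintptr_t poisonPointer() {
    uintptr_t v;
    std::memset(&v, kPoison, sizeof v);
    return v;
}

static Monitor monitorForPlainObject() {
    PlainObjectCell cell = makePlainObjectCell();
    return shouldMonitorReturnType(reinterpret_cast<JSObject *>(cell.bytes));
}

static Monitor monitorForFunction(bool hasScript, bool analysed) {
    JSScript script = {analysed};
    JSFunction fun = {{&FunctionClass}, hasScript ? &script : nullptr};
    return shouldMonitorReturnType(&fun.base);
}

int main() {
    PlainObjectCell cell = makePlainObjectCell();
    std::printf("unchecked script pointer for the `new ({})` callee: 0x%llx\n",
                static_cast<unsigned long long>(uncheckedScriptPointer(cell.bytes)));
    std::printf("checked path rejects the plain object: %s\n",
                monitorForPlainObject() == Monitor::NotAFunction ? "yes" : "no");
    std::printf("interpreted function without analysis is monitored: %s\n",
                monitorForFunction(true, false) == Monitor::Yes ? "yes" : "no");
    return 0;
}
```

The unchecked read returns a pointer made entirely of the fill byte, which is the kind of value that becomes a wild dereference once `hasAnalysis()` runs on it; the checked path never forms that pointer for a non-function callee.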
Comment 3 Jan de Mooij [:jandem] 2012-06-26 07:33:11 PDT
Created attachment 636706 [details] [diff] [review]
Comment 4 David Anderson [:dvander] 2012-06-26 11:26:48 PDT
Comment on attachment 636706 [details] [diff] [review]

Review of attachment 636706 [details] [diff] [review]:

Thanks for the quick fix - could we add a test case for this?
Comment 5 Jan de Mooij [:jandem] 2012-06-26 12:11:50 PDT

(In reply to David Anderson [:dvander] from comment #4)
> Thanks for the quick fix - could we add a test case for this?

Hrm, I forgot to qref it; pushed with that fixed.
Comment 6 Christian Holler (:decoder) 2013-01-14 08:04:03 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug768436.js.
