Last Comment Bug 768436 - IonMonkey: Crash [@ JSScript::hasAnalysis] with use-after-free
: IonMonkey: Crash [@ JSScript::hasAnalysis] with use-after-free
Status: RESOLVED FIXED
[jsbugmon:update][fuzzblocker]
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Other Branch
: x86 Linux
: -- major (vote)
: ---
Assigned To: Jan de Mooij [:jandem] (PTO until July 31)
:
Mentors:
Depends on:
Blocks: langfuzz IonFuzz
  Show dependency treegraph
 
Reported: 2012-06-26 06:29 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:04 PST (History)
7 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Patch (3.44 KB, patch)
2012-06-26 07:04 PDT, Jan de Mooij [:jandem] (PTO until July 31)
no flags Details | Diff | Splinter Review
Patch (3.51 KB, patch)
2012-06-26 07:33 PDT, Jan de Mooij [:jandem] (PTO until July 31)
dvander: review+
Details | Diff | Splinter Review

Description Christian Holler (:decoder) 2012-06-26 06:29:49 PDT
The following testcase crashes on ionmonkey revision 80a4e5dfeaaf (run with --ion -n -m --ion-eager):


new ({});
Comment 1 Christian Holler (:decoder) 2012-06-26 06:30:51 PDT
Crash trace:


==12410== Invalid read of size 4
==12410==    at 0x8122466: JSScript::hasAnalysis() (jsinferinlines.h:1470)
==12410==    by 0x849EA30: js::ion::ShouldMonitorReturnType(JSFunction*) (VMFunctions.cpp:60)
==12410==    by 0x849EB22: js::ion::InvokeConstructorFunction(JSContext*, JSFunction*, unsigned int, JS::Value*, JS::Value*) (VMFunctions.cpp:93)
==12410==    by 0x78B534C: ???
==12410==    by 0x840C2CA: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1112)
==12410==    by 0x840C53C: js::ion::Cannon(JSContext*, js::StackFrame*) (Ion.cpp:1143)
==12410==    by 0x814C794: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:263)
==12410==    by 0x814D3CC: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:474)
==12410==    by 0x814D60A: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:512)
==12410==    by 0x808F4F1: JS_ExecuteScript (jsapi.cpp:5370)
==12410==    by 0x804FB01: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:440)
==12410==    by 0x805AB43: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4832)
==12410==  Address 0xdadadb02 is not stack'd, malloc'd or (recently) free'd


Jandem says this was caused by bug 766011.
Comment 2 Jan de Mooij [:jandem] (PTO until July 31) 2012-06-26 07:04:57 PDT
Created attachment 636693 [details] [diff] [review]
Patch

Taking this fuzz blocker, we need to check if the callee is a function.
Comment 3 Jan de Mooij [:jandem] (PTO until July 31) 2012-06-26 07:33:11 PDT
Created attachment 636706 [details] [diff] [review]
Patch
Comment 4 David Anderson [:dvander] 2012-06-26 11:26:48 PDT
Comment on attachment 636706 [details] [diff] [review]
Patch

Review of attachment 636706 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for the quick fix - could we add a test case for this?
Comment 5 Jan de Mooij [:jandem] (PTO until July 31) 2012-06-26 12:11:50 PDT
https://hg.mozilla.org/projects/ionmonkey/rev/bd0eba3ea397

(In reply to David Anderson [:dvander] from comment #4)
>
> Thanks for the quick fix - could we add a test case for this?

Hrm I forgot to qref it, pushed with that fixed.
Comment 6 Christian Holler (:decoder) 2013-01-14 08:04:03 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug768436.js.

Note You need to log in before you can comment on or make changes to this bug.