Closed Bug 785736 Opened 12 years ago Closed 12 years ago

Crash [@ JSString::isRope], possibly memory corruption

Categories: Core :: JavaScript Engine
Type: defect
Platform: x86 Linux
Priority: Not set
Severity: critical


RESOLVED DUPLICATE of bug 785576

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

Attached file: Testcase for shell
The attached testcase crashes on mozilla-central revision f077de66e52d (run with -m -a -n).
The test is very fragile and likely not stable under bisection. Symptoms switched during minimization, including a GC-related assert, so I assume this could be a memory corruption of some sort. Backtrace of the crash (under Valgrind):

==8885== Invalid read of size 4
==8885==    at 0x804D68A: JSString::isRope() const (String.h:280)
==8885==    by 0x832A090: JSFlatString* JSRope::flattenInternal<(JSRope::UsingBarrier)1>(JSContext*) (String.cpp:225)
==8885==    by 0x8328D0A: JSRope::flatten(JSContext*) (String.cpp:277)
==8885==    by 0x806EC31: JSString::ensureLinear(JSContext*) (String.h:819)
==8885==    by 0x8256B9F: js::str_split(JSContext*, unsigned int, JS::Value*) (jsstr.cpp:2758)
==8885==    by 0x81722F8: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:372)
==8885==    by 0x84826A5: js::mjit::CallCompiler::generateNativeStub() (MonoIC.cpp:774)
==8885==    by 0x848371E: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1007)
==8885==    by 0x989FA82: ???
==8885==    by 0x85A8FF3: ??? (in /srv/repos/mozilla-central/js/src/debug32/shell/js)
==8885==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
sandbox = newGlobal('');
evalcx("x = [];y = {};", sandbox);
evalcx("x[0] = y;", sandbox);
gc();
evalcx("x.push('');", sandbox);
evalcx("x.pop();x.pop();", sandbox);

is a more reliable testcase that crashes at the same signature on m-c changeset e08a67884b9b with -m, -n and -a.

Can JSBugMon try bisecting this testcase instead?
Blocks: 785824
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #2)
> 
> Can JSBugMon try bisecting this testcase instead?

I filed a new bug with this testcase (see bug 785824) and requested a bisect there :) Not sure if these are dups, but since we can't be sure right now, it might be worth tracking those as two bugs and fixing the easier one first to check.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 8af2ff9c6018).
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security