Closed
Bug 787667
Opened 12 years ago
Closed 12 years ago
Crash [@ JS::Value::isMagic] with ParallelArray
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: VERIFIED FIXED
Target milestone: mozilla18

Branch | Tracking | Status
---|---|---
firefox15 | --- | unaffected
firefox16 | --- | unaffected
firefox17 | + | fixed
firefox18 | + | fixed
firefox-esr10 | --- | unaffected
People
(Reporter: decoder, Assigned: shu)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update][qa?][adv-track-main17-])
Crash Data
Attachments (1 file)
Attachment #657587 (patch, 2.57 KB): dvander: review+; lsblakk: approval-mozilla-aurora+
Description

The following testcase crashes on mozilla-central revision c64a9f342156 (run with -m -n -a):

```js
function testScatter() {
  var shape = [("x=new String();x.charAt(-1)")];
  for (var i = 0; i < (271); i++) {
    shape.push(i+1);
    var p = new ParallelArray(shape, function(k) { return k; });
    var r = p.scatter([0,1,0,3,(null )], 9, function (a,b) { return a+b; }, 10);
  }
}
testScatter();
```
Comment 1 (Reporter, 12 years ago)

GDB shows:

```
Program received signal SIGSEGV, Segmentation fault.
0x0000000000466ec6 in JS::Value::isMagic (this=0x7ffff6100000) at /srv/repos/mozilla-central/js/src/jsapi.h:409
409         return JSVAL_IS_MAGIC_IMPL(data);
(gdb) bt 8
#0  0x0000000000466ec6 in JS::Value::isMagic (this=0x7ffff6100000) at /srv/repos/mozilla-central/js/src/jsapi.h:409
#1  0x0000000000466ef1 in JS::Value::isMagic (this=0x7ffff6100000, why=JS_ARRAY_HOLE) at /srv/repos/mozilla-central/js/src/jsapi.h:414
#2  0x000000000072757c in js::ParallelArrayObject::toStringBufferImpl (this=0x7ffff5f1efc0, cx=0xcd5520, iv=..., useLocale=false, buffer=..., sb=...) at /srv/repos/mozilla-central/js/src/builtin/ParallelArray.cpp:1530
#3  0x0000000000727376 in js::ParallelArrayObject::toStringBufferImpl (this=0x7ffff5f1efc0, cx=0xcd5520, iv=..., useLocale=false, buffer=..., sb=...) at /srv/repos/mozilla-central/js/src/builtin/ParallelArray.cpp:1490
#4  0x0000000000727376 in js::ParallelArrayObject::toStringBufferImpl (this=0x7ffff5f1efc0, cx=0xcd5520, iv=..., useLocale=false, buffer=..., sb=...) at /srv/repos/mozilla-central/js/src/builtin/ParallelArray.cpp:1490
#5  0x0000000000727376 in js::ParallelArrayObject::toStringBufferImpl (this=0x7ffff5f1efc0, cx=0xcd5520, iv=..., useLocale=false, buffer=..., sb=...) at /srv/repos/mozilla-central/js/src/builtin/ParallelArray.cpp:1490
#6  0x0000000000727376 in js::ParallelArrayObject::toStringBufferImpl (this=0x7ffff5f1efc0, cx=0xcd5520, iv=..., useLocale=false, buffer=..., sb=...) at /srv/repos/mozilla-central/js/src/builtin/ParallelArray.cpp:1490
#7  0x0000000000727376 in js::ParallelArrayObject::toStringBufferImpl (this=0x7ffff5f1efc0, cx=0xcd5520, iv=..., useLocale=false, buffer=..., sb=...) at /srv/repos/mozilla-central/js/src/builtin/ParallelArray.cpp:1490
(More stack frames follow...)
(gdb) x /i $pc
=> 0x466ec6 <JS::Value::isMagic() const+16>:    mov    (%rax),%rdi
(gdb) info reg rax rdi
rax            0x7ffff6100000   140737321631744
rdi            0x7ffff6100000   140737321631744
```

In Valgrind, I see lots of:

```
==15274== Invalid read of size 8
==15274==    at 0x7A0EFD: js::ValueToStringBufferSlow(JSContext*, JS::Value const&, js::StringBuffer&) (StringBuffer.cpp:86)
==15274==    by 0x468F17: js::ValueToStringBuffer(JSContext*, JS::Value const&, js::StringBuffer&) (StringBuffer.h:137)
==15274==    by 0x727765: js::ParallelArrayObject::toStringBufferImpl(JSContext*, js::ParallelArrayObject::IndexInfo&, bool, JS::Handle<JSObject*>, js::StringBuffer&) (ParallelArray.cpp:1549)
[...]
==15274==  Address 0x7200000 is not stack'd, malloc'd or (recently) free'd
```

S-s due to possibly exploitable crash. This is likely a regression from the ParallelArray landing, but I'm doing a bisect anyway to be sure that this also affects Aurora.
Whiteboard: [jsbugmon:update,bisect]

Updated (Reporter, 12 years ago)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2 (Reporter, 12 years ago)

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

```
The first bad revision is:
changeset:   102665:ea2ad8970f3e
user:        Shu-yu Guo
date:        Fri Aug 17 10:38:59 2012 -0700
summary:     Bug 778559 - Implement ParallelArray API with sequential execution (r=dmandelin)
```
Updated (Reporter, 12 years ago)
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → affected
status-firefox18: --- → affected
tracking-firefox17: --- → ?
tracking-firefox18: --- → ?
Comment 3 (Assignee, 12 years ago)
This hits a corner case where getting a row (as opposed to a leaf value) of a multidimensional array with one of the dimensions being 0 is considered in bounds while it should not.
Assignee: general → shu
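The corner case named in comment 3 (a row access judged in bounds even though one dimension is 0) is the kind of check mismatch that lets a string walk such as the toStringBufferImpl recursion in the backtrace reach a JS::Value that was never allocated. The following is an added illustration, not code from ParallelArray.cpp or from the attached patch: it models a shaped flat buffer and contrasts an assumed bounds check based on the flat offset and row length (which collapses to "in bounds" whenever a trailing dimension is 0) with a per-dimension check. The struct, function names and the exact form of the weak check are assumptions made for this example; how SpiderMonkey's check looked is not on the page.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Assumed model (not SpiderMonkey's ParallelArrayObject): a flat buffer plus a
// shape such as {3, 0, 5}. data.size() is the product of all dimensions.
struct Shaped {
    std::vector<size_t> shape;
    std::vector<int> data;
};

// Product of shape[from..end); 1 for an empty range.
static size_t productFrom(const std::vector<size_t>& shape, size_t from) {
    size_t n = 1;
    for (size_t d = from; d < shape.size(); ++d) n *= shape[d];
    return n;
}

// Build an array whose buffer is exactly as long as the shape implies.
Shaped makeShaped(std::vector<size_t> shape) {
    Shaped a;
    a.shape = shape;
    a.data.assign(productFrom(shape, 0), 0);
    return a;
}

// Assumed weak check: derive a flat offset for the leading indices and accept
// the access if the whole row fits in the buffer. When a trailing dimension
// is 0 the row length is 0 and every offset also collapses to 0, so an
// arbitrarily large leading index is reported as in bounds.
bool rowInBoundsFlat(const Shaped& a, const std::vector<size_t>& idx) {
    if (idx.size() > a.shape.size()) return false;
    size_t offset = 0;
    for (size_t d = 0; d < idx.size(); ++d)
        offset += idx[d] * productFrom(a.shape, d + 1);
    size_t rowLength = productFrom(a.shape, idx.size());
    return offset + rowLength <= a.data.size();
}

// Hardened check: every supplied index must be strictly below its own
// dimension, independent of what the other dimensions multiply out to.
bool rowInBoundsPerDim(const Shaped& a, const std::vector<size_t>& idx) {
    if (idx.size() > a.shape.size()) return false;
    for (size_t d = 0; d < idx.size(); ++d)
        if (idx[d] >= a.shape[d]) return false;
    return true;
}

// Stand-alone demo: prints both verdicts for a zero-dimension shape and a
// regular one, so the disagreement is visible only in the zero-dimension case.
int main() {
    const Shaped zeroDim = makeShaped({3, 0, 5});
    const Shaped regular = makeShaped({3, 4});
    std::printf("shape {3,0,5}, row 7: flat=%d perDim=%d\n",
                rowInBoundsFlat(zeroDim, {7}), rowInBoundsPerDim(zeroDim, {7}));
    std::printf("shape {3,4},   row 1: flat=%d perDim=%d\n",
                rowInBoundsFlat(regular, {1}), rowInBoundsPerDim(regular, {1}));
    std::printf("shape {3,4},   row 3: flat=%d perDim=%d\n",
                rowInBoundsFlat(regular, {3}), rowInBoundsPerDim(regular, {3}));
    return 0;
}
```

The per-dimension check is the one a caller should rely on before reading from the buffer; the flat-offset form is shown only to make the failure mode concrete. A regression test for this class of bug should include a shape with a zero dimension in each position, since the weak check happens to reject the access when the zero dimension is leading and accept it when it is trailing.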
Updated (Assignee, 12 years ago)
Attachment #657587 - Flags: review?(dvander)

Updated (12 years ago)
Attachment #657587 - Flags: review?(dvander) → review+
Comment 4 (Assignee, 12 years ago)

https://hg.mozilla.org/integration/mozilla-inbound/rev/b1f9a8d75e20

Comment 5 (12 years ago)

https://hg.mozilla.org/mozilla-central/rev/b1f9a8d75e20
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Updated (Reporter, 12 years ago)
Status: RESOLVED → VERIFIED
Comment 6 (Reporter, 12 years ago)
JSBugMon: This bug has been automatically verified fixed.
Comment 7 (Assignee, 12 years ago)

Comment on attachment 657587 [details] [diff] [review] fix and testcases

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 778559
User impact if declined: Uninitialized memory read
Testing completed (on m-c, etc.): locally and on m-c
Risk to taking this patch (and alternatives if risky): None, localized to a non-publicized and unused-in-the-wild API
String or UUID changes made by this patch:
Attachment #657587 - Flags: approval-mozilla-aurora?
Updated (12 years ago)
Attachment #657587 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 8 (Assignee, 12 years ago)
https://hg.mozilla.org/releases/mozilla-aurora/rev/f5bac7fe975c
Updated (12 years ago)
Does this need QA verification given comment 10?
Whiteboard: [jsbugmon:update] → [jsbugmon:update][qa?]
Updated (12 years ago)
Whiteboard: [jsbugmon:update][qa?] → [jsbugmon:update][qa?][adv-track-main17-]
Updated (11 years ago)