Closed Bug 790921 Opened 13 years ago Closed 13 years ago

Crash [@ js::ion::IonCode::raw] with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla18

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [ion:p2])

Crash Data

Attachments

(1 file)

fix
1.33 KB, patch
dvander
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision fdfaef738a00 (run with --ion-eager): evaluate("\ gcparam(\"maxBytes\", gcparam(\"gcBytes\") + 4 );\n\ test();\n\ function test() {\n\ function flatten(arr)\n\ actual = flatten([1, [2], 3]);\ }\n\ "); try {} catch (lfVare) {}
Valgrind shows: ==48471== Invalid read of size 8 ==48471== at 0x88CD9A: js::ion::IonCode::raw() const (IonCode.h:78) ==48471== by 0x8DBC5A: js::ion::Assembler::call(js::ion::IonCode*) (Assembler-x64.h:515) ==48471== by 0x8E5473: void js::ion::MacroAssembler::callPreBarrier<js::ion::Address>(js::ion::Address const&, js::ion::MIRType) (IonMacroAssembler.h:353) ==48471== by 0x9F4B84: js::ion::CodeOffsetLabel js::ion::MacroAssembler::patchableCallPreBarrier<js::ion::Address>(js::ion::Address const&, js::ion::MIRType) (IonMacroAssembler.h:369) ==48471== by 0x9F3ADC: js::ion::CodeGeneratorShared::emitPreBarrier(js::ion::Address, js::ion::MIRType) (CodeGenerator-shared.cpp:458) ==48471== by 0x9E1E8E: js::ion::CodeGenerator::visitStoreFixedSlotT(js::ion::LStoreFixedSlotT*) (CodeGenerator.cpp:3034) ==48471== by 0x91501A: js::ion::LStoreFixedSlotT::accept(js::ion::LInstructionVisitor*) (LIR-Common.h:2381) ==48471== by 0x9D8EF5: js::ion::CodeGenerator::generateBody() (CodeGenerator.cpp:1287) ==48471== by 0x9E0C7F: js::ion::CodeGenerator::generate() (CodeGenerator.cpp:2803) ==48471== by 0x8972D0: js::ion::TestCompiler(js::ion::IonBuilder*, js::ion::MIRGraph*, js::ion::AutoDestroyAllocator&) (Ion.cpp:917) ==48471== by 0x89C98C: bool js::ion::IonCompile<&(js::ion::TestCompiler(js::ion::IonBuilder*, js::ion::MIRGraph*, js::ion::AutoDestroyAllocator&))>(JSContext*, JSScript*, JSFunction*, unsigned char*, bool) (Ion.cpp:1022) ==48471== by 0x89CC25: js::ion::MethodStatus js::ion::Compile<&(js::ion::TestCompiler(js::ion::IonBuilder*, js::ion::MIRGraph*, js::ion::AutoDestroyAllocator&))>(JSContext*, JSScript*, JSFunction*, unsigned char*, bool) (Ion.cpp:1154) ==48471== Address 0x0 is not stack'd, malloc'd or (recently) free'd
Attached patch fixSplinter Review
Easy fix -- don't dereference a known-NULL value.
Attachment #660988 - Flags: review?(dvander)
Attachment #660988 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/d39c810749ce
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: