Closed Bug 835495 Opened 11 years ago Closed 8 years ago

Crash [@ JSString::isAtom]

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86 Linux
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
Reporter: decoder
Assignee: Unassigned
Keywords: crash, testcase
Whiteboard: [jsbugmon:update,ignore]

The following testcase crashes on mozilla-central revision 80fed51ae074 (no options required):

try {
  this.watch("x", '' .concat);
  for(var x in f1) { f1[x]; };
} catch(exc1) {}
for (var i = (null ); i < 100; ++i) {
  x += 5;
}

Crash Trace:

==5136== Invalid read of size 4
==5136==    at 0x804DB56: JSString::isAtom() const (String.h:380)
==5136==    by 0x834A459: JSString* js::ConcatStrings<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType) (String.cpp:305)
==5136==    by 0x82502E3: str_concat(JSContext*, unsigned int, JS::Value*) (jsstr.cpp:3075)
==5136==    by 0x81745A6: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:353)
==5136==    by 0x817E609: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:390)
==5136==    by 0x80AFAA4: js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (jsinterp.h:131)
==5136==    by 0x817E97D: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:437)
==5136==    by 0x8316D9F: obj_watch_handler(JSContext*, JSObject*, jsid, JS::Value, JS::Value*, void*) (Object.cpp:560)
==5136==    by 0x82A776A: js::WatchpointMap::triggerWatchpoint(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) (jswatchpoint.cpp:150)
==5136==    by 0x81BC1B2: js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, unsigned int, JS::MutableHandle<JS::Value>, int) (jsobj.cpp:3908)
==5136==    by 0x817A661: js::SetNameOperation(JSContext*, JSScript*, unsigned char*, JS::Handle<JSObject*>, JS::Handle<JS::Value>) (jsinterpinlines.h:499)
==5136==    by 0x8185E47: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2256)
==5136==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
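The trace shows the path the testcase drives: the `x += 5` store in the interpreter hits a watchpoint, `obj_watch_handler` invokes the installed handler (`String.prototype.concat`, a native) with the watched object as `this` and `(id, oldval, newval)` as arguments, and the handler's return value becomes the stored value. The following is an added example, not code from the bug report or from SpiderMonkey: a plain-ES shim (`watchShim`, a hypothetical helper) that models the documented semantics of the non-standard, since-removed `Object.prototype.watch`, so the calling convention and the feedback loop the testcase sets up can be inspected in any engine. It runs on a private object rather than the global and for only a few iterations.

```javascript
// Added example: shim modelling the documented Object.prototype.watch
// semantics (handler called as obj.handler(id, oldval, newval); the return
// value is what gets stored). watchShim is a hypothetical helper, not the
// engine API, and it does not reproduce the crash.
function watchShim(obj, prop, handler) {
  let value = obj[prop];
  Object.defineProperty(obj, prop, {
    configurable: true,
    enumerable: true,
    get() { return value; },
    set(newval) {
      // Same calling convention the trace shows for obj_watch_handler:
      // this = the watched object, arguments = (id, oldval, newval).
      value = handler.call(obj, prop, value, newval);
    },
  });
}

// Mirror the testcase's shape: `var x` leaves x undefined, then the loop
// does x += 5 starting from i = null. The handler records what it was
// called with and then delegates to the same native the testcase installs.
function runTestcaseShape(iterations) {
  const scope = { x: undefined };
  const seen = [];
  watchShim(scope, "x", function (id, oldval, newval) {
    seen.push({ thisIsScope: this === scope, id, oldval, newval });
    return "".concat.call(this, id, oldval, newval);
  });
  for (let i = null; i < iterations; ++i) {
    scope.x += 5;
  }
  return { finalValue: scope.x, seen };
}

// Length recurrence implied by the shim: each store concatenates
// ToString(this) ("[object Object]", 15 chars), the id "x", the old value
// and the new value (old value plus "5"), so len(n+1) = 2*len(n) + 17.
function lengthAfter(iterations) {
  let len = 0;
  for (let n = 1; n <= iterations; ++n) {
    len = n === 1 ? 15 + 1 + "undefined".length + "NaN".length : 2 * len + 17;
  }
  return len;
}
```

Two things worth noticing from running it. First, on the very first store the native receives `this` = the watched object and `newval` = NaN (`undefined + 5`), so `concat` is asked to stringify inputs `String.prototype` code normally never sees in this combination. Second, because the handler's return value is written back and then fed in again as `oldval`, the stored string roughly doubles on every iteration; the shim therefore stops after a handful of iterations, whereas the original testcase loops 100 times.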
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a46bc920998d).
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:update,bisectfix]
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
Assignee: general → nobody
More than 3 years old, WFM now with various JIT flags.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME