Closed Bug 851474 Opened 11 years ago Closed 11 years ago

Rooting Analysis: Crash [@ js::CompartmentChecker::check] with uninitialized values [@ CheckStackRoot]

Categories: Core :: JavaScript Engine, defect

Platform: x86
OS: Linux
Type: defect
Priority: Not set
Severity: major

Status: RESOLVED INVALID

People: (Reporter: decoder, Unassigned)

Details: (Keywords: crash, testcase, Whiteboard: [jsbugmon:ignore])

The following testcase crashes on mozilla-central built with --enable-root-analysis, revision 8e68f4d73ec4 (run with --ion-eager):

gczeal(6);
var t = true;
x = [];
for (var i = 0; i < 10; ++i) {
    x[0] = t == i + - {} + "o = {}; o.toString()";
}

Trace:

==7900== Use of uninitialised value of size 4
==7900==    at 0x8452051: CheckStackRoot(JSRuntime*, unsigned int*, Rooter*, Rooter*) (Verifier.cpp:61)
==7900==    by 0x8453896: JS::CheckStackRoots(JSContext*) (Verifier.cpp:104)
==7900==    by 0x819083C: js::MulValues(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, JS::Value*) (RootingAPI.h:783)
==7900==    by 0x7D40AD3: ???
==7900== 
==7900== Invalid read of size 1
==7900==    at 0x807222A: _ZN2js18CompartmentChecker5checkERKN2JS5ValueE.constprop.545 (jscntxtinlines.h:185)
==7900==    by 0x808593B: JS::AssertArgumentsAreSane(JSContext*, JS::Value const&) (jscntxtinlines.h:256)
==7900==    by 0x8192DA0: js::LooselyEqual(JSContext*, JS::Value const&, JS::Value const&, bool*) (jsapi.h:1692)
==7900==    by 0x867FC61: bool js::ion::LooselyEqual<true>(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, int*) (VMFunctions.cpp:175)
==7900==    by 0x7D4060F: ???
==7900==  Address 0xda431060 is not stack'd, malloc'd or (recently) free'd

And a lot more of the use-of-uninitialised-value warnings here. Note that this is a Valgrind build :)
Crash Signature: [@ js::CompartmentChecker::check] with uninitialized values [@ CheckStackRoot] → [@ js::CompartmentChecker::check]
This analysis explicitly reads uninitialized memory. For this reason and others we have switched to a static analysis and zeal mode 7.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID