Closed Bug 852801 Opened 12 years ago Closed 12 years ago

BaselineCompiler: Crash [@ js::ion::ICUpdatedStub::addUpdateStubForValue]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major

RESOLVED FIXED

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: crash, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(2 files)

Attached file Testcase for shell
The attached testcase crashes on baseline compiler branch revision ff681c5eadaf (run with --ion-eager).
This is an OOM issue (hence the test, which is a mess), but it seems important to fix because I'm seeing now a large number of different signatures that are all OOM and most likely have the same source. These even include random jumps on the heap it seems. Here's a Valgrind trace for this crash:

==16717== Invalid read of size 2
==16717==    at 0x8752A8F: js::ion::ICUpdatedStub::addUpdateStubForValue(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, jsid, JS::Handle<JS::Value>) (BaselineIC.h:591)
==16717==    by 0x875364B: js::ion::DoTypeUpdateFallback(JSContext*, js::ion::BaselineFrame*, js::ion::ICUpdatedStub*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) (BaselineIC.cpp:1219)
==16717==    by 0x9B4726A: ???
==16717==    by 0x976C33F: ???
==16717==    by 0x9B40B2C: ???
==16717==    by 0x84E7461: EnterBaseline(JSContext*, js::StackFrame*, void*, bool) (BaselineJIT.cpp:149)
==16717==    by 0x818727A: js::RunScript(JSContext*, js::StackFrame*) (jsinterp.cpp:335)
==16717==    by 0x818984A: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:549)
==16717==    by 0x80805C0: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5535)
==16717==    by 0x8054D76: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:469)
==16717==    by 0x805F657: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:5053)
==16717==    by 0x804B9A0: main (js.cpp:5320)
==16717==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

Marking as fuzzblocker due to high amount of signatures.
Whiteboard: [jsbugmon:update] → [fuzzblocker] [jsbugmon:update]
Crash Signature: [@ js::ion::ICUpdatedStub::addUpdateStubForValue] → [@ js::ion::ICUpdatedStub::addUpdateStubForValue(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, jsid, JS::Handle<JS::Value>)]
Attached patch Patch
Add missing NULL check.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #727207 - Flags: review?(kvijayan)
Comment on attachment 727207 [details] [diff] [review]
Patch

Review of attachment 727207 [details] [diff] [review]:
-----------------------------------------------------------------

Nice find.
Attachment #727207 - Flags: review?(kvijayan) → review+
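The trace above reports a 2-byte read at address 0x0 from inside the stub-adding path, and the fix is described only as "Add missing NULL check". The following is an added example, not SpiderMonkey code and not the attached patch: it models the shape of that defect with a hypothetical stub chain and a fallible allocator, and shows the unchecked version next to the checked one that reports allocation failure to its caller instead of dereferencing a null pointer. All names (`Stub`, `StubAllocator`, `StubChain`, `addStubUnchecked`, `addStubChecked`, `fillChain`) are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Hypothetical, simplified model of an inline-cache stub (not SpiderMonkey's ICStub).
struct Stub {
    uint16_t kind;   // a 2-byte field, so a null deref here is a 2-byte read at address 0
    Stub* next;
};

// Simulated allocator that fails like an OOM would: returns nullptr once `budget` is spent.
class StubAllocator {
public:
    explicit StubAllocator(size_t budget) : budget_(budget) {}

    Stub* allocate(uint16_t kind) {
        if (budget_ == 0)
            return nullptr;                       // out of memory
        --budget_;
        storage_.push_back(std::make_unique<Stub>(Stub{kind, nullptr}));
        return storage_.back().get();
    }

private:
    size_t budget_;
    std::vector<std::unique_ptr<Stub>> storage_;  // owns every stub handed out
};

struct StubChain {
    Stub* head = nullptr;
    size_t count = 0;
};

// Unchecked pattern: assumes the allocation succeeded and reads a field of the result.
// When the allocator is exhausted this reads stub->kind through a null pointer.
// Shown only for comparison; the test below never calls it with an empty budget.
bool addStubUnchecked(StubAllocator& alloc, StubChain& chain, uint16_t kind) {
    Stub* stub = alloc.allocate(kind);
    stub->next = chain.head;                      // null deref on OOM
    chain.head = stub;
    ++chain.count;
    return stub->kind == kind;
}

// Checked pattern: test the allocation result first and propagate failure as `false`,
// so the caller can unwind (report OOM, bail out of the IC path) instead of crashing.
bool addStubChecked(StubAllocator& alloc, StubChain& chain, uint16_t kind) {
    Stub* stub = alloc.allocate(kind);
    if (!stub)
        return false;                             // OOM: nothing was linked, chain is unchanged
    stub->next = chain.head;
    chain.head = stub;
    ++chain.count;
    return stub->kind == kind;
}

// Drives the checked version until the allocator runs dry or `attempts` is reached.
// Returns how many stubs were actually linked; never more than `budget`.
size_t fillChain(size_t budget, size_t attempts) {
    StubAllocator alloc(budget);
    StubChain chain;
    for (size_t i = 0; i < attempts; ++i) {
        if (!addStubChecked(alloc, chain, static_cast<uint16_t>(i)))
            break;                                // allocation failed, stop cleanly
    }
    return chain.count;
}
```

The point of the checked version is that an allocation failure leaves the chain exactly as it was and turns into an ordinary `false` return, which is what lets an OOM in a deep JIT path surface as one stable failure mode rather than as the many distinct crash signatures the reporter was seeing.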
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED