854448 - OdinMonkey: Crash [@ name]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 3acbf951b3b1 (no options required):


__defineGetter__("eval", function() { 
	"use asm"; 
	function g() {} 
	return g 
})
eval
eval("");

Comment 1

[Christian Holler (:decoder)]

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
name (this=(const JSFunction * const) 0xf7530550 [object Function <unnamed>]) at ../jsfun.h:168
168         js::PropertyName *name() const { return hasGuessedAtom() ? NULL : atom_->asPropertyName(); }
(gdb) bt
#0  name (this=(const JSFunction * const) 0xf7530550 [object Function <unnamed>]) at ../jsfun.h:168
#1  js::LinkAsmJS (cx=0x88f5278, argc=0, vp=0xf7716060) at /srv/repos/mozilla-central/js/src/ion/AsmJSLink.cpp:432
#2  0x081843e0 in CallJSNative (args=..., native=<optimized out>, cx=0x88f5278) at ../jscntxtinlines.h:338
#3  js::InvokeKernel (cx=0x88f5278, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:384
#4  0x081856be in Invoke (args=..., cx=0x88f5278, construct=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinterp.h:135
#5  Invoke (rval=0xffffc670, argv=0x0, argc=0, fval=..., thisv=..., cx=0x88f5278) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:431
#6  js::InvokeGetterOrSetter (cx=0x88f5278, obj=(JSObject *) 0xf7525040 [object global] delegate, fval=..., argc=0, argv=0x0, rval=0xffffc670) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:502
#7  0x081aea31 in js::Shape::get (this=0xf75324d8, cx=0x88f5278, receiver=(JSObject * const) 0xf7525040 [object global] delegate, obj=(JSObject *) 0xf7525040 [object global] delegate, pobj=
    (JSObject *) 0xf7525040 [object global] delegate, vp=$jsval(-nan(0xfff8200000000))) at ../vm/Shape-inl.h:298
#8  0x081aed58 in NativeGetInline<(js::AllowGC)1> (vp=$jsval(-nan(0xfff8200000000)), shape=0xf75324d8, pobj=(JSObject * const) 0xf7525040 [object global] delegate, receiver=
    (JSObject * const) 0xf7525040 [object global] delegate, obj=(JSObject * const) 0xf7525040 [object global] delegate, cx=0x88f5278, getHow=<optimized out>) at /srv/repos/mozilla-central/js/src/jsobj.cpp:3633
#9  js_NativeGet (cx=0x88f5278, obj=(JSObject * const) 0xf7525040 [object global] delegate, pobj=(JSObject * const) 0xf7525040 [object global] delegate, shape=0xf75324d8, getHow=0, vp=$jsval(-nan(0xfff8200000000)))
    at /srv/repos/mozilla-central/js/src/jsobj.cpp:3653
#10 0x08173910 in NativeGet (vp=$jsval(-nan(0xfff8200000000)), getHow=0, shapeArg=<optimized out>, pobjArg=(JSObject *) 0xf7525040 [object global] delegate, objArg=(JSObject *) 0xf7525040 [object global] delegate, 
    cx=0x88f5278) at /srv/repos/mozilla-central/js/src/jsinterpinlines.h:205
#11 js::FetchName<false> (cx=0x88f5278, obj=(JSObject * const) 0xf7525040 [object global] delegate, obj2=(JSObject * const) 0xf7525040 [object global] delegate, name="eval", shape=0xf75324d8, vp=
    $jsval(-nan(0xfff8200000000))) at /srv/repos/mozilla-central/js/src/jsinterpinlines.h:404
#12 0x08173d3d in js::NameOperation (cx=0x88f5278, pc=0x88f4585  <incomplete sequence \323>, vp=$jsval(-nan(0xfff8200000000))) at /srv/repos/mozilla-central/js/src/jsinterpinlines.h:471
#13 0x081776ba in js::Interpret (cx=0x88f5278, entryFrame=0xf7716028, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:2477
#14 0x08183f79 in js::RunScript (cx=0x88f5278, fp=0xf7716028) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:341
#15 0x081862db in ExecuteKernel (result=0x0, evalInFrame=..., thisv=..., scopeChainArg=..., script=0xf7529100, cx=0x88f5278, type=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:529
#16 js::Execute (cx=0x88f5278, script=0xf7529100, scopeChainArg=(JSObject &) @0xf7525040 [object global] delegate, rval=0x0) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:569
#17 0x0807f641 in JS_ExecuteScript (cx=0x88f5278, objArg=(JSObject *) 0xf7525040 [object global] delegate, scriptArg=0xf7529100, rval=0x0) at /srv/repos/mozilla-central/js/src/jsapi.cpp:5524
#18 0x08053447 in Process (cx=0x88f5278, obj_=<optimized out>, filename=0xffffd081 "min.js", forceTTY=false) at /srv/repos/mozilla-central/js/src/shell/js.cpp:473
#19 0x0805e150 in ProcessArgs (op=0xffffcdb0, obj_=(JSObject *) 0xf7525040 [object global] delegate, cx=0x88f5278) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5083
#20 Shell (cx=0x88f5278, op=0xffffcdb0, envp=0xffffcee0) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5120
#21 0x0804ba31 in main (argc=2, argv=0xffffced4, envp=0xffffcee0) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5344
(gdb) x /i $pc
=> 0x863b3cb <js::LinkAsmJS(JSContext*, unsigned int, JS::Value*)+1563>:        mov    (%edx),%eax
(gdb) info reg edx
edx            0x0      0


Likely a null-deref, however the non-debug opt build does not crash while the debug+opt build does. This could be a crash in debug-only code, but it could also indicate some memory issue only manifesting in one of the builds. Please remove s-s if confirmed to be harmless.

Comment 2

[Luke Wagner [:luke]]

Safe NULL-deref of fun->atom_.

Comment 3

[Luke Wagner [:luke]]

Attachment: fix and test

Simple fix.

Comment 4

[Luke Wagner [:luke]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/3a535bd50a23

Comment 5

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/3a535bd50a23