875804 - Crash [@ check] or Opt-Crash [@ QuoteString]

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision df526497d949 (no options required):


eval('(function () {\
function range(n) {\
  for (var i = 0; i < 100000; i++)\
    yield i;\
}\
var r = range(10);\
var i = 0;\
for (var x in r)\
  assertEq(x,i++);\
' + '})();');

Comment 1

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 2

[Christian Holler (:decoder)]

Opt-crash trace:


Program received signal SIGSEGV, Segmentation fault.
QuoteString (sp=0x7fffffffbd10, str=<error reading variable: Cannot access memory at address 0x449>, quote=<optimized out>) at js/src/jsopcode.cpp:988
988         const jschar *s = str->getChars(sp->context);
#0  QuoteString (sp=0x7fffffffbd10, str=<error reading variable: Cannot access memory at address 0x449>, quote=<optimized out>) at js/src/jsopcode.cpp:988
#1  0x0000000000500b61 in js_QuoteString (cx=0x161f2c0, str=<error reading variable: Cannot access memory at address 0x449>, quote=34) at js/src/jsopcode.cpp:1057
#2  0x0000000000537c57 in js::ValueToSource (cx=<optimized out>, v=...) at s/src/jsstr.cpp:3759
#3  0x0000000000427d77 in JS_ValueToSource (cx=<optimized out>, valueArg=...) at js/src/jsapi.cpp:491
#4  0x000000000041eff4 in ToSource (bytes=<synthetic pointer>, vp=0x7fffffffbe78, cx=0x161f2c0) at js/src/shell/js.cpp:1354
#5  AssertEq (cx=0x161f2c0, argc=2, vp=0x7fffffffbe68) at js/src/shell/js.cpp:1384
#6  0x00007ffff7f9a074 in ?? ()
#7  0x00007ffff5f3c820 in ?? ()
rbp     0x449   1097
=> 0x4ff684 <QuoteString(js::Sprinter*, JSString*, uint32_t)+852>:      testb  $0xf,0x0(%rbp)


S-s because this crash signature is known to be dangerous and the crash at 0x449 is pretty sure not a null-deref but likely some memory corruption/invalid object.

Comment 3

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 4

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132801:4370f503d69f
user:        Brian Hackett
date:        Thu May 23 13:25:19 2013 -0600
summary:     Bug 875276 - Don't profile types in scripts until they are compiled by baseline, r=jandem.

This iteration took 337.106 seconds to run.

Comment 5

[Christian Holler (:decoder)]

Needinfo from Brian based on comment 4.

Comment 7

[Brian Hackett [Laid off!]]

Attachment: patch

During OSR Ion won't notice that an active iterator object is a generator or other custom iterator, and can produce values other than strings from 'for in' loops.  Whenever these iterators are used the script's types need to be instantiated immediately so the information can be remembered.

Comment 8

[Jan de Mooij [:jandem]]

Comment on attachment 754840 [details] [diff] [review]
patch

Review of attachment 754840 [details] [diff] [review]:
-----------------------------------------------------------------

Please add the testcase as well.

Comment 9

[Christian Holler (:decoder)]

Bug 875806 might be a dup of this one. If it is, it might be easier to take the test from there, since it's a little less ugly ;)

Comment 10

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/5f6f8a2600cb

Comment 12

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 75407626ba46).

Comment 13

[Christian Holler (:decoder)]

I'll take that back, didn't see this is on inbound already ^^

Comment 14

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/5f6f8a2600cb

Comment 15

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.