Bug 600128 - TM: Crash [@ js_DeflateString]
Status: Closed (opened 14 years ago, closed 14 years ago)
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla2.0b7

Tracking:

| Flag | Tracking | Status |
|---|---|---|
| blocking2.0 | --- | beta8+ |
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People: Reporter: gkw, Assigned: Waldo
Keywords: crash, regression, testcase
Whiteboard: [sg:critical?][ccbr] fixed-in-tracemonkey
Attachments (1 file): patch (deleted), jimb: review+
```js
__defineSetter__("x", Object.freeze)
x = this;
for (let z = 0; z < 5; z++) {
  for each(let y in [0, 0, 0]) {
    print(u = "")
  }
}
```
crashes js debug and opt shell on TM changeset 54700fad8cf9 with -j at js_DeflateString
s-s because it seems to be accessing weird memory addresses.
dbg gdb info:

```
(gdb) bt
#0 0x081857d0 in js_DeflateString (cx=0x83e0be8, chars=0x838e440, nchars=8652393) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jsstr.cpp:3920
#1 0x08072d12 in JS_EncodeString (cx=0x83e0be8, str=0xf7502038) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jsapi.cpp:5203
#2 0x0804db10 in Print (cx=0x83e0be8, argc=1, vp=0xffffc450) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/shell/js.cpp:1110
#3 0xf76a2f64 in ?? ()
#4 0x081d553b in ExecuteTrace (cx=0x83e0be8, f=0x83dfdc4, state=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jstracer.cpp:6566
#5 0x081d5abb in ExecuteTree (cx=0x83e0be8, f=0x83dfdc4, inlineCallCount=@0xffffd0e8, innermostNestedGuardp=0xffffc5b8, lrp=0xffffc5bc) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jstracer.cpp:6667
#6 0x081d6e64 in js::MonitorLoopEdge (cx=0x83e0be8, inlineCallCount=@0xffffd0e8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jstracer.cpp:7171
#7 0x082ac2ec in js::Interpret (cx=0x83e0be8, entryFrame=0xf77ac088, inlineCallCount=0, interpFlags=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jsinterp.cpp:2770
#8 0x080ec41b in js::RunScript (cx=0x83e0be8, script=0x8408bc8, fun=0x0, scopeChain=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jsinterp.cpp:485
#9 0x080ed275 in js::Execute (cx=0x83e0be8, chain=0xf7502038, script=0x8408bc8, prev=0x0, flags=0, result=0xffffd200) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jsinterp.cpp:750
#10 0x08071dac in JS_ExecuteScript (cx=0x83e0be8, obj=0xf7502038, script=0x8408bc8, rval=0xffffd200) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/jsapi.cpp:4725
#11 0x0804c690 in Process (cx=0x83e0be8, obj=0xf7502038, filename=0x0, forceTTY=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/shell/js.cpp:536
#12 0x0804d231 in ProcessArgs (cx=0x83e0be8, obj=0xf7502038, argv=0xffffd408, argc=1) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/shell/js.cpp:867
#13 0x080561f1 in shell (cx=0x83e0be8, argc=1, argv=0xffffd408, envp=0xffffd410) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/shell/js.cpp:5250
#14 0x0805630d in main (argc=1, argv=0xffffd408, envp=0xffffd410) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-54576-54700fad8cf9/compilePath/shell/js.cpp:5346
```
opt gdb info:

```
(gdb) bt
#0 0x08148630 in js_DeflateString(JSContext*, unsigned short const*, unsigned int) ()
#1 0xffffcb38 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x/i $eip
```
Updated•14 years ago (Reporter)
blocking2.0: --- → ?

Comment 1•14 years ago (Reporter)
autoBisect shows this is probably related to the following changeset:

```
The first bad revision is:
changeset: 54277:1a49e9c79d5a
user: Jim Blandy
date: Tue Sep 21 11:35:29 2010 -0700
summary: Bug 492844: Implement Object.freeze, Object.isFrozen r=brendan,jorendorff
```

Blocks: 492844
Updated•14 years ago
Whiteboard: [sg:critical?][ccbr]

Updated•14 years ago
Assignee: general → jim

Updated•14 years ago
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected

Updated•14 years ago (Assignee)
Assignee: jim → jwalden+bmo
Status: NEW → ASSIGNED
OS: Linux → All
Hardware: x86 → All

Comment 2•14 years ago (Assignee)
Minimized:

```
(gdb) r
Starting program: /home/jwalden/moz/shell-js/js/src/dbg/js -j
[Thread debugging using libthread_db enabled]
js> Object.freeze(this); for (let j = 0; j < 10; j++) print(u = "");
Program received signal SIGSEGV, Segmentation fault.
0x000000000054b775 in js_DeflateString (cx=0xa50fd0, chars=0x9ebec0, nchars=700043) at ../jsstr.cpp:3920
3920 bytes[i] = (char) chars[i];
(gdb) p i
$1 = 469152
```
The let is very very much necessary (var quickly causes a non-extensible exception). Using 9 doesn't crash for me, but I think that's mostly execution-environment vagaries.
Comment 3•14 years ago (Assignee)
I feel like I've heard this song before.
Attachment #479237 - Flags: review?(jim)
Updated•14 years ago
blocking2.0: ? → beta8+

Updated•14 years ago
Attachment #479237 - Flags: review?(jimb) → review+
Comment 4•14 years ago (Assignee)
Whiteboard: [sg:critical?][ccbr] → [sg:critical?][ccbr] fixed-in-tracemonkey
Target Milestone: --- → mozilla2.0b8
Comment 5•14 years ago
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

Updated•14 years ago
Target Milestone: mozilla2.0b8 → mozilla2.0b7

Updated•14 years ago
Group: core-security

Updated•13 years ago
Crash Signature: [@ js_DeflateString]
Comment 10•13 years ago
JSBugMon: This bug has been automatically verified fixed.

Updated•13 years ago
Status: RESOLVED → VERIFIED
Comment 11•12 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+