Closed Bug 784187 Opened 12 years ago Closed 12 years ago

crash on null deref in js::Vector<js::types::CompilerOutput, 0ul, js::TempAllocPolicy>::operator[]

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: normal


RESOLVED WORKSFORME

People

(Reporter: dholbert, Unassigned)


Attachments

(1 file, 1 obsolete file)

Attached file backtrace in GDB (obsolete) (deleted) —
My mozilla-inbound debug build is crashing when I run mochitests in layout/style like so:

    TEST_PATH=layout/style/ make mochitest-plain

with a null-pointer crash in JS engine code. Backtrace attached. Here are the top few lines of the backtrace (from GDB):

{
Program received signal SIGSEGV, Segmentation fault.
0x00002ae108f46b38 in js::Vector<js::types::CompilerOutput, 0ul, js::TempAllocPolicy>::operator[] (this=0x0, i=3) at ./../../dist/include/js/Vector.h:342
(gdb) bt
#0  0x00002ae108f46b38 in js::Vector<js::types::CompilerOutput, 0ul, js::TempAllocPolicy>::operator[] (this=0x0, i=3) at ./../../dist/include/js/Vector.h:342
#1  0x00002ae108f331fc in js::types::RecompileInfo::compilerOutput (this=0x2ae124b63de8, cx=0x2ae1261cdc10) at ../../../mozilla/js/src/jsinferinlines.h:84
#2  0x00002ae108f39ca9 in js::types::TypeCompartment::addPendingRecompile (this=0x2ae123fc1448, cx=0x2ae1261cdc10, info=...) at ../../../mozilla/js/src/jsinfer.cpp:2109
#3  0x00002ae108f37e10 in TypeConstraintFreeze::newType (this=0x2ae124b63dd0, cx=0x2ae1261cdc10, source=0x2ae124b5e868, type=...) at ../../../mozilla/js/src/jsinfer.cpp:1376
}
Attached file backtrace in GDB (deleted) —
(sorry, that last attachment had an extra copy of the backtrace -- pasted in too much GDB output. This one's more concise)
Attachment #653551 - Attachment is obsolete: true
The crash here is from this chunk, at level #1 in the backtrace (jsinferinlines.h:84):

> inline CompilerOutput*
> RecompileInfo::compilerOutput(JSContext *cx) const
> {
>     return &(*cx->compartment->types.constrainedOutputs)[outputIndex];
> }

As shown in the attached gdb log (attachment 653552), cx->compartment->types.constrainedOutputs is null here, and we're dereferencing it, which makes us crash.
Summary: null-"this" JS crash in js::Vector<js::types::CompilerOutput, 0ul, js::TempAllocPolicy>::operator[] → crash on null deref in js::Vector<js::types::CompilerOutput, 0ul, js::TempAllocPolicy>::operator[]
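The accessor quoted in the comment above dereferences a vector pointer with no null check, which is why GDB reports the fault inside js::Vector::operator[] with this=0x0 rather than at the line that wrote the null. The following is an added, stand-alone illustration of that failure pattern, not SpiderMonkey code: the types CompilerOutput, TypeCompartmentLike and RecompileInfoLike are hypothetical stand-ins built on std::vector, and the "checked" accessor is a defensive variant written here for contrast, not the fix that landed (the bug was resolved by backing out the offending changeset).

```cpp
#include <cstddef>
#include <vector>

// Stand-in for js::types::CompilerOutput (hypothetical, not SpiderMonkey's type).
struct CompilerOutput {
    unsigned scriptId;
};

// Stand-in for the part of TypeCompartment the accessor reads through: a
// *pointer* to a vector, which can be null before any output has been
// constrained (the state the backtrace shows).
struct TypeCompartmentLike {
    std::vector<CompilerOutput>* constrainedOutputs = nullptr;
};

struct RecompileInfoLike {
    unsigned outputIndex;

    // Same shape as the original accessor: no null check, so a null
    // constrainedOutputs becomes a call of operator[] on a null object
    // (this=0x0 in GDB) and a SIGSEGV. Kept for reference; never called here.
    CompilerOutput* compilerOutputUnchecked(TypeCompartmentLike& types) const {
        return &(*types.constrainedOutputs)[outputIndex];
    }

    // Defensive variant: refuse to go through a null vector pointer or an
    // out-of-range index, returning nullptr so a caller can skip the
    // recompile instead of crashing.
    CompilerOutput* compilerOutputChecked(TypeCompartmentLike& types) const {
        if (!types.constrainedOutputs)
            return nullptr;
        if (outputIndex >= types.constrainedOutputs->size())
            return nullptr;
        return &(*types.constrainedOutputs)[outputIndex];
    }
};

// Constructed scenario 1: compartment with no constrained outputs yet, same
// index (3) as in the attached backtrace.
bool checkedReturnsNullOnEmptyCompartment() {
    TypeCompartmentLike types;   // constrainedOutputs == nullptr
    RecompileInfoLike info{3};
    return info.compilerOutputChecked(types) == nullptr;
}

// Constructed scenario 2: compartment that has four outputs; index 3 is valid.
unsigned checkedReturnsElementWhenPresent() {
    std::vector<CompilerOutput> outputs = {{10}, {11}, {12}, {13}};
    TypeCompartmentLike types;
    types.constrainedOutputs = &outputs;
    RecompileInfoLike info{3};
    CompilerOutput* out = info.compilerOutputChecked(types);
    return out ? out->scriptId : 0;
}

// Constructed scenario 3: outputs exist but the index is past the end.
bool checkedReturnsNullOnBadIndex() {
    std::vector<CompilerOutput> outputs = {{10}, {11}};
    TypeCompartmentLike types;
    types.constrainedOutputs = &outputs;
    RecompileInfoLike info{3};
    return info.compilerOutputChecked(types) == nullptr;
}
```

When reading a trace like the one attached, the frame with this=0x0 is the symptom, not the cause; the pointer went null (or was never populated) somewhere earlier in the compartment's lifetime, which is why the reporter looked one frame up at the accessor rather than at Vector.h.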
Ah, my m-i build was at revision https://hg.mozilla.org/integration/mozilla-inbound/rev/1906fe4159fe, which has since been backed out for causing failures. I'm pretty sure this was just one of the issues that it caused. After updating my tree, I haven't crashed (yet) in a run through the layout/style mochitests, so I think the backout fixed this. Marking dependency on that bug and resolving as WORKSFORME.
Status: NEW → RESOLVED
Closed: 12 years ago
Depends on: 783464
Resolution: --- → WORKSFORME