Bug 1514682 Comment 0 Edit History


The following testcase crashes the latest debug build of the jsshell. It requires the --ion-eager flag.

Testcase:
o0=(class Cl26349 extends ReferenceError{ set stack (x) {super.stack=fun0()}});
o1=new o0(o0,null);
o0.__proto__=o1.__proto__;
o26=[1.1,2.2,3.3];
o26.__proto__=o0.__proto__;
o39=[1.1,2.2,3.3];
o26['stack']={};
function fun0() {
        o26.__proto__=o39.__proto__;
        return 0xdead;
}
Debugger output:
lldb-4.0 -- ./build/js --ion-eager bug.js
(lldb) target create "./build/js"
Current executable set to './build/js' (x86_64).
(lldb) settings set -- target.run-args  "--ion-eager" "bug.js"
(lldb) r
Process 18223 launched: './build/js' (x86_64)
Assertion failure: obj->is<PlainObject>(), at /builds/worker/workspace/build/src/js/src/jit/CacheIR.cpp:4626
Process 18223 stopped
* thread #1, name = 'js', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
    frame #0: 0x00005555561bd340 js`js::jit::SetPropIRGenerator::tryAttachAddSlotStub(JS::Handle<js::ObjectGroup*>, JS::Handle<js::Shape*>) + 4800
js`js::jit::SetPropIRGenerator::tryAttachAddSlotStub:
->  0x5555561bd340 <+4800>: movl   $0x1212, 0x0              ; imm = 0x1212
    0x5555561bd34b <+4811>: callq  0x5555557655f2            ; abort
    0x5555561bd350 <+4816>: leaq   0x7f4676(%rip), %rdi      ;  + 10701
    0x5555561bd357 <+4823>: leaq   0x7f467d(%rip), %rsi      ;  + 10715
(lldb) bt 16
* thread #1, name = 'js', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
  * frame #0: 0x00005555561bd340 js`js::jit::SetPropIRGenerator::tryAttachAddSlotStub(JS::Handle<js::ObjectGroup*>, JS::Handle<js::Shape*>) + 4800
    frame #1: 0x000055555609e9a2 js`js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICSetProp_Fallback*, JS::Value*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) + 2738
    frame #2: 0x000025b6efb8e9f5
    frame #3: 0x000025b6efb7cac4
    frame #4: 0x000055555632c914 js`js::jit::MaybeEnterJit(JSContext*, js::RunState&) + 1636
    frame #5: 0x00005555557e2ac7 js`js::RunScript(JSContext*, js::RunState&) + 535
    frame #6: 0x00005555557f7d75 js`js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 1077
    frame #7: 0x00005555557f837d js`js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 621
    frame #8: 0x000055555591fa96 js`ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 294
    frame #9: 0x000055555591fc06 js`JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 150
    frame #10: 0x00005555557422d9 js`RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) + 521
    frame #11: 0x000055555574165f js`Process(JSContext*, char const*, bool, FileKind) + 2463
    frame #12: 0x00005555556f9ed0 js`main + 17552
    frame #13: 0x00007ffff6af81c1 libc.so.6`__libc_start_main + 241
    frame #14: 0x00005555556f0f55 js`_start + 41
