Closed
Bug 576729
Opened 14 years ago
Closed 14 years ago
Crash [@ js::JSProxyHandler::construct] or "Assertion failure: proto->isNative(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
Flag | Tracking | Status
---|---|---
blocking2.0 | --- | betaN+
status1.9.2 | --- | unaffected
status1.9.1 | --- | unaffected
People
(Reporter: gkw, Unassigned)
Details
(4 keywords, Whiteboard: [ccbr][sg:dos])
Description
x = Proxy.createFunction((function() { return { get: function() { return x } } })(), eval)
new(x)

crashes js opt shell on TM tip without -j at js::JSProxyHandler::construct and asserts js debug shell on TM tip without -j at

Assertion failure: proto->isNative(), at ../jsobjinlines.h:636

Seems like a null deref, assuming [sg:dos] but setting s-s just-in-case.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000002d
0x000b5dd8 in js::JSProxyHandler::construct ()
(gdb) bt
#0  0x000b5dd8 in js::JSProxyHandler::construct ()
#1  0x000b472b in js::proxy_Construct ()
#2  0x0006695c in Invoke<int (*)(JSContext*, JSObject*, unsigned int, long*, long*)> ()
#3  0x00067244 in js_Invoke ()
#4  0x000679d6 in js_InvokeConstructor ()
#5  0x000592e0 in js_Interpret ()
#6  0x00066fa6 in js_Execute ()
#7  0x000132f8 in JS_ExecuteScript ()
#8  0x00004b9c in Process ()
#9  0x00008206 in shell ()
#10 0x00008717 in main ()
(gdb) x/i $eip
0xb5dd8 <_ZN2js14JSProxyHandler9constructEP9JSContextP8JSObjectS4_jPlS5_+424>: incl 0x2c(%eax)
(gdb) x/b $eax
0x1: Cannot access memory at address 0x1
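The shape of the test case, rewritten against the standard Proxy API that superseded SpiderMonkey's Proxy.createFunction. This is an added example, not code from the bug report or from the engine: a callable proxy whose get trap answers every property read with the proxy itself, so the `prototype` lookup that construction performs hands the engine a proxy as the new object's prototype. That is exactly what the symbolized stack in comment 1 shows, where `proxy` and `proto` carry the same address (0x10022e0). The function names and the `SELF` sentinel are this example's own; the second case (trap returns a primitive) goes beyond the report to show the fallback a conforming engine applies when the constructor's `prototype` is not an object.

```javascript
// Added example, not part of bug 576729: the old Proxy.createFunction test
// case expressed with the standard Proxy API. Names and the SELF sentinel
// are assumptions made for this example.
const SELF = Symbol('self');

// Build a callable proxy whose get trap answers every property read,
// including the "prototype" read performed by [[Construct]], with `answer`
// (or with the proxy itself when answer === SELF, the bug's shape).
function makeProxy(answer) {
  let p;
  p = new Proxy(function target() {}, {
    get(target, key, receiver) {
      // target.prototype is writable, so reporting a different value here
      // does not violate the Proxy get-trap invariants.
      return answer === SELF ? p : answer;
    },
  });
  return p;
}

// There is no construct trap, so `new p()` falls through to the target's
// [[Construct]] with newTarget === p; the engine then reads p.prototype
// through the get trap to pick the prototype of the new object.
function constructThrough(answer) {
  const p = makeProxy(answer);
  const obj = new p();
  return { p, obj, proto: Object.getPrototypeOf(obj) };
}

// Case 1: the trap returns the proxy itself. A conforming engine accepts the
//         proxy as the prototype instead of assuming a native object, and
//         every later read on obj is routed through the same trap.
// Case 2: the trap returns a primitive. The value is discarded and the
//         realm's Object.prototype is used instead.
function demo() {
  const self = constructThrough(SELF);
  const prim = constructThrough(42);
  return {
    selfProtoIsProxy: self.proto === self.p,
    selfReadGoesThroughTrap: self.obj.anything === self.p,
    primitiveFallsBack: prim.proto === Object.prototype,
  };
}

console.log(demo());
```

Running the block in a current engine prints three `true` values; the point is that a proxy object, not a native one, can legitimately come back from the prototype lookup in the construct path, which is the case the assertion `proto->isNative()` in the debug shell was not prepared for.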
Comment 1 • Reporter • 14 years ago
Assertion failure: proto->isNative(), at ../jsobjinlines.h:636

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0014fb31 in JS_Assert (s=0x1ed938 "proto->isNative()", file=0x1e9568 "../jsobjinlines.h", ln=636) at ../jsutil.cpp:77
77          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x0014fb31 in JS_Assert (s=0x1ed938 "proto->isNative()", file=0x1e9568 "../jsobjinlines.h", ln=636) at ../jsutil.cpp:77
#1  0x00104ccd in js::NewNativeClassInstance (cx=0x865200, clasp=0x20a300, proto=0x10022e0, parent=0x1002000) at jsobjinlines.h:636
#2  0x001057dd in js::JSProxyHandler::construct (this=0x210070, cx=0x865200, proxy=0x10022e0, receiver=0x1002320, argc=0, argv=0x5000e8, rval=0x50012c) at ../jsproxy.cpp:282
#3  0x00103831 in js::JSProxy::construct (cx=0x865200, proxy=0x10022e0, receiver=0x1002320, argc=0, argv=0x5000e8, rval=0x50012c) at ../jsproxy.cpp:809
#4  0x001038c4 in js::proxy_Construct (cx=0x865200, obj=0x1002320, argc=0, argv=0x5000e8, rval=0x50012c) at ../jsproxy.cpp:992
#5  0x000afc45 in js::callJSNative (cx=0x865200, native=0x103847 <js::proxy_Construct(JSContext*, JSObject*, unsigned int, long*, long*)>, thisobj=0x1002320, argc=0, argv=0x5000e8, rval=0x50012c) at jscntxtinlines.h:339
#6  0x000ac3a1 in Invoke<int (*)(JSContext*, JSObject*, unsigned int, long*, long*)> (cx=0x865200, fun=0x0, script=0x0, native=0x103847 <js::proxy_Construct(JSContext*, JSObject*, unsigned int, long*, long*)>, args=@0xbffff2dc, flags=1) at jsinterp.cpp:591
#7  0x000aecf7 in js_Invoke (cx=0x865200, args=@0xbffff2dc, flags=1) at jsinterp.cpp:715
#8  0x000af033 in js_InvokeConstructor (cx=0x865200, args=@0xbffff2dc) at jsinterp.cpp:1140
#9  0x0009b635 in js_Interpret (cx=0x865200) at jsops.cpp:1991
#10 0x000ae293 in js_Execute (cx=0x865200, chain=0x1002000, script=0x40d810, down=0x0, flags=0, result=0xbffff738) at jsinterp.cpp:891
#11 0x00015e69 in JS_ExecuteScript (cx=0x865200, obj=0x1002000, script=0x40d810, rval=0xbffff738) at ../jsapi.cpp:4751
#12 0x00009895 in Process (cx=0x865200, obj=0x1002000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:522
#13 0x0000a259 in ProcessArgs (cx=0x865200, obj=0x1002000, argv=0xbffff908, argc=0) at ../../shell/js.cpp:843
#14 0x0000a372 in shell (cx=0x865200, argc=0, argv=0xbffff908, envp=0xbffff90c) at ../../shell/js.cpp:5025
#15 0x0000a496 in main (argc=0, argv=0xbffff908, envp=0xbffff90c) at ../../shell/js.cpp:5112
Comment 2 • Reporter • 14 years ago
Tested with TM changeset: http://hg.mozilla.org/tracemonkey/rev/28de8731f08c
Comment 3 • Reporter • 14 years ago
This is likely to be fixed by the patch in bug 575208. http://hg.mozilla.org/tracemonkey/rev/9749ef55a16b
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Updated • 14 years ago
blocking2.0: ? → betaN+
Updated • 13 years ago
Crash Signature: [@ js::JSProxyHandler::construct]