Closed Bug 695666 Opened 13 years ago Closed 3 years ago

Aurora: Crash [@ SuppressDeletedPropertyHelper<SingleIdPredicate>]

Categories

(Core :: JavaScript Engine, defect)

9 Branch
x86
Linux
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox9 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: js-triage-needed)

Crash Data

The following test crashes on mozilla-aurora revision 4754469691db (32 bit optimized build, options -m -n):


loadFile();
function loadFile(unused) {
eval("\
function testUndemoteLateGlobalSlots() {\
    for each (aaa in [(null ), '', 0/0, '']) {\
        for each(let aaa in [0, 0]) {\
    try {\
      testUndemoteLateGlobalSlots(aaa);\
    } catch (aaa) {}\
  }\
    }\
    delete aaa;\
}\
assertEq(testUndemoteLateGlobalSlots(), 'ok');\
");
}


I cannot reproduce this issue on mozilla-central. It would be good if someone could check that the underlying bug is also not present on mozilla-central and if we need this fixed on aurora. The crash seems to be a near null-deref:

==36433== Invalid read of size 1
==36433==    at 0x80E3137: bool SuppressDeletedPropertyHelper<SingleIdPredicate>(JSContext*, JSObject*, SingleIdPredicate) (jsiter.cpp:847)
==36433==    by 0x80E3B6E: js_SuppressDeletedProperty(JSContext*, JSObject*, int) (jsiter.cpp:920)
==36433==    by 0x80F04C3: js_DeleteProperty(JSContext*, JSObject*, int, JS::Value*, int) (jsobj.cpp:6467)
==36433==    by 0x8073E3A: JSObject::deleteProperty(JSContext*, int, JS::Value*, int) (jsobjinlines.h:176)
==36433==    by 0x80D3929: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:3166)
==36433==    by 0x80E171A: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:814)
==36433==    by 0x80FA932: EvalKernel(JSContext*, js::CallArgs const&, EvalType, js::StackFrame*, JSObject&) (jsobj.cpp:1283)
==36433==    by 0x80FAD86: js::DirectEval(JSContext*, js::CallArgs const&) (jsobj.cpp:1346)
==36433==    by 0x80DA90D: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:4006)
==36433==    by 0x80E2378: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:814)
==36433==    by 0x80617CD: JS_ExecuteScript (jsapi.cpp:4891)
==36433==    by 0x8050AA6: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:483)
==36433==  Address 0x1c is not stack'd, malloc'd or (recently) free'd
Assignee: general → nobody
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleIdPredicate>] → [@ SuppressDeletedPropertyHelper<SingleIdPredicate>] [@ SuppressDeletedPropertyHelper<T>]

Closing this issue as Resolved > Worksforme since no crashes with this Signature were reported in the last 6 months.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME