Bug 1109922 - Crash [@ NewObject]
Closed (opened 11 years ago, closed 11 years ago)
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla37
People: Reporter: decoder, Assigned: jonco
Keywords: crash, testcase; Whiteboard: [jsbugmon:ignore]
Attachments (1 file): bug1109922-fix, patch, 1.14 KB, terrence: review+
The following testcase crashes on mozilla-central revision 47f0671e2c65 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug --enable-gccompacting, run with --fuzzing-safe --thread-count=2):
gczeal(14);
b = {};
b.__proto__ = evalcx("lazy");
(function m(b) {})(b.Intl.Collator(float64))
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
NewObject (cx=0x95ff870, type_=0xf63590c0, parent=0xf635c040, kind=js::gc::FINALIZE_OBJECT0_BACKGROUND, newKind=js::SingletonObject) at js/src/jsobj.cpp:1287
1287 MOZ_ASSERT_IF(parent, &parent->global() == cx->global());
#0 NewObject (cx=0x95ff870, type_=0xf63590c0, parent=0xf635c040, kind=js::gc::FINALIZE_OBJECT0_BACKGROUND, newKind=js::SingletonObject) at js/src/jsobj.cpp:1287
#1 0x085aa1a9 in js::NewObjectWithGivenProto (cxArg=cxArg@entry=0x95ff870, clasp=clasp@entry=0x958ffc0 <js::IntlClass>, protoArg=..., parentArg=parentArg@entry=0xf635c040, allocKind=js::gc::FINALIZE_OBJECT0_BACKGROUND, newKind=newKind@entry=js::SingletonObject) at js/src/jsobj.cpp:1411
#2 0x081892d0 in NewObjectWithGivenProto (newKind=js::SingletonObject, parent=0xf635c040, proto=..., clasp=0x958ffc0 <js::IntlClass>, cx=0x95ff870) at js/src/jsobjinlines.h:607
#3 NewObjectWithGivenProto (newKind=js::SingletonObject, parent=0xf635c040, proto=<optimized out>, clasp=0x958ffc0 <js::IntlClass>, cx=0x95ff870) at js/src/jsobjinlines.h:614
#4 initIntlObject (global=..., cx=0x95ff870) at js/src/builtin/Intl.cpp:2074
#5 js::GlobalObject::getOrCreateObject (this=<optimized out>, cx=cx@entry=0x95ff870, init=0x8189080 <js::GlobalObject::initIntlObject(JSContext*, JS::Handle<js::GlobalObject*>)>, slot=41) at js/src/vm/GlobalObject.h:451
#6 0x0818d71d in getOrCreateIntlObject (cx=0x95ff870, this=<optimized out>) at js/src/vm/GlobalObject.h:384
#7 js_InitIntlClass (cx=0x95ff870, obj=...) at js/src/builtin/Intl.cpp:2044
#8 0x0865f1d5 in js::GlobalObject::resolveConstructor (cx=0x95ff870, global=..., key=JSProto_Intl) at js/src/vm/GlobalObject.cpp:126
#9 0x0865f67a in js::GlobalObject::ensureConstructor (cx=cx@entry=0x95ff870, global=..., global@entry=..., key=JSProto_Intl) at js/src/vm/GlobalObject.cpp:95
#10 0x084f27da in JS_ResolveStandardClass (cx=cx@entry=0x95ff870, obj=obj@entry=..., id=id@entry=..., resolved=resolved@entry=0xffffd004) at js/src/jsapi.cpp:1271
#11 0x080b24cf in sandbox_resolve (cx=0x95ff870, obj=..., id=..., resolvedp=0xffffd004) at js/src/shell/js.cpp:2565
#12 0x0863e758 in CallResolveOp (recursedp=<synthetic pointer>, propp=..., objp=..., id=..., obj=..., cx=0x95ff870) at js/src/vm/NativeObject-inl.h:474
#13 js::LookupOwnPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x95ff870, obj=obj@entry=..., id=id@entry=..., objp=objp@entry=..., propp=propp@entry=..., donep=donep@entry=0xffffd07c) at js/src/vm/NativeObject-inl.h:549
#14 0x08648ff5 in js::LookupPropertyInline<(js::AllowGC)1> (cx=0x95ff870, obj=..., id=..., objp=..., propp=...) at js/src/vm/NativeObject-inl.h:589
#15 0x0869c163 in js::baseops::LookupProperty<(js::AllowGC)1> (cx=<optimized out>, cx@entry=0x95ff870, obj=..., obj@entry=..., id=..., id@entry=..., objp=objp@entry=..., propp=propp@entry=...) at js/src/vm/NativeObject.cpp:1550
#16 0x08545cec in JSObject::lookupGeneric (cx=cx@entry=0x95ff870, obj=..., id=id@entry=..., objp=objp@entry=..., propp=propp@entry=...) at js/src/jsobj.cpp:2940
#17 0x084e7247 in LookupPropertyById (cx=cx@entry=0x95ff870, obj=..., obj@entry=..., id=id@entry=..., objp=objp@entry=..., propp=propp@entry=...) at js/src/jsapi.cpp:2585
#18 0x084eff06 in JS_HasPropertyById (cx=cx@entry=0x95ff870, obj=obj@entry=..., id=id@entry=..., foundp=foundp@entry=0xffffd1bc) at js/src/jsapi.cpp:2676
#19 0x08608e1b in js::DirectProxyHandler::has (this=this@entry=0x95b2064 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x95ff870, proxy=proxy@entry=..., id=id@entry=..., bp=bp@entry=0xffffd2ec) at js/src/proxy/DirectProxyHandler.cpp:200
#20 0x08608f0a in js::CrossCompartmentWrapper::has (this=0x95b2064 <js::CrossCompartmentWrapper::singleton>, cx=0x95ff870, wrapper=..., id=..., bp=0xffffd2ec) at js/src/proxy/CrossCompartmentWrapper.cpp:138
#21 0x08613278 in js::Proxy::has (cx=cx@entry=0x95ff870, proxy=proxy@entry=..., id=id@entry=..., bp=bp@entry=0xffffd2ec) at js/src/proxy/Proxy.cpp:258
#22 0x086132b7 in js::proxy_LookupGeneric (cx=0x95ff870, obj=..., id=..., objp=..., propp=...) at js/src/proxy/Proxy.cpp:580
#23 0x08545c94 in JSObject::lookupGeneric (cx=cx@entry=0x95ff870, obj=obj@entry=..., id=id@entry=..., objp=objp@entry=..., propp=propp@entry=...) at js/src/jsobj.cpp:2939
#24 0x08649113 in js::LookupPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x95ff870, obj=..., obj@entry=..., id=id@entry=..., objp=objp@entry=..., propp=propp@entry=...) at js/src/vm/NativeObject-inl.h:605
#25 0x0868588a in GetPropertyHelperInline<(js::AllowGC)1> (cx=0x95ff870, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:1787
#26 0x08685e73 in js::baseops::GetProperty (cx=<optimized out>, cx@entry=0x95ff870, obj=..., obj@entry=..., receiver=..., receiver@entry=..., id=id@entry=..., vp=vp@entry=...) at js/src/vm/NativeObject.cpp:1894
#27 0x08113b4c in JSObject::getGeneric (cx=0x95ff870, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1413
#28 0x08671eb0 in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0xffffd6a8) at js/src/vm/Interpreter.cpp:253
#29 Interpret (cx=cx@entry=0x95ff870, state=...) at js/src/vm/Interpreter.cpp:2359
#30 0x0867ef81 in js::RunScript (cx=cx@entry=0x95ff870, state=...) at js/src/vm/Interpreter.cpp:434
#31 0x0868f691 in js::ExecuteKernel (cx=cx@entry=0x95ff870, script=script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:643
#32 0x086918c7 in js::Execute (cx=cx@entry=0x95ff870, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:680
#33 0x0850e8b7 in ExecuteScript (cx=0x95ff870, obj=..., scriptArg=..., rval=0x0) at js/src/jsapi.cpp:4708
#34 0x0850ea4c in JS_ExecuteScript (cx=<optimized out>, cx@entry=0x95ff870, obj=..., obj@entry=..., scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4730
#35 0x0804d11c in RunFile (compileOnly=false, file=0x96a42d0, filename=0xffffdf6a "min.js", obj=..., cx=0x95ff870) at js/src/shell/js.cpp:450
#36 Process (cx=cx@entry=0x95ff870, obj_=<optimized out>, filename=0xffffdf6a "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:583
#37 0x080a81c9 in ProcessArgs (op=0xffffdc80, obj_=<optimized out>, cx=0x95ff870) at js/src/shell/js.cpp:5434
#38 Shell (envp=<optimized out>, op=0xffffdc80, cx=0x95ff870) at js/src/shell/js.cpp:5673
#39 main (argc=4, argv=0xffffde34, envp=0xffffde48) at js/src/shell/js.cpp:6020
eax 0xf635c040 -164249536
ebx 0x95bbff4 157007860
ecx 0x95ff87c 157284476
edx 0xf63590c0 -164261696
esi 0x95ff870 157284464
edi 0x958ffc0 156827584
ebp 0xffffcba8 4294953896
esp 0xffffcb00 4294953728
eip 0x85a9b88 <NewObject(js::ExclusiveContext*, js::types::TypeObject*, JSObject*, js::gc::AllocKind, js::NewObjectKind)+72>
=> 0x85a9b88 <NewObject(js::ExclusiveContext*, js::types::TypeObject*, JSObject*, js::gc::AllocKind, js::NewObjectKind)+72>: mov (%eax),%eax
0x85a9b8a <NewObject(js::ExclusiveContext*, js::types::TypeObject*, JSObject*, js::gc::AllocKind, js::NewObjectKind)+74>: test %eax,%eax
Not s-s because compacting GC is not enabled yet in any builds.
Comment 1 (Assignee) • 11 years ago
Here's a fix for this situation.
We should probably make all the NewObjectWithBlah() methods take handles to prevent this kind of error in the future.
Assignee: nobody → jcoppeard
Attachment #8535666 - Flags: review?(terrence)
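Added illustration of the kind of error comment 1 refers to (not SpiderMonkey code and not the attached patch): a toy moving heap in C++ where a raw parent pointer held across an allocation goes stale once a compaction moves the object, while a Handle to a rooted slot is fixed up by the collector and still passes the "same global as cx?" check. Obj, Heap, root(), newObjectRaw, newObjectHandle and run are all names invented for this example; the heap keeps retired arenas allocated and poisoned so that the stale read is well defined.

```cpp
#include <cstdint>
#include <list>
#include <memory>
#include <utility>
#include <vector>

struct Obj { uint32_t magic; uint32_t global; };   // global: id of the owning global
// Toy moving heap: compaction copies live objects into a fresh arena and poisons
// the old cells (kept allocated, so a stale read stays well defined in the toy).
struct Heap {
    std::vector<std::unique_ptr<Obj[]>> arenas;
    Obj* cur; unsigned count = 0;
    bool zealCompact = false;       // analogue of gczeal(14): compact on every alloc
    std::list<Obj*> roots;          // rooted slots; only these are fixed up on a move
    Heap() { arenas.emplace_back(new Obj[8]); cur = arenas.back().get(); }
    Obj** root(Obj* p) { roots.push_back(p); return &roots.back(); }   // yields a Handle
    Obj* alloc(uint32_t global) {
        if (zealCompact) compact();
        cur[count] = Obj{0xC0FFEE, global};
        return &cur[count++];
    }
    void compact() {
        arenas.emplace_back(new Obj[8]);
        Obj* next = arenas.back().get();
        for (unsigned i = 0; i < count; i++) { next[i] = cur[i]; cur[i] = Obj{0xDEAD, 0xFFFFFFFF}; }
        for (Obj*& slot : roots) slot = next + (slot - cur);   // raw pointers are NOT updated
        cur = next;
    }
};
typedef Obj** Handle;   // pointer to a rooted slot, re-read after every GC
// Buggy shape (raw parent pointer): the allocation moves parent, so the later
// "same global as cx?" check, like the failing MOZ_ASSERT_IF, reads poison.
bool newObjectRaw(Heap& heap, Obj* parent, uint32_t cxGlobal) {
    heap.alloc(cxGlobal);                        // e.g. allocating the proto triggers GC
    return parent->magic == 0xC0FFEE && parent->global == cxGlobal;
}
// Fixed shape: parent arrives as a Handle and is dereferenced after the allocation.
bool newObjectHandle(Heap& heap, Handle parent, uint32_t cxGlobal) {
    heap.alloc(cxGlobal);
    return (*parent)->magic == 0xC0FFEE && (*parent)->global == cxGlobal;
}
// Runs both shapes on a fresh heap (zeal=true: compact on every alloc); returns {handleOk, rawOk}.
std::pair<bool, bool> run(bool zeal) {
    Heap heap; heap.zealCompact = zeal;
    Handle rooted = heap.root(heap.alloc(1));
    Obj* rawParent = heap.alloc(1);
    bool handleOk = newObjectHandle(heap, rooted, 1);
    return {handleOk, newObjectRaw(heap, rawParent, 1)};
}
```

With zeal off the raw pointer happens to survive, which is why such a bug only surfaces under gczeal or a compacting-GC build.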
Comment 2 • 11 years ago
Comment on attachment 8535666 [details] [diff] [review]
bug1109922-fix
Review of attachment 8535666 [details] [diff] [review]:
-----------------------------------------------------------------
Good idea.
Attachment #8535666 - Flags: review?(terrence) → review+
Comment 3 (Assignee) • 11 years ago
Comment 4 • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Comment 5 • 11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/def6ed9d1c1a
For those of us that frequently skip Intl for faster builds.
Comment 6 • 11 years ago