Bug 1112585 - Assertion failure: this->is<T>(), at js/src/jsobj.h:735 or Crash [@ js::ScriptedIndirectProxyHandler::defineProperty]
Status: Closed, RESOLVED FIXED
Opened 11 years ago, closed 10 years ago
Categories: Core :: JavaScript Engine, defect
Tracking: firefox37 affected
People: Reporter: decoder, Unassigned
Keywords: 4 keywords; Whiteboard: [jsbugmon:]
Description (comment 0, Reporter):
The following testcase crashes on mozilla-central revision b7eb1ce0237d (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off):
var gTestcases = new Array();
var gTc = gTestcases.length;
function startTest() {
  gTestcases[gTc++] = this;   // [[Set]] of index 0 on an Array that has no own element 0
}
// Legacy (pre-ES6) SpiderMonkey proxy API: the first argument is a handler
// object of traps, the second is the proxy's prototype.
var protoArr = Proxy.create({
  getOwnPropertyDescriptor: function(name) {
    // The string condition is a fuzzer leftover and is always truthy: every
    // lookup reports a getter-only accessor, so a [[Set]] finds no setter.
    if ("for (var x of y) @") return { get: function() { return this[0]; } };
  },
}, null);
// Splice the proxy into the prototype chain of every Array.
void (Array.prototype.__proto__ = protoArr);
startTest();
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
js::ScriptedIndirectProxyHandler::defineProperty (this=0x9310ab4, cx=0x933a1e8, proxy=(JSObject * const) 0xf6900050 [object Array], id=$jsid(0), desc={obj = (JSObject *) 0xf6346040 [object Proxy], attrs = 61524, getter = 0xf69000c0, setter = 0, value = $jsval(-nan(0xfff88f6345040))}) at js/src/proxy/ScriptedIndirectProxyHandler.cpp:201
201 RootedObject handler(cx, GetIndirectProxyHandlerObject(proxy));
#0 js::ScriptedIndirectProxyHandler::defineProperty (this=0x9310ab4, cx=0x933a1e8, proxy=(JSObject * const) 0xf6900050 [object Array], id=$jsid(0), desc={obj = (JSObject *) 0xf6346040 [object Proxy], attrs = 61524, getter = 0xf69000c0, setter = 0, value = $jsval(-nan(0xfff88f6345040))}) at js/src/proxy/ScriptedIndirectProxyHandler.cpp:201
#1 0x084abf80 in js::SetPropertyIgnoringNamedGetter (cx=0x933a1e8, handler=0x9310ab4, proxy=(JSObject * const) 0xf6346040 [object Proxy], receiver=(JSObject * const) 0xf6900050 [object Array], id=$jsid(0), desc={obj = (JSObject *) 0xf6346040 [object Proxy], attrs = 61524, getter = 0xf69000c0, setter = 0, value = $jsval(-nan(0xfff88f6345040))}, descIsOwn=true, strict=false, vp=$jsval(-nan(0xfff88f6345040))) at js/src/proxy/BaseProxyHandler.cpp:186
#2 0x084b0117 in js::ScriptedIndirectProxyHandler::derivedSet (this=0x9310ab4, cx=0x933a1e8, proxy=(JSObject * const) 0xf6346040 [object Proxy], receiver=(JSObject * const) 0xf6900050 [object Array], id=$jsid(0), strict=false, vp=$jsval(-nan(0xfff88f6345040))) at js/src/proxy/ScriptedIndirectProxyHandler.cpp:332
#3 0x084b0348 in js::ScriptedIndirectProxyHandler::set (this=0x9310ab4, cx=0x933a1e8, proxy=(JSObject * const) 0xf6346040 [object Proxy], receiver=(JSObject * const) 0xf6900050 [object Array], id=$jsid(0), strict=false, vp=$jsval(-nan(0xfff88f6345040))) at js/src/proxy/ScriptedIndirectProxyHandler.cpp:311
#4 0x084ae5f9 in js::Proxy::set (cx=0x933a1e8, proxy=(JSObject * const) 0xf6346040 [object Proxy], receiver=(JSObject * const) 0xf6900050 [object Array], id=$jsid(0), strict=false, vp=$jsval(-nan(0xfff88f6345040))) at js/src/proxy/Proxy.cpp:336
#5 0x08534e30 in setGeneric (strict=<optimized out>, vp=..., id=..., receiver=..., obj=(JSObject * const) 0xf6346040 [object Proxy], cx=0x933a1e8) at js/src/vm/NativeObject.h:1428
#6 js::baseops::SetPropertyHelper<(js::ExecutionMode)0> (cxArg=0x933a1e8, obj=(js::NativeObject * const) 0xf6900050 [object Array], receiver=(JSObject * const) 0xf6900050 [object Array], id=$jsid(0), qualified=js::baseops::Qualified, vp=$jsval(-nan(0xfff88f6345040)), strict=false) at js/src/vm/NativeObject.cpp:2353
#7 0x08505eea in setGeneric (strict=<optimized out>, vp=..., id=..., receiver=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject.h:1430
#8 SetObjectElementOperation (pc=<optimized out>, script=<optimized out>, strict=<optimized out>, value=..., id=..., obj=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:1330
#9 Interpret (cx=0x933a1e8, state=...) at js/src/vm/Interpreter.cpp:2445
#10 0x08507a4b in js::RunScript (cx=0x933a1e8, state=...) at js/src/vm/Interpreter.cpp:432
#11 0x08507cba in js::ExecuteKernel (cx=0x933a1e8, script=0xf63490d0, scopeChainArg=(JSObject &) @0xf6345040 [object global] delegate, thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=..., result=0x0) at js/src/vm/Interpreter.cpp:641
#12 0x08507dea in js::Execute (cx=0x933a1e8, script=0xf63490d0, scopeChainArg=(JSObject &) @0xf6345040 [object global] delegate, rval=0x0) at js/src/vm/Interpreter.cpp:678
#13 0x083e15e9 in ExecuteScript (cx=0x933a1e8, obj=..., scriptArg=0xf63490d0, rval=0x0) at js/src/jsapi.cpp:4310
#14 0x08058f13 in RunFile (compileOnly=false, file=0x93d9840, filename=0xffffdf6c "min.js", obj=..., cx=0x933a1e8) at js/src/shell/js.cpp:450
#15 Process (cx=0x933a1e8, obj_=<optimized out>, filename=0xffffdf6c "min.js", forceTTY=false) at js/src/shell/js.cpp:583
#16 0x0805c63a in ProcessArgs (op=0xffffdc58, obj_=<optimized out>, cx=0x933a1e8) at js/src/shell/js.cpp:5320
#17 Shell (op=<optimized out>, cx=0x933a1e8, envp=<optimized out>) at js/src/shell/js.cpp:5559
#18 main (argc=154169288, argv=0x879f581, envp=0x0) at js/src/shell/js.cpp:5898
eax 0x0 0
ebx 0x930fff4 154206196
ecx 0x9310ab4 154208948
edx 0xffffd20c -11764
esi 0x933a1e8 154378728
edi 0x933a21c 154378780
ebp 0xffffd1fc 4294955516
esp 0xffffd170 4294955376
eip 0x84a901d <js::ScriptedIndirectProxyHandler::defineProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>) const+61>
=> 0x84a901d <js::ScriptedIndirectProxyHandler::defineProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>) const+61>: mov (%eax),%eax
0x84a901f <js::ScriptedIndirectProxyHandler::defineProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>) const+63>: movl $0x0,0x58(%esp)
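The testcase's shape in standard (ES2015) Proxy terms, as an added example that is not part of the bug report or of SpiderMonkey. derivedSet() spells out the [[Set]] walk that legacy Proxy.create() handlers derived from getOwnPropertyDescriptor (a modern Proxy without a set trap just forwards to its target, so the derivation has to be written out): when the chain ends in a proxy reporting a getter-only accessor for index 0, the assignment fails and nothing is defined anywhere; when it reports a writable data property, the receiver gets its own copy through an ordinary defineProperty on the receiver, never through the proxy's handler. That receiver/proxy distinction is what frame #0 of the backtrace shows being lost: the handler's defineProperty is entered with proxy=[object Array], which is the receiver of frame #1. The names makeProtoProxy, derivedSet and runTestcaseShape are hypothetical, and the prototype chain is built on a private object instead of rewriting Array.prototype.

```javascript
'use strict';
// Added example, not code from the bug report or from SpiderMonkey. Uses the
// standard `new Proxy` API; the testcase's Proxy.create() is the legacy API
// whose handlers derived [[Set]] from getOwnPropertyDescriptor. All names
// here are hypothetical.

function isAccessor(desc) {
  return 'get' in desc || 'set' in desc;
}

// Proxy that sits at the end of a prototype chain, as protoArr does in the
// testcase. Index "0" is reported as a getter-only accessor (the testcase's
// shape); index "1" as a writable inherited data property, for contrast.
// The defineProperty trap only records calls: a [[Set]] on a descendant
// object must never reach it.
function makeProtoProxy(trapLog) {
  return new Proxy({}, {
    getOwnPropertyDescriptor(target, key) {
      if (key === '0') return { get() { return 'getter-only'; }, configurable: true };
      if (key === '1') return { value: 'inherited', writable: true, configurable: true };
      return Reflect.getOwnPropertyDescriptor(target, key);
    },
    defineProperty(target, key, desc) {
      trapLog.push('defineProperty(' + String(key) + ')');
      return Reflect.defineProperty(target, key, desc);
    },
  });
}

// [[Set]] walked the way OrdinarySet does: `obj` is the chain link being
// examined (Reflect.getOwnPropertyDescriptor invokes the trap when it is a
// Proxy); `receiver` is the object the assignment was made on. Returns false
// where a strict-mode assignment would throw a TypeError.
function derivedSet(obj, key, value, receiver) {
  let desc = Reflect.getOwnPropertyDescriptor(obj, key);
  if (desc === undefined) {
    const parent = Reflect.getPrototypeOf(obj);
    if (parent !== null) return derivedSet(parent, key, value, receiver);
    // Not found anywhere: behave as for a fresh writable data property.
    desc = { value: undefined, writable: true, enumerable: true, configurable: true };
  }
  if (isAccessor(desc)) {
    // An accessor completes the assignment only through its setter. With no
    // setter the [[Set]] fails and nothing is defined anywhere.
    if (typeof desc.set !== 'function') return false;
    Reflect.apply(desc.set, receiver, [value]);
    return true;
  }
  if (!desc.writable) return false;
  if (receiver === null || (typeof receiver !== 'object' && typeof receiver !== 'function')) return false;
  const own = Reflect.getOwnPropertyDescriptor(receiver, key);
  if (own !== undefined) {
    if (isAccessor(own) || !own.writable) return false;
    return Reflect.defineProperty(receiver, key, { value });
  }
  // The only defineProperty in a [[Set]] is this ordinary-object operation on
  // the receiver; the proxy found on the chain is not asked to define anything.
  return Reflect.defineProperty(receiver, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
}

// Reproduce the testcase's shape without touching the real Array.prototype:
// an empty Array whose prototype chain ends in the proxy.
function runTestcaseShape() {
  const trapLog = [];
  const arr = [];
  Object.setPrototypeOf(arr, Object.create(makeProtoProxy(trapLog)));
  return {
    set0: derivedSet(arr, '0', 'x', arr),                  // false: getter-only accessor
    own0: Object.prototype.hasOwnProperty.call(arr, '0'),  // false: receiver untouched
    set1: derivedSet(arr, '1', 'y', arr),                  // true: shadowed on the receiver
    own1: Object.getOwnPropertyDescriptor(arr, '1'),       // own writable data property
    trapLog,                                               // []: handler never asked to defineProperty
  };
}

console.log(runTestcaseShape());
```

Run with node; runTestcaseShape() returns the four observations in the comments. Reflect.set on the same objects would succeed in a current engine, because a modern Proxy's [[Set]] consults its target rather than its getOwnPropertyDescriptor trap; derivedSet follows the legacy derivation that the backtrace's derivedSet/SetPropertyIgnoringNamedGetter frames implement.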
Reporter, updated 10 years ago:
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2, Reporter, 10 years ago:
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6a71021584ff
user: Jason Orendorff
date: Fri Nov 07 13:45:23 2014 -0600
summary: Bug 1090636, part 14 - Rewrite SetPropertyHelper. r=efaust.
This iteration took 624.226 seconds to run.
Comment 3, 10 years ago:
Jason, is bug 1090636 a likely regressor?
Blocks: 1090636
Flags: needinfo?(jorendorff)
Reporter, updated 10 years ago:
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 4, Reporter, 10 years ago:
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 13fe5ad0364d).
Updated 10 years ago:
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Comment 5, 10 years ago:
Suspecting that this might be fixed by bug 1113980 comment 10.
Reporter, updated 10 years ago:
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 6, Reporter, 10 years ago:
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7fbd629599de
user: Tom Schuster
date: Thu Jan 01 16:42:41 2015 +0100
summary: Bug 1113980 - Try to fix a bug with [[Set]] and old proxies. r=Waldo
This iteration took 495.115 seconds to run.
Comment 7, 10 years ago:
This was indeed fixed.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → FIXED