Bug 1191763 - Crash [@ proto] with super
Status: Closed, RESOLVED DUPLICATE of bug 1185961
Opened 10 years ago, closed 10 years ago
Categories: Core :: JavaScript Engine, defect
Tracking: firefox42 affected
People: Reporter: decoder, Unassigned
Details: Keywords: crash, regression, testcase; Whiteboard: [jsbugmon:update,bisect]
The following testcase crashes on mozilla-central revision d3228c82badd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --thread-count=2):
// Handler whose get trap is an object-literal method, so it has a [[HomeObject]]
// and is allowed to use `super`.
function throwIfNoSuchProperty(obj) {
    return new Proxy(obj, {
        get(t, id) {
            // Fuzzer-generated expression: `super.try` is looked up through the
            // home object's prototype before the rest of the expression runs.
            if ((super.try[!hadWerror].shift.f++) in t)
                return t[id];
        }
    });
};
var touchyHandler = throwIfNoSuchProperty({});
var target = {};
var proto = new Proxy(target, touchyHandler);
var receiver = Object.create(proto);
// No own `x` on receiver, so [[Set]] walks to `proto`; fetching the `set` trap
// from touchyHandler (itself a Proxy) runs the get trap above.
receiver.x = 2;
Backtrace:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 proto (this=<optimized out>) at js/src/vm/ObjectGroup.h:201
#1 getTaggedProto (this=<optimized out>) at js/src/jsobj.h:360
#2 GetPrototype (protop=..., obj=..., cx=<optimized out>) at js/src/jsobjinlines.h:153
#3 Interpret (cx=0x7fc5f1282210, state=...) at js/src/vm/Interpreter.cpp:3969
#4 0x00000000005c161d in js::RunScript (cx=cx@entry=0x7fc5f1282210, state=...) at js/src/vm/Interpreter.cpp:661
#5 0x00000000005c1c05 in js::Invoke (cx=cx@entry=0x7fc5f1282210, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:738
#6 0x00000000005c30c8 in js::Invoke (cx=cx@entry=0x7fc5f1282210, thisv=..., fval=..., argc=argc@entry=3, argv=argv@entry=0x7fffe6018180, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:775
#7 0x0000000000956b1f in js::ScriptedDirectProxyHandler::get (this=<optimized out>, cx=0x7fc5f1282210, proxy=..., receiver=..., id=..., vp=...) at js/src/proxy/ScriptedDirectProxyHandler.cpp:883
#8 0x0000000000971fbe in js::Proxy::get (cx=0x7fc5f1282210, proxy=..., receiver=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:286
#9 0x0000000000961255 in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7fc5f1282210) at js/src/vm/NativeObject.h:1416
#10 GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7fc5f1282210) at js/src/jsobj.h:828
#11 js::ScriptedDirectProxyHandler::set (this=<optimized out>, cx=0x7fc5f1282210, proxy=..., id=..., v=..., receiver=..., result=...) at js/src/proxy/ScriptedDirectProxyHandler.cpp:931
#12 0x0000000000971a81 in js::Proxy::set (cx=0x7fc5f1282210, proxy=..., id=..., v=..., receiver=..., result=...) at js/src/proxy/Proxy.cpp:326
#13 0x00000000008f2f15 in JSObject::nonNativeSetProperty (cx=0x7fc5f1282210, obj=..., id=..., v=..., receiver=..., result=...) at js/src/jsobj.cpp:1050
#14 0x0000000000604844 in js::NativeSetProperty (cx=0x7fc5f1282210, obj=..., id=..., value=..., receiver=..., qualified=js::Qualified, result=...) at js/src/vm/NativeObject.cpp:2356
#15 0x00000000005bd912 in SetProperty (result=..., receiver=..., v=..., id=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject.h:1434
#16 SetPropertyOperation (rval=..., id=..., lval=..., op=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter.cpp:317
#17 Interpret (cx=0x7fc5f1282210, state=...) at js/src/vm/Interpreter.cpp:2777
#18 0x00000000005c161d in js::RunScript (cx=cx@entry=0x7fc5f1282210, state=...) at js/src/vm/Interpreter.cpp:661
#19 0x00000000005c1c05 in js::Invoke (cx=cx@entry=0x7fc5f1282210, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:738
#20 0x00000000005c30c8 in js::Invoke (cx=cx@entry=0x7fc5f1282210, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffe60197c8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:775
#21 0x000000000075995d in js::jit::DoCallFallback (cx=0x7fc5f1282210, frame=0x7fffe60197f8, stub_=0x7fc5eef2f720, argc=0, vp=0x7fffe60197b8, res=...) at js/src/jit/BaselineIC.cpp:9867
#22 0x00007fc5f2905184 in ?? ()
[...]
#32 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fc5f1282210 140488131224080
rcx 0x7fffe60179f0 140737052244464
rdx 0x7fc5ef106e90 140488096116368
rsi 0x7fc5f1282210 140488131224080
rdi 0x7fffe60179d0 140737052244432
rbp 0x7fc5f1282228 140488131224104
rsp 0x7fffe60172b0 140737052242608
r8 0x0 0
r9 0x0 0
r10 0x7fc5ef106f70 140488096116592
r11 0xfff9000000000000 -1970324836974592
r12 0x17865c0 24667584
r13 0x17e6e60 25063008
r14 0x1788c60 24677472
r15 0x17892a0 24679072
rip 0x5b8277 <Interpret(JSContext*, js::RunState&)+22999>
=> 0x5b8277 <Interpret(JSContext*, js::RunState&)+22999>: mov (%rax),%rax
0x5b827a <Interpret(JSContext*, js::RunState&)+23002>: lea 0x10(%rdi),%rsi
Comment 1 (Reporter) • 10 years ago
Needinfo from efaust because it could be related to ES6 classes.
Flags: needinfo?(efaustbmo)
Updated•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(efaustbmo)
Resolution: --- → DUPLICATE