Bug 1377407
Opened 8 years ago
Closed 8 years ago
Crash [@ JSObject::getClass] or Assertion failure: isObject(), at js/Value.h:642 with Intl Collator
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED DUPLICATE of bug 1376547
| Tracking | Status | |
|---|---|---|
| firefox55 | --- | unaffected |
| firefox56 | --- | fixed |
People
(Reporter: decoder, Unassigned)
Details
(5 keywords, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision 53477d584130 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager):
```js
eval(`
  try {
    evaluate(\`
      class MyCollator extends Intl.Collator {}
      var obj = new MyCollator();
      Reflect.apply(MyCollator, "hi!", [" "])
    \`);
  } catch(exc) {}
  Reflect.apply(MyCollator, "hi!", [" "])
`);
```
Backtrace:

```text
received signal SIGSEGV, Segmentation fault.
0x000000000081e3ea in JSObject::getClass (this=<optimized out>) at js/src/jsobj.h:127
#0 0x000000000081e3ea in JSObject::getClass (this=<optimized out>) at js/src/jsobj.h:127
#1 JSObject::getOpsGetProperty (this=0x0) at js/src/jsobj.h:139
#2 js::GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6924000) at js/src/vm/NativeObject.h:1534
#3 js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff6924000) at js/src/jsobj.h:853
#4 js::GetProperty (vp=..., name=0x7ffff46269a0, receiver=..., obj=..., cx=0x7ffff6924000) at js/src/jsobj.h:869
#5 js::GetPrototypeFromConstructor (cx=0x7ffff6924000, newTarget=newTarget@entry=..., proto=...) at js/src/jsobj.cpp:999
#6 0x000000000081e4e5 in js::GetPrototypeFromCallableConstructor (cx=cx@entry=0x7ffff6924000, args=..., proto=..., proto@entry=...) at js/src/jsobj.cpp:1013
#7 0x0000000000521f4f in Collator (args=..., cx=0x7ffff6924000) at js/src/builtin/Intl.cpp:1081
#8 js::intl_Collator (cx=0x7ffff6924000, argc=1, vp=0x7fffffffb690) at js/src/builtin/Intl.cpp:1122
#9 0x000034734ddd949f in ?? ()
[...]
#13 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fffffffb5b0 140737488336304
rcx 0x7fffffffb530 140737488336176
rdx 0x7fffffffb510 140737488336144
rsi 0x7fffffffb560 140737488336224
rdi 0x7ffff6924000 140737330167808
rbp 0x7fffffffb5a0 140737488336288
rsp 0x7fffffffb4e0 140737488336096
r8 0x7fffffffb4f0 140737488336112
r9 0x7ffff4681a00 140737293851136
r10 0x0 0
r11 0x7ffff69161c8 140737330110920
r12 0x7ffff6924020 140737330167840
r13 0x7fffffffc088 140737488339080
r14 0x7ffff46a3380 140737293988736
r15 0x7ffff46a5650 140737293997648
rip 0x81e3ea <js::GetPrototypeFromConstructor(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)+170>
=> 0x81e3ea <js::GetPrototypeFromConstructor(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)+170>: mov (%rax),%rax
0x81e3ed <js::GetPrototypeFromConstructor(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)+173>: mov (%rax),%rax
```
This only triggers when jitting with baseline eager; without it, it just throws an error. Marking s-s until investigated.
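The non-JIT behaviour the reporter describes, as an added example that is not part of the bug report or of SpiderMonkey's code: a JavaScript model of the ECMAScript GetPrototypeFromConstructor step in which the backtrace shows the engine dereferencing a null object (frame #1, `getOpsGetProperty (this=0x0)`), written with the newTarget type check ahead of the `prototype` read, plus checks that invoking the class constructor without `new` through several call paths raises a TypeError instead of constructing anything. The names `getPrototypeFromConstructor`, `throwsTypeError` and `runChecks` are chosen for this example.

```javascript
// Added example, not code from the bug report or from SpiderMonkey.
// Model of the ECMAScript abstract operation
// GetPrototypeFromConstructor(constructor, intrinsicDefaultProto).
// The crash in the report happened while reading "prototype" off a null
// newTarget; this model rejects a non-object newTarget before touching it.
function getPrototypeFromConstructor(newTarget, intrinsicDefaultProto) {
  const isObject = (v) =>
    v !== null && (typeof v === "object" || typeof v === "function");
  if (!isObject(newTarget)) {
    throw new TypeError("newTarget must be an object");
  }
  const proto = newTarget.prototype;
  // A constructor whose "prototype" is not an object falls back to the
  // realm's intrinsic default, as the spec step does.
  return isObject(proto) ? proto : intrinsicDefaultProto;
}

// Same subclass as the reporter's testcase.
class MyCollator extends Intl.Collator {}

// Each entry invokes MyCollator as an ordinary function call, so there is no
// newTarget; the language requires a TypeError here, which is the behaviour
// the reporter observed without --baseline-eager.
const callsWithoutNew = {
  direct: () => MyCollator(" "),
  reflectApply: () => Reflect.apply(MyCollator, "hi!", [" "]),
  functionCall: () => Function.prototype.call.call(MyCollator, "hi!", " "),
};

function throwsTypeError(fn) {
  try {
    fn();
  } catch (e) {
    return e instanceof TypeError;
  }
  return false;
}

// Returns a map of check name -> boolean so the results can be asserted on.
function runChecks() {
  const results = {};
  for (const [name, fn] of Object.entries(callsWithoutNew)) {
    results[name] = throwsTypeError(fn);
  }
  // Genuine construction still works and picks up MyCollator.prototype.
  const viaNew = new MyCollator();
  const viaReflect = Reflect.construct(MyCollator, []);
  results.constructs =
    Object.getPrototypeOf(viaNew) === MyCollator.prototype &&
    Object.getPrototypeOf(viaReflect) === MyCollator.prototype &&
    viaNew.compare("a", "b") < 0;
  // The model: ordinary subclass, fallback for a callable with no usable
  // "prototype" (an arrow function has none), and rejection of null.
  results.modelSubclass =
    getPrototypeFromConstructor(MyCollator, Intl.Collator.prototype) ===
    MyCollator.prototype;
  results.modelFallback =
    getPrototypeFromConstructor(() => {}, Intl.Collator.prototype) ===
    Intl.Collator.prototype;
  results.modelNull = throwsTypeError(() =>
    getPrototypeFromConstructor(null, Intl.Collator.prototype)
  );
  return results;
}

console.log(runChecks());
```

Every value in the returned map is expected to be `true`; a JIT tier that reaches the `prototype` read with a null newTarget, as the backtrace shows Baseline doing here, would crash instead of producing the `false` that a wrong-but-safe implementation would.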
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/68c84d4736ca
user: Ted Campbell
date: Tue Jun 06 10:34:08 2017 -0400
summary: Bug 1169746 - Support |super()| in Baseline. r=jandem
This iteration took 0.587 seconds to run.
Ted, is bug 1169746 a likely regressor?
Blocks: 1169746
Flags: needinfo?(tcampbell)
Comment 3•8 years ago
This is a dupe of Bug 1376547. Awaiting review on patch.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(tcampbell)
Resolution: --- → DUPLICATE
Comment 4•8 years ago
Fixed in the duplicate, which also only affected trunk.
status-firefox55: --- → unaffected
Updated•7 years ago
Group: javascript-core-security