jsscope.c, lines 77-78, in function js_GetMutableScope:
> scope = (JSScope *) js_DropObjectMap(cx, &scope->map, obj);
> JS_TRANSFER_SCOPE_LOCK(cx, scope, newscope);

jslock.h, lines 188-189:
> #define JS_TRANSFER_SCOPE_LOCK(cx, scope, newscope) \
>     js_TransferTitle(cx, &scope->title, &newscope->title)

jslock.c, lines 1155 ff., in function js_TransferTitle:
> /*
>  * If the last reference to oldtitle went away, newtitle needs no lock
>  * state update.
>  */
> if (!oldtitle)
>     return;

If js_DropObjectMap returns NULL, then oldtitle here is not null but some small offset from null. This was causing crashes for me in js shell yesterday. I rebuilt and the symptom vanished (could be anything), but this still looks like a bug to me.
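An added C illustration of the guard bypass described in this comment, using the `scope ? &scope->title : NULL` variant from comment 1 as the corrected macro; this is not SpiderMonkey code, and JSScope, JSTitle and transfer_title are constructed stand-ins for the real types and js_TransferTitle.

```c
#include <stddef.h>

/* Constructed stand-ins for the SpiderMonkey types named in the report. */
typedef struct JSTitle { void *ownercx; int count; } JSTitle;
typedef struct JSScope {
    void   *map;    /* stands in for the JSObjectMap header at the front */
    JSTitle title;  /* sits at a non-zero offset, like the real scope->title */
} JSScope;

/* Mirrors the guard quoted from js_TransferTitle: returns 1 when the transfer
 * is skipped because oldtitle is NULL, 0 when lock state would be moved. */
static int transfer_title(void *cx, JSTitle *oldtitle, JSTitle *newtitle)
{
    (void)cx;
    if (!oldtitle)
        return 1;
    newtitle->count = oldtitle->count;  /* the real code moves lock state here */
    return 0;
}

/* Shape of the macro quoted from jslock.h: with scope == NULL this evaluates
 * &NULL->title, which is undefined behaviour and in practice yields a small
 * non-NULL address, so the !oldtitle guard above never fires. Defined for
 * comparison only; it is deliberately never invoked with NULL below. */
#define JS_TRANSFER_SCOPE_LOCK_ORIG(cx, scope, newscope) \
    transfer_title(cx, &(scope)->title, &(newscope)->title)

/* The variant from comment 1: pass NULL through instead of a bogus offset. */
#define JS_TRANSFER_SCOPE_LOCK_FIXED(cx, scope, newscope) \
    transfer_title(cx, (scope) ? &(scope)->title : NULL, &(newscope)->title)

/* Why the original guard cannot catch this case: title is not at offset 0,
 * so &scope->title differs from scope itself even when scope is NULL. */
size_t title_offset(void) { return offsetof(JSScope, title); }

/* js_DropObjectMap returned NULL: the fixed macro lets the guard fire. */
int fixed_skips_on_null(void)
{
    JSScope *scope = NULL;
    JSScope newscope = { NULL, { NULL, 0 } };
    return JS_TRANSFER_SCOPE_LOCK_FIXED(NULL, scope, &newscope);
}

/* Live old scope: the fixed macro still transfers state as before. */
int fixed_transfers_when_live(void)
{
    JSScope scope = { NULL, { NULL, 7 } };
    JSScope newscope = { NULL, { NULL, 0 } };
    int skipped = JS_TRANSFER_SCOPE_LOCK_FIXED(NULL, &scope, &newscope);
    return !skipped && newscope.title.count == 7;
}
```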
Yeah, should JS_TRANSFER_SCOPE_LOCK use scope ? &scope->title : NULL instead?
Stop, wait -- how can scope be null? If js_DropObjectMap returns null, we somehow lost the prototype's reference to the shared scope. How did that happen? /be
Is this still happening? /be
I suspect comment 2 was right, it should never have happened. I hit it while debugging some other crash. It was probably just a bogus build. Marking INVALID.