492904 - TM: Crash [@ TraceRecorder::test_property_cache]

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

eval;
f = function(){}
f();
(function() {
    for (var x = 0; x < 3; ++x) {
        if (x % 3 == 1) {
            this.setDay
        }
        eval("this")
    }
})()

crashes TM js shell with -j, both dbg and opt, near null at TraceRecorder::test_property_cache

Probably because obj in obj->classword in STOBJ_GET_CLASS function is null.


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x000f107d in STOBJ_GET_CLASS (obj=0x0) at jsobj.h:254
254         return (JSClass *) (obj->classword & ~JSSLOT_CLASS_MASK_BITS);
(gdb) bt
#0  0x000f107d in STOBJ_GET_CLASS (obj=0x0) at jsobj.h:254
#1  0x00148e8d in TraceRecorder::test_property_cache (this=0x30dd90, obj=0x0, obj_ins=0x26f0f4, obj2=@0xbfffedd8, pcval=@0xbfffedd4) at ../jstracer.cpp:6332
#2  0x0014a32a in TraceRecorder::prop (this=0x30dd90, obj=0x0, obj_ins=0x26f0f4, slot=@0xbfffee54, v_ins=@0xbfffee50) at ../jstracer.cpp:8812
#3  0x0014ad50 in TraceRecorder::getProp (this=0x30dd90, obj=0x0, obj_ins=0x26f0f4) at ../jstracer.cpp:9040
#4  0x0014b1e3 in TraceRecorder::record_JSOP_GETTHISPROP (this=0x30dd90) at ../jstracer.cpp:10375
#5  0x00158501 in TraceRecorder::monitorRecording (cx=0x30bc60, tr=0x30dd90, op=JSOP_GETTHISPROP) at jsopcode.tbl:524
#6  0x0006ca3e in js_Interpret (cx=0x30bc60) at ../jsinterp.cpp:3019
#7  0x0009686c in js_Execute (cx=0x30bc60, chain=0x2b3000, script=0x30dac0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1603
#8  0x0001de06 in JS_ExecuteScript (cx=0x30bc60, obj=0x2b3000, script=0x30dac0, rval=0x0) at ../jsapi.cpp:5040
#9  0x00008083 in Process (cx=0x30bc60, obj=0x2b3000, filename=0xbffff9df "274a.js", forceTTY=0) at ../../shell/js.cpp:412
#10 0x000098b6 in ProcessArgs (cx=0x30bc60, obj=0x2b3000, argv=0xbffff90c, argc=2) at ../../shell/js.cpp:806
#11 0x0000ad60 in main (argc=2, argv=0xbffff90c, envp=0xbffff918) at ../../shell/js.cpp:4729
(gdb) l
249     #define JSSLOT_CLASS_MASK_BITS 3
250
251     JS_ALWAYS_INLINE JSClass*
252     STOBJ_GET_CLASS(const JSObject* obj)
253     {
254         return (JSClass *) (obj->classword & ~JSSLOT_CLASS_MASK_BITS);
255     }
256
257     #define STOBJ_IS_DELEGATE(obj)  (((obj)->classword & 1) != 0)
258     #define STOBJ_SET_DELEGATE(obj) ((obj)->classword |= 1)
(gdb) p obj
$1 = (const JSObject *) 0x0
(gdb)


This is a regression; window is from the start of -j implementation to http://hg.mozilla.org/tracemonkey/rev/04c360f123e5

Comment 1

[Brendan Eich [:brendan]]

Attachment: fix

Comment 2

[Brendan Eich [:brendan]]

Ancient bug, we have talked about it in the past -- sorry for not following up. Even the recent wrapped-this-related work failed to make the recorder match the interpreter by computing this if necessary.

/be

Comment 3

[Brendan Eich [:brendan]]

http://hg.mozilla.org/tracemonkey/rev/f942b5fa3935

/be

Comment 4

[Brendan Eich [:brendan]]

http://hg.mozilla.org/mozilla-central/rev/a27e28295c72

/be

Comment 5

[Robert Sayre]

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/3a66a6f4649a

Comment 6

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Verified fixed with testcase in comment 0 with the following debug builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre)
Gecko/20090522 Minefield/3.6a1pre ID:20090522133810

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre)
Gecko/20090522 Shiretoko/3.5pre ID:20090522153422

Comment 7

[Christian Holler (:decoder)]

Bug in removed tracer code, setting in-testsuite- flag.