Closed
Bug 579256
Opened 14 years ago
Closed 14 years ago
Crash [@ js_TraceObject] with gc
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 579273
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:dupe 579273])
Crash Data
var a = evalcx('');
Object.defineProperty(a, "", ({
get: function() {},
}))
gc()
crashes js opt shell on TM tip without -j at js_TraceObject. It doesn't seem to crash a debug shell.
Locking s-s because this involves gc, even though it seems to be a +40 null dereference. Assuming [sg:dos].
js> var a = evalcx('');
js> Object.defineProperty(a, "", ({
get: function() {},
}))
({lazy:false})
js> gc()
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000040
0x0007e205 in js_TraceObject ()
(gdb) bt
#0 0x0007e205 in js_TraceObject ()
#1 0x00057385 in js::Mark ()
#2 0x000ebe04 in JSScopeProperty::trace ()
#3 0x0007e1cf in js_TraceObject ()
#4 0x00057385 in js::Mark ()
#5 0x0007e2d9 in js_TraceObject ()
#6 0x00057385 in js::Mark ()
#7 0x000c1feb in js::proxy_TraceObject ()
#8 0x00057385 in js::Mark ()
#9 0x000c1fb7 in js::proxy_TraceObject ()
#10 0x00057385 in js::Mark ()
#11 0x0007e36f in js_TraceObject ()
#12 0x00057385 in js::Mark ()
#13 0x00057e25 in js_TraceContext ()
#14 0x00057fff in js_TraceRuntime ()
#15 0x000584fd in js_GC ()
#16 0x00010d6d in JS_GC ()
#17 0x00006f23 in GC ()
#18 0x00065a7c in js::Interpret ()
#19 0x0006e65b in js::Execute ()
#20 0x00014a18 in JS_ExecuteScript ()
#21 0x00005fcc in Process ()
#22 0x00009826 in shell ()
#23 0x00009d37 in main ()
(gdb) x/i $eip
0x7e205 <_Z14js_TraceObjectP8JSTracerP8JSObject+149>: mov 0x40(%ecx),%edx
(gdb) x/b $ecx
0x0: Cannot access memory at address 0x0
|
Reporter | |
Comment 1•14 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 47546:9c869e64ee26 user: Luke Wagner date: Wed Jul 14 23:19:36 2010 -0700 summary: Bug 549143 - fatvals
Blocks: fatvals
|
|
||
Comment 2•14 years ago
|
||
Dup, but this is a nice short test case, so I'll throw it in with the next push.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
|
||
Updated•14 years ago
|
blocking2.0: ? → betaN+
|
||
Updated•13 years ago
|
Crash Signature: [@ js_TraceObject]
|
||
Updated•13 years ago
|
Group: core-security
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dupe 579273]
You need to log in
before you can comment on or make changes to this bug.
Description
•