Closed Bug 579256 Opened 15 years ago Closed 15 years ago

Crash [@ js_TraceObject] with gc

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 579273
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:dupe 579273])

Crash Data

var a = evalcx('');
Object.defineProperty(a, "", ({ get: function() {}, }))
gc()

crashes js opt shell on TM tip without -j at js_TraceObject. It doesn't seem to crash a debug shell. Locking s-s because this involves gc, even though it seems to be a +40 null dereference. Assuming [sg:dos].

js> var a = evalcx('');
js> Object.defineProperty(a, "", ({ get: function() {}, }))
({lazy:false})
js> gc()
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000040
0x0007e205 in js_TraceObject ()
(gdb) bt
#0  0x0007e205 in js_TraceObject ()
#1  0x00057385 in js::Mark ()
#2  0x000ebe04 in JSScopeProperty::trace ()
#3  0x0007e1cf in js_TraceObject ()
#4  0x00057385 in js::Mark ()
#5  0x0007e2d9 in js_TraceObject ()
#6  0x00057385 in js::Mark ()
#7  0x000c1feb in js::proxy_TraceObject ()
#8  0x00057385 in js::Mark ()
#9  0x000c1fb7 in js::proxy_TraceObject ()
#10 0x00057385 in js::Mark ()
#11 0x0007e36f in js_TraceObject ()
#12 0x00057385 in js::Mark ()
#13 0x00057e25 in js_TraceContext ()
#14 0x00057fff in js_TraceRuntime ()
#15 0x000584fd in js_GC ()
#16 0x00010d6d in JS_GC ()
#17 0x00006f23 in GC ()
#18 0x00065a7c in js::Interpret ()
#19 0x0006e65b in js::Execute ()
#20 0x00014a18 in JS_ExecuteScript ()
#21 0x00005fcc in Process ()
#22 0x00009826 in shell ()
#23 0x00009d37 in main ()
(gdb) x/i $eip
0x7e205 <_Z14js_TraceObjectP8JSTracerP8JSObject+149>:	mov    0x40(%ecx),%edx
(gdb) x/b $ecx
0x0:	Cannot access memory at address 0x0
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   47546:9c869e64ee26
user:        Luke Wagner
date:        Wed Jul 14 23:19:36 2010 -0700
summary:     Bug 549143 - fatvals
Blocks: fatvals
Dup, but this is a nice short test case, so I'll throw it in with the next push.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
blocking2.0: ? → betaN+
Crash Signature: [@ js_TraceObject]
Group: core-security
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dupe 579273]