Closed
Bug 579261
Opened 14 years ago
Closed 14 years ago
Crash [@ JSObject::getClass] or [@ JSCompartment::wrap]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 579273
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr])
Crash Data
```
var b = evalcx('')
with({ d: Object.defineProperty(b, "", ({ get: JSON.e, })) }) {}
```

crashes js debug shell on TM tip without -j at JSObject::getClass and crashes js opt shell on TM tip without -j at JSCompartment::wrap

(This looks like a +4 null dereference)

```
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x00080d01 in JSObject::getClass (this=0x0) at jsobj.h:297
297 return clasp;
(gdb) bt
#0 0x00080d01 in JSObject::getClass (this=0x0) at jsobj.h:297
#1 0x000297f8 in JSObject::isObjectProxy (this=0x0) at jsproxy.h:140
#2 0x00029851 in JSObject::isProxy (this=0x0) at jsproxy.h:152
#3 0x0015ccc0 in JSObject::isWrapper (this=0x0) at ../jswrapper.cpp:58
#4 0x0015cd18 in JSObject::unwrap (this=0x0, flagsp=0xbfffe1d4) at ../jswrapper.cpp:66
#5 0x0015d5b3 in JSCompartment::wrap (this=0x40ccc0, cx=0x809400, vp=0xbfffe228) at ../jswrapper.cpp:325
#6 0x0015da82 in JSCompartment::wrap (this=0x40ccc0, cx=0x809400, propp=0xbfffe340) at ../jswrapper.cpp:429
#7 0x0015e057 in JSCompartment::wrap (this=0x40ccc0, cx=0x809400, desc=0xbfffe338) at ../jswrapper.cpp:440
#8 0x001600b4 in JSCrossCompartmentWrapper::defineProperty (this=0x21de34, cx=0x809400, wrapper=0x601a80, id={asBits = 6291456}, desc=0xbfffe3f0) at ../jswrapper.cpp:597
#9 0x0010f317 in js::JSProxy::defineProperty (cx=0x809400, proxy=0x601a80, id={asBits = 6291456}, desc=0xbfffe3f0) at ../jsproxy.cpp:698
#10 0x00111ef4 in js::JSProxy::defineProperty (cx=0x809400, proxy=0x601a80, id={asBits = 6291456}, v=@0xbfffe4b4) at ../jsproxy.cpp:707
#11 0x000d1a63 in DefineProperty (cx=0x809400, obj=0x601a80, desc=@0xbfffe4b4, throwError=true, rval=0xbfffe4eb) at ../jsobj.cpp:2366
#12 0x000d28b2 in js_DefineOwnProperty (cx=0x809400, obj=0x601a80, id={asBits = 6291456}, descriptor=@0xbfffe560, bp=0xbfffe534) at ../jsobj.cpp:2383
#13 0x000d2a3c in obj_defineProperty (cx=0x809400, argc=3, vp=0x1000110) at ../jsobj.cpp:2409
#14 0x000a17ce in js::Interpret (cx=0x809400) at ../jsinterp.cpp:4741
#15 0x000b45a1 in js::Execute (cx=0x809400, chain=0x601000, script=0x40ce40, down=0x0, flags=0, result=0x0) at jsinterp.cpp:880
#16 0x000178a5 in JS_ExecuteScript (cx=0x809400, obj=0x601000, script=0x40ce40, rval=0x0) at ../jsapi.cpp:4638
#17 0x0000c3d3 in Process (cx=0x809400, obj=0x601000, filename=0xbffff94c "w4094-cj-in.js", forceTTY=0) at ../../shell/js.cpp:439
#18 0x0000d119 in ProcessArgs (cx=0x809400, obj=0x601000, argv=0xbffff834, argc=1) at ../../shell/js.cpp:853
#19 0x0000d232 in shell (cx=0x809400, argc=1, argv=0xbffff834, envp=0xbffff83c) at ../../shell/js.cpp:5029
#20 0x0000d356 in main (argc=1, argv=0xbffff834, envp=0xbffff83c) at ../../shell/js.cpp:5116
(gdb) x/i $eip
0x80d01 <_ZNK8JSObject8getClassEv+9>: mov 0x4(%eax),%eax
(gdb) x/b $eax
0x0: Cannot access memory at address 0x0
```
Updated•14 years ago
blocking2.0: --- → ?
Reporter
Comment 1•14 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 47546:9c869e64ee26
user: Luke Wagner
date: Wed Jul 14 23:19:36 2010 -0700
summary: Bug 549143 - fatvals

Blocks: fatvals
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•14 years ago
blocking2.0: ? → betaN+
Updated•13 years ago
Crash Signature: [@ JSObject::getClass]
[@ JSCompartment::wrap]