Closed Bug 580712 Opened 14 years ago Closed 14 years ago

JM: Crash [@ js::DefaultValue] or "Assertion failure: &obj != NULL,"

Categories: Core :: JavaScript Engine, defect
Platform: x86, Linux
Severity: critical (priority not set)
Status: RESOLVED FIXED
People: Reporter: gkw, Assigned: adrake
Attachments: 1 file

// Reporter's test case for the js shell (`print` is a shell builtin):
// assigning to a global name that has a setter, then using the assignment's value.
__defineSetter__("x", function () {})
try {
    print(x = function () {})
} catch (e) {}

asserts js debug shell on JM changeset 7c6f62fcbd91 with -m at Assertion failure: &obj != NULL, at ../../jsvalue.h:356 and crashes js opt shell at js::DefaultValue.

Program received signal SIGSEGV, Segmentation fault.
0x080c66ee in js::DefaultValue(JSContext*, JSObject*, JSType, js::Value*) ()
(gdb) bt
#0  0x080c66ee in js::DefaultValue(JSContext*, JSObject*, JSType, js::Value*) ()
#1  0x0000007f in ?? ()
#2  0x08278e89 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x/i $eip
=> 0x80c66ee <_ZN2js12DefaultValueEP9JSContextP8JSObject6JSTypePNS_5ValueE+238>:	cmp    %edx,0x4(%esi)
(gdb) x/b $edx
0x822da60 <js_StringClass>:	0xe1
Works for me on moo tip 64-bit, but fails on 32-bit.
Works for me on 32-bit with ICs disabled.
Assignee: general → adrake
The MIC-ified implementation of JSOP_SETGNAME is correctly using the known type of the new value of x (OBJECT), but is incorrectly using the return value of the setter. This leads to the return value of the setter (i.e., undefined) being coerced to an OBJECT with predictable results later (return a non-zero integer from the setter and you'll crash/dereference arbitrary memory because it's not NULL).
The same "using the result of the setter" mistake is in TM tip (introduced by fatvals).  Thus, the fixes in bug 582162 need to be propagated to the JM stub calls.
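The two comments above describe the defect as the stub using the setter's return value where the language requires the assigned value. The following is an added example, not code from the bug report or from the SpiderMonkey patch: it checks that rule from plain JavaScript under Node.js, for both an accessor on an ordinary object and an unqualified global-name assignment (the JSOP_SETGNAME path). `globalThis` stands in for the js shell's global object, and the property name `bug580712Name` is made up; `Object.defineProperty` replaces the legacy `__defineSetter__` from the test case.

```javascript
// Added example (not from the bug or the patch). Assumes Node.js; the global
// property name `bug580712Name` is constructed for this check.

// Builds a setter that records what it received and returns `retval`.
// An engine that reused the setter's return value as the result of the
// assignment would treat `retval` (say, the integer 0x7f) as an object.
function makeSetter(retval) {
  const seen = [];
  const setter = function (v) { seen.push(v); return retval; };
  return { setter, seen };
}

function describe(result, assigned, retval, seen) {
  return {
    resultIsRhs: result === assigned,          // expected: true
    resultIsSetterReturn: result === retval,   // expected: false
    setterSawRhs: seen.length === 1 && seen[0] === assigned,
    resultType: typeof result,                 // expected: "function"
  };
}

// Case 1: accessor property on an ordinary object.
function assignViaObjectSetter(retval) {
  const target = {};
  const { setter, seen } = makeSetter(retval);
  Object.defineProperty(target, 'x', { set: setter, configurable: true });
  const assigned = function () {};
  const result = (target.x = assigned);
  return describe(result, assigned, retval, seen);
}

// Case 2: unqualified global-name assignment, like `x = function () {}` in
// the report. The property is installed on the global object first, so the
// name resolves even in strict mode, and removed again afterwards.
function assignViaGlobalSetter(retval) {
  const { setter, seen } = makeSetter(retval);
  Object.defineProperty(globalThis, 'bug580712Name', {
    set: setter, configurable: true,
  });
  const assigned = function () {};
  let result;
  try {
    result = (bug580712Name = assigned); // assignment evaluates to `assigned`
  } finally {
    delete globalThis.bug580712Name;
  }
  return describe(result, assigned, retval, seen);
}

// Runs both cases with the non-zero integer return value the comment warns
// about; true means the engine honoured assignment semantics in both paths.
function checkAssignmentSemantics(retval = 0x7f) {
  const cases = [assignViaObjectSetter(retval), assignViaGlobalSetter(retval)];
  return cases.every(
    (c) => c.resultIsRhs && !c.resultIsSetterReturn && c.setterSawRhs
      && c.resultType === 'function',
  );
}
```

On a correct engine `checkAssignmentSemantics()` returns true; a stub that substituted the setter's return value would make `resultIsSetterReturn` true and `resultType` "number", which is the condition the report's crash depends on.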
Attached patch: Patch
Incorporates changes in bug mentioned in luke's comment.
Attachment #460444 - Flags: review?(dvander)
Attachment #460444 - Flags: review?(dvander) → review+
http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/e0988eae6c08
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::DefaultValue]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug580712.js.
Flags: in-testsuite+