Closed
Bug 583688
Opened 14 years ago
Closed 14 years ago
JM: Crash [@ JSObject::isNative] or [@ js::mjit::ic::Name]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED FIXED
People
(Reporter: gkw, Unassigned)
Details
(Keywords: crash, regression, testcase)
Crash Data
__defineSetter__("x", function () {})
try {
  __defineGetter__("d", (Function("x")))
} catch (e) {}
d
print(delete x)
throw d

crashes js debug shell on JM changeset 2ee92d697741 with -m at JSObject::isNative and crashes js opt shell with -m at js::mjit::ic::Name

Program received signal SIGSEGV, Segmentation fault.
0x0805593f in JSObject::isNative (this=0x0) at ../../jsobj.h:287
287 return map->isNative();
(gdb) bt
#0 0x0805593f in JSObject::isNative (this=0x0) at ../../jsobj.h:287
#1 0x08253270 in ScopeNameCompiler::update (this=0xffffcb54) at ../methodjit/PolyIC.cpp:1470
#2 0x0824b012 in js::mjit::ic::Name (f=..., index=0) at ../methodjit/PolyIC.cpp:1936
#3 0xf76a86ca in ?? ()
#4 0x08212004 in js::mjit::JaegerShot (cx=0x833ecf0) at ../methodjit/MethodJIT.cpp:696
#5 0x080d803c in js::RunScript (cx=0x833ecf0, script=0x8343a00, fun=0xf7506558, scopeChain=0xf7502000) at ../jsinterp.cpp:461
#6 0x080daf06 in InvokeCommon<JSBool (*)(JSContext*, JSObject*, uintN, js::Value*, js::Value*)> (cx=0x833ecf0, fun=0xf7506558, script=0x8343a00, native=0, args=..., flags=0) at ../jsinterp.cpp:631
#7 0x080d8644 in js::Invoke (cx=0x833ecf0, args=..., flags=0) at ../jsinterp.cpp:756
#8 0x080d884c in js::InternalInvoke (cx=0x833ecf0, thisv=..., fval=..., flags=0, argc=0, argv=0x0, rval=0xffffcf48) at ../jsinterp.cpp:796
#9 0x080d6e7a in InternalCall (cx=0x833ecf0, obj=0xf7502000, fval=..., argc=0, argv=0x0, rval=0xffffcf48) at ../jsinterp.h:371
#10 0x080d890c in js::InternalGetOrSet (cx=0x833ecf0, obj=0xf7502000, id=..., fval=..., mode=JSACC_READ, argc=0, argv=0x0, rval=0xffffcf48) at ../jsinterp.cpp:824
#11 0x080fd24e in JSScopeProperty::get (this=0x8340f38, cx=0x833ecf0, obj=0xf7502000, pobj=0xf7502000, vp=0xffffcf48) at ../jsscopeinlines.h:306
#12 0x080f6d63 in js_NativeGet (cx=0x833ecf0, obj=0xf7502000, pobj=0xf7502000, sprop=0x8340f38, getHow=0, vp=0xffffcf48) at ../jsobj.cpp:4661
#13 0x082870eb in NameOp (f=..., obj=0xf7502000, callname=false) at ../methodjit/StubCalls.cpp:389
#14 0x0828729a in js::mjit::stubs::GetGlobalName (f=...) at ../methodjit/StubCalls.cpp:425
#15 0x082491cc in js::mjit::ic::GetGlobalName (f=..., index=0) at ../methodjit/MonoIC.cpp:83
#16 0xf76a8772 in ?? ()
#17 0x08212004 in js::mjit::JaegerShot (cx=0x833ecf0) at ../methodjit/MethodJIT.cpp:696
#18 0x080d803c in js::RunScript (cx=0x833ecf0, script=0x8342ee0, fun=0x0, scopeChain=0xf7502000) at ../jsinterp.cpp:461
#19 0x080d8e35 in js::Execute (cx=0x833ecf0, chain=0xf7502000, script=0x8342ee0, down=0x0, flags=0, result=0xffffd200) at ../jsinterp.cpp:949
#20 0x0806f778 in JS_ExecuteScript (cx=0x833ecf0, obj=0xf7502000, script=0x8342ee0, rval=0xffffd200) at ../jsapi.cpp:4736
#21 0x0804c167 in Process (cx=0x833ecf0, obj=0xf7502000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:533
#22 0x0804ccf9 in ProcessArgs (cx=0x833ecf0, obj=0xf7502000, argv=0xffffd408, argc=1) at ../../shell/js.cpp:860
#23 0x08055314 in shell (cx=0x833ecf0, argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:4981
#24 0x08055430 in main (argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5077
(gdb) x/i $eip
=> 0x805593f <_ZNK8JSObject8isNativeEv+9>: mov (%eax),%eax
(gdb) x/b $eax
0x0: Cannot access memory at address 0x0
Comment 1•14 years ago
Only crashes on 32-bit with ICs enabled.
Comment 2•14 years ago
Bisection results:
Changeset 43819:18b8df733e33: bad
The first bad revision is:
changeset: 43819:18b8df733e33
user: David Anderson <danderson@mozilla.com>
date: Sun Jul 04 13:18:55 2010 -0700
summary: [JAEGER] PIC for not-escaped call objects (bug 576733).
http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/52d4858323d0
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•13 years ago
Crash Signature: [@ JSObject::isNative] [@ js::mjit::ic::Name]
Comment 4•12 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug583688.js.
Flags: in-testsuite+