Closed
Bug 616508
Opened 14 years ago
Closed 14 years ago
JM: Crash [@ js::mjit::ic::Name] or "Assertion failure: shape,"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | final+ |
People
(Reporter: gkw, Assigned: dvander)
References
Details
(4 keywords, Whiteboard: [ccbr][fixed-in-tracemonkey])
Crash Data
Attachments
(1 file)
|
1.95 KB,
patch
|
dmandelin
:
review+
|
Details | Diff | Splinter Review |
try {
(function () {
__proto__ = Uint32Array()
}())
} catch (e) {}(function () {
length, ([eval()] ? x : 7)
})()
asserts js debug shell on TM changeset 25fd3451c0ae with -m at Assertion failure: shape, and crashes js opt shell with -m at js::mjit::ic::Name.
Program received signal SIGSEGV, Segmentation fault.
0x0824ab76 in js::mjit::ic::Name(js::VMFrame&, js::mjit::ic::PICInfo*) ()
(gdb) bt
#0 0x0824ab76 in js::mjit::ic::Name(js::VMFrame&, js::mjit::ic::PICInfo*) ()
#1 0xffffd044 in ?? ()
#2 0xf7500820 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x/i $eip
=> 0x824ab76 <_ZN2js4mjit2ic4NameERNS_7VMFrameEPNS1_7PICInfoE+454>: movzbl 0x1c(%edx),%edi
(gdb) x/b $edx
0x0: Cannot access memory at address 0x0
|
Reporter | |
Comment 1•14 years ago
|
||
Although this seems to be a null crash, it's probably best to set s-s just-in-case.
Group: core-security
|
|
Assignee | |
Updated•14 years ago
|
blocking2.0: --- → final+
|
|
Reporter | |
Comment 2•14 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 57018:728eedc664b2
user: David Mandelin
date: Thu Nov 04 18:05:39 2010 -0700
summary: Bug 608868: check for non-native objects when binding in scope name ICs, r=dvander, a=beta8+
Blocks: 608868
|
|
Assignee | |
Updated•14 years ago
|
Group: core-security
OS: Linux → All
Hardware: x86 → All
|
|
Assignee | |
Comment 3•14 years ago
|
||
We decide not to cache property lookups when anything from [obj, holder] on the proto chain is non-native. That is, we don't store "shape" casted from "prop".
But ic::Name checks whether we've cached by looking at just |obj| and |holder|. Instead, it should just check whether the caching occurred or not.
|
|
||
Updated•14 years ago
|
Attachment #495067 -
Flags: review?(dmandelin) → review+
|
|
Assignee | |
Comment 4•14 years ago
|
||
Whiteboard: [ccbr] → [ccbr][fixed-in-tracemonkey]
|
||
Comment 5•14 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Updated•14 years ago
|
Crash Signature: [@ js::mjit::ic::Name]
|
||
Comment 6•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug616508.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•