626521 - Crash at JSObject::lastProperty // Possible memory hazard

Status: RESOLVED DUPLICATE of bug 626464

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

Attachment: Test case for shell (run without -j, contains options() call)

The attached test case crashes on tm tip both 32 and 64 bit. In the 64 bit version, the stack trace in gdb looks scrambled, valgrind shows a different trace though. This is what I see on 64 bit with gdb:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004361cf in JSObject::lastProperty (this=0x7ffff690a500) at jsscope.h:702
702         JS_ASSERT(!JSID_IS_VOID(lastProp->id));
(gdb) bt
#0  0x00000000004361cf in JSObject::lastProperty (this=0x7ffff690a500) at jsscope.h:702
#1  0x0000000000642767 in AddPropertyHelper (cx=0xab4da0, obj=0x7ffff690a500, shape=0xaf19f0, isDefinitelyAtom=false) at jsbuiltins.cpp:200
#2  0x00000000006428ee in js_AddProperty (cx=0xab4da0, obj=0x7ffff690a500, shape=0xaf19f0) at jsbuiltins.cpp:226
#3  0x00007ffff67dcfad in ?? ()
#4  0x00007fffffffbbc0 in ?? ()
#5  0xfffafffff690a500 in ?? ()
#6  0x00007ffff6903048 in ?? ()
#7  0x00007fffffffbc20 in ?? ()
#8  0x00007ffff6abf0a8 in ?? ()
#9  0x00007fffffffda70 in ?? ()
#10 0x0000000000000000 in ?? ()

Might be a memory corruption, locking.

Comment 1

[Jesse Ruderman]

It is usually possible to convert infinite-loop TM testcases to testcases that run a loop (tracemonkey.HOTLOOP+1 == 9) or so times.

The first good revision is:
changeset:   e4e1e187bc9b
user:        Jason Orendorff
date:        Mon Jan 17 17:33:45 2011 -0600
summary:     Tracer generates bad code for {__proto__: ...}, leading to a crash. Bug 626464, r=brendan.

Comment 2

[Daniel Veditz [:dveditz]]

If it's a dupe of bug 626464 then it should also be a regression of bug 559653

Comment 3

[Christian Holler (:decoder)]

Duped bug is already open, so opening this as well.