Closed Bug 646393 Opened 13 years ago Closed 13 years ago

TI: Crash [@ JSObject::getClass]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical


RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase)

The following code crashes on TI tip (run with -m -n -a), tested on 64 bit:

try {
        x.y;
} catch(ex) {}
x = Number(1);


Backtrace (most likely a simple null pointer deref):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f7b4601e720 (LWP 24106)]
0x0000000000412688 in JSObject::getClass (this=0x0) at ./jsobj.h:426
426         js::Class *getClass() const { return clasp; }
(gdb) bt
#0  0x0000000000412688 in JSObject::getClass (this=0x0) at ./jsobj.h:426
#1  0x000000000043ae9e in JSObject::isDenseArray (this=0x0) at ./jsarray.h:180
#2  0x000000000043d796 in JSObject::getNewType (this=0x0, cx=0x1843bf0) at ./jsobjinlines.h:831
#3  0x00000000004eabaa in JSScript::getTypeNewObject (this=0x18b8030, cx=0x1843bf0, key=JSProto_Number) at ./jsinferinlines.h:527
#4  0x00000000004de9be in GetPropertyObject (cx=0x1843bf0, script=0x18b8030, type=5) at jsinfer.cpp:811
#5  0x00000000004dedc0 in js::types::TypeConstraintProp::newType (this=0x18b6e18, cx=0x1843bf0, source=0x18b6db0, type=5) at jsinfer.cpp:900
#6  0x0000000000414980 in js::types::TypeCompartment::resolvePending (this=0x1844480, cx=0x1843bf0) at ./jsinferinlines.h:815
#7  0x0000000000414d74 in js::types::TypeSet::addType (this=0x18b7078, cx=0x1843bf0, type=25935584) at ./jsinferinlines.h:1094
#8  0x00000000004146ee in JSContext::addTypePropertyId (this=0x1843bf0, obj=0x18a2610, id={asBits = 140167407994112}, type=25935584) at ./jsinferinlines.h:328
#9  0x000000000043c8a7 in JSContext::addTypePropertyId (this=0x1843bf0, obj=0x18a2610, id={asBits = 140167407994112}, value=@0x7fff8155f1e0) at jsinferinlines.h:337
#10 0x000000000051ba9c in js::DefineConstructorAndPrototype (cx=0x1843bf0, obj=0x7f7b44903048, key=JSProto_Number, atom=0x7f7b44900500, protoProto=0x7f7b449030d8, clasp=0xb12160, 
    constructor=0x50a181 <Number>, nargs=1, ctorHandler=0x50b69f <type_NewNumber>, ps=0x0, fs=0xb12320, static_ps=0x0, static_fs=0x0) at jsobj.cpp:3982
#11 0x000000000051c189 in js_InitClass (cx=0x1843bf0, obj=0x7f7b44903048, protoProto=0x7f7b449030d8, clasp=0xb12160, constructor=0x50a181 <Number>, nargs=1, 
    ctorHandler=0x50b69f <type_NewNumber>, ps=0x0, fs=0xb12320, static_ps=0x0, static_fs=0x0) at jsobj.cpp:4120
#12 0x000000000050b79c in js_InitNumberClass (cx=0x1843bf0, obj=0x7f7b44903048) at jsnum.cpp:1090
#13 0x000000000042b3f9 in JS_ResolveStandardClass (cx=0x1843bf0, obj=0x7f7b44903048, id={asBits = 140167407994112}, resolved=0x7fff8155f4bc) at jsapi.cpp:1842
#14 0x000000000040c606 in ResolveClass (cx=0x1843bf0, obj=0x7f7b44903048, id={asBits = 140167407994112}, resolved=0x7fff8155f4bc) at js.cpp:3130
#15 0x00000000004104e2 in global_resolve (cx=0x1843bf0, obj=0x7f7b44903048, id={asBits = 140167407994112}, flags=0, objp=0x7fff8155f550) at js.cpp:5388
#16 0x000000000051e62c in CallResolveOp (cx=0x1843bf0, start=0x7f7b44903048, obj=0x7f7b44903048, id={asBits = 140167407994112}, flags=0, objp=0x7fff8155f6f8, 
    propp=0x7fff8155f6e8, recursedp=0x7fff8155f61f) at jsobj.cpp:5001
#17 0x000000000051e882 in js_LookupPropertyWithFlagsInline (cx=0x1843bf0, obj=0x7f7b44903048, id={asBits = 140167407994112}, flags=65535, objp=0x7fff8155f6f8, 
    propp=0x7fff8155f6e8) at jsobj.cpp:5056
#18 0x000000000051ead7 in js_LookupPropertyWithFlags (cx=0x1843bf0, obj=0x7f7b44903048, id={asBits = 140167407994112}, flags=65535, objp=0x7fff8155f6f8, propp=0x7fff8155f6e8)
    at jsobj.cpp:5119
#19 0x000000000051eba7 in js_FindPropertyHelper (cx=0x1843bf0, id={asBits = 140167407994112}, cacheResult=1, objp=0x7fff8155f760, pobjp=0x7fff8155f790, propp=0x7fff8155f778)
    at jsobj.cpp:5145
#20 0x0000000000779e04 in NameOp (f=@0x7fff8155f8a0, obj=0x7f7b44903048, markresult=false, callname=false) at ./methodjit/StubCalls.cpp:373
#21 0x000000000077a216 in js::mjit::stubs::GetGlobalName (f=@0x7fff8155f8a0) at ./methodjit/StubCalls.cpp:429
#22 0x00000000006fb368 in js::mjit::ic::GetGlobalName (f=@0x7fff8155f8a0, ic=0x18b83f0) at ./methodjit/MonoIC.cpp:97
#23 0x00007f7b44abd4ea in ?? ()
#24 0x00007f7b44abd080 in ?? ()
#25 0x00000000018b8760 in ?? ()
#26 0x0000000000000000 in ?? ()
Since we don't try to resolve lazy standard classes during inference anymore (removed yesterday), we can add constraints on those lazy classes before they have been constructed, trigger those constraints while adding the class which then try to re-resolve the classes (inference may still try to get the prototypes of a few standard classes --- Number/Boolean/String/Array/Object I think, which should be well behaved and not reenter scripted code), which fails because of the reentrance.

This fixes things by caching the standard classes earlier during their instantiation, so that the type constraints can find them.

http://hg.mozilla.org/projects/jaegermonkey/rev/81ee9f8d4c34
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
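The ordering problem described in the comment above, reduced to a toy model (added example, not SpiderMonkey code): a constraint is attached to a standard class key before the class has been constructed, constructing the class fires that constraint, and the constraint re-enters the resolver to fetch the prototype. With the original ordering the re-entrant lookup finds nothing and hands back a null pointer, which is the `this=0x0` in the backtrace; with the fix the class is published to the cache before any constraint runs. The names `LazyClassRegistry`, `resolve`, `addConstraint` and `constraintSawNullPrototype` are invented for this illustration, and the re-entrant path returns nullptr instead of dereferencing it so the model can be run safely.

```cpp
// Toy model of re-entrant lazy standard-class resolution (added example,
// not SpiderMonkey code). All names here are hypothetical.
#include <cassert>
#include <functional>
#include <map>
#include <set>
#include <string>
#include <vector>

struct ProtoObject {
    std::string className;
};

class LazyClassRegistry {
public:
    explicit LazyClassRegistry(bool cacheBeforeConstraints)
        : cacheBeforeConstraints_(cacheBeforeConstraints) {}

    // A type constraint attached to a class key, possibly before the class
    // has ever been constructed (the situation the bug describes).
    void addConstraint(const std::string& key,
                       std::function<void(LazyClassRegistry&)> constraint) {
        pending_[key].push_back(std::move(constraint));
    }

    // Lazily construct a standard class and return its prototype. A lookup
    // for a class that is still mid-construction yields nullptr; the real
    // engine went on to call JSObject::getClass on that null pointer.
    const ProtoObject* resolve(const std::string& key) {
        auto cached = cache_.find(key);
        if (cached != cache_.end()) return &cached->second;
        if (constructing_.count(key)) return nullptr;  // re-entrant lookup

        constructing_.insert(key);
        if (cacheBeforeConstraints_) cache_[key] = ProtoObject{key};  // the fix: publish first
        auto pend = pending_.find(key);
        if (pend != pending_.end()) {
            for (auto& constraint : pend->second) constraint(*this);  // may re-enter resolve()
            pending_.erase(pend);
        }
        if (!cacheBeforeConstraints_) cache_[key] = ProtoObject{key};  // original order: too late
        constructing_.erase(key);
        return &cache_[key];
    }

private:
    bool cacheBeforeConstraints_;
    std::map<std::string, ProtoObject> cache_;
    std::set<std::string> constructing_;
    std::map<std::string, std::vector<std::function<void(LazyClassRegistry&)>>> pending_;
};

// Replays the shape of the testcase: a constraint on "Number" is registered
// before the class exists (the failed x.y lookup), then Number is
// instantiated (x = Number(1)). Returns true when the constraint observed a
// null prototype, i.e. the condition under which the real engine crashed.
bool constraintSawNullPrototype(bool cacheBeforeConstraints) {
    LazyClassRegistry registry(cacheBeforeConstraints);
    bool sawNull = false;
    registry.addConstraint("Number", [&](LazyClassRegistry& r) {
        const ProtoObject* proto = r.resolve("Number");  // re-enters resolve()
        if (proto == nullptr) {
            sawNull = true;  // where JSObject::getClass(this=0x0) happened
        } else {
            assert(proto->className == "Number");
        }
    });
    registry.resolve("Number");
    return sawNull;
}

int main() {
    assert(constraintSawNullPrototype(false));   // original ordering: null prototype
    assert(!constraintSawNullPrototype(true));   // fixed ordering: prototype found
    return 0;
}
```

The `constructing_` guard stands in for the removed "resolve lazy classes during inference" path: once that path is gone, anything the constraints ask for must already be in the cache, which is exactly why the fix moves the cache insertion ahead of the constraint callbacks.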
Crash Signature: [@ JSObject::getClass]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug646393.js.
Flags: in-testsuite+