Closed Bug 647537 Opened 13 years ago Closed 13 years ago

TI: Crash [@ JSObject::getClass]

Categories: Core :: JavaScript Engine, defect

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED FIXED

People: Reporter: decoder, Unassigned

Keywords: crash, testcase

The following testcase crashes on TI tip (run with -n -m -a), tested on 64-bit:

LocalDate = LocalDateFromTime( Number );
LocalDate.ms;

function LocalDateFromTime(t) {
  return isFinite--;
}
Backtrace:

==10113== Invalid read of size 8
==10113==    at 0x412688: JSObject::getClass() const (jsobj.h:426)
==10113==    by 0x43AE9D: JSObject::isDenseArray() const (jsarray.h:184)
==10113==    by 0x43D795: JSObject::getNewType(JSContext*) (jsobjinlines.h:840)
==10113==    by 0x4EAC13: JSScript::getTypeNewObject(JSContext*, JSProtoKey) (jsinferinlines.h:554)
==10113==    by 0x4DE9F9: js::types::GetPropertyObject(JSContext*, JSScript*, unsigned long) (jsinfer.cpp:811)
==10113==    by 0x4DEDFB: js::types::TypeConstraintProp::newType(JSContext*, js::types::TypeSet*, unsigned long) (jsinfer.cpp:900)
==10113==    by 0x41497F: js::types::TypeCompartment::resolvePending(JSContext*) (jsinferinlines.h:842)
==10113==    by 0x414D73: js::types::TypeSet::addType(JSContext*, unsigned long) (jsinferinlines.h:1121)
==10113==    by 0x4146ED: JSContext::addTypePropertyId(js::types::TypeObject*, jsid, unsigned long) (jsinferinlines.h:355)
==10113==    by 0x43C8A6: JSContext::addTypePropertyId(js::types::TypeObject*, jsid, js::Value const&) (jsinferinlines.h:364)
==10113==    by 0x4B9D8C: js_DefineFunction(JSContext*, JSObject*, jsid, int (*)(JSContext*, unsigned int, js::Value*), unsigned int, unsigned int, void (*)(JSContext*, JSTypeFunction*, JSTypeCallsite*), char const*) (jsfun.cpp:3130)
==10113==    by 0x432B0F: JS_DefineFunctionWithType (jsapi.cpp:4661)
==10113==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==10113== 
==10113== 
==10113== Process terminating with default action of signal 11 (SIGSEGV)

InitNumberClass and InitStringClass need to create the class objects before adding their static functions (parseInt, etc.), so that type constraints on those functions do not trigger a reentrant attempt to construct the classes.

http://hg.mozilla.org/projects/jaegermonkey/rev/17b68a623db1
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Crash Signature: [@ JSObject::getClass]