Closed Bug 649263 Opened 13 years ago Closed 13 years ago

TI: Crash [@ JSObject::getClass] // Null pointer dereference

Categories: Core :: JavaScript Engine (defect)
Platform: x86_64 Linux
Priority: Not set
Severity: critical


RESOLVED DUPLICATE of bug 649261

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase)

Crash Data

The following testcase crashes on TI revision 23a746dac370 (run with -m -n -a),
tested on 64 bit:

try {
    BUGNUMBER;        // undeclared identifier: throws a ReferenceError, caught below
    var o = {};       // never executed, but `var o` is hoisted, so `o` exists and is undefined
} catch(e) {}
eval("actual =  uneval(o);");   // uneval(o) is where the crash occurs (str_uneval -> js_ValueToSource, see backtrace)


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fbf7a0d7720 (LWP 26426)]
0x000000000041319a in JSObject::getClass (this=0x0) at ./jsobj.h:442
442         js::Class *getClass() const { return clasp; }
(gdb) bt
#0  0x000000000041319a in JSObject::getClass (this=0x0) at ./jsobj.h:442
#1  0x00000000004131b8 in JSObject::getOps (this=0x0) at ./jsobj.h:450
#2  0x00000000005273fa in js_GetMethod (cx=0x2b3edb0, obj=0x0, id={asBits = 140460339239552}, getHow=2, vp=0x7fffb5914650) at jsobj.cpp:5675
#3  0x00000000005beb1a in js_ValueToSource (cx=0x2b3edb0, v=@0x7fffb59146b0) at jsstr.cpp:3933
#4  0x00000000005b71d0 in str_uneval (cx=0x2b3edb0, argc=1, vp=0x7fbf78b86170) at jsstr.cpp:673
#5  0x000000000050038a in js::CallJSNative (cx=0x2b3edb0, native=0x5b718a <str_uneval>, argc=1, vp=0x7fbf78b86170) at jscntxtinlines.h:716
#6  0x000000000071ab87 in CallCompiler::generateNativeStub (this=0x7fffb5915150) at ./methodjit/MonoIC.cpp:818
#7  0x00000000007156ee in js::mjit::ic::NativeCall (f=@0x7fffb5915190, ic=0x2ba97b0) at ./methodjit/MonoIC.cpp:1077
#8  0x00007fbf79f3893b in ?? ()
#9  0x00007fbf79f38430 in ?? ()
#10 0x0000000002ba8b80 in ?? ()
#11 0x00007fffb59156d0 in ?? ()
#12 0x0000000000000000 in ?? ()
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ JSObject::getClass]
A testcase for this bug was already added in the original bug (bug 649261).
Flags: in-testsuite-