649278 - TI: Crash [@ js::types::GetValueType] // Null pointer dereference

Status: RESOLVED DUPLICATE of bug 649261

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on TI revision 23a746dac370 (run with -m -n -a),
tested on 64 bit:

try {
    String.prototype.m=function () {
        assertEq(this, "s")
        return [, ];
    }
    var a = "s".m();
} catch(e) {}
var b = 45;
var obj = function() {};
eval('bar = b; foo=a');


The original code caused:

Assertion failure: obj, at ../jsval.h:711

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fa273058720 (LWP 9415)]
0x000000000043e00f in js::types::GetValueType (cx=0x2040db0, val=@0x7fff9435b660) at ./jsinferinlines.h:76
76              JS_ASSERT(obj->type);
(gdb) bt
#0  0x000000000043e00f in js::types::GetValueType (cx=0x2040db0, val=@0x7fff9435b660) at ./jsinferinlines.h:76
#1  0x00000000004e7009 in js::types::TypeCompartment::dynamicAssign (this=0x2041688, cx=0x2040db0, obj=0x7fa271a020c8, id={asBits = 140335667808352}, rval=@0x7fff9435b660)
    at jsinfer.cpp:2089
#2  0x000000000079195a in JSContext::typeMonitorAssign (this=0x2040db0, obj=0x7fa271a020c8, id={asBits = 140335667808352}, rval=@0x7fff9435b660) at ./jsinferinlines.h:512
#3  0x000000000079ff1f in js::mjit::stubs::SetName<0> (f=@0x7fff9435b720, origAtom=0x7fa271a10860) at ./methodjit/StubCalls.cpp:131
#4  0x00000000007a09e2 in js::mjit::stubs::SetGlobalName<0> (f=@0x7fff9435b720, atom=0x7fa271a10860) at ./methodjit/StubCalls.cpp:328
#5  0x00000000007154e5 in js::mjit::ic::SetGlobalName (f=@0x7fff9435b720, ic=0x20b1538) at ./methodjit/MonoIC.cpp:331
#6  0x00007fa272ebaaeb in ?? ()
#7  0x00007fa272eba878 in ?? ()
#8  0x00000000020b0fc0 in ?? ()
#9  0x00007fff9435bc60 in ?? ()
#10 0x0000000000000000 in ?? ()

Comment 2

[Christian Holler (:decoder)]

A testcase for this bug was already added in the original bug (bug 649261).