Closed
Bug 654073
Opened 12 years ago
Closed 12 years ago
Crash [@ js_GetClassPrototype] or [@ JSID_IS_VOID] or [@ js::PropertyTable::search]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox6 | - | --- |
People
(Reporter: gkw, Assigned: paul.biggar)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [fixed-in-tracemonkey])
Crash Data
Attachments
(2 files)
|
16.80 KB,
text/plain
|
Details | |
|
1.21 KB,
patch
|
Waldo
:
review+
|
Details | Diff | Splinter Review |
for (i = 0; i < 9; i++) {
for (x in Math.__proto__) {}
try {
Math.__proto__.__proto__ = this
} catch (e) {}
__proto__ = null
}
crashes js opt shell on TM changeset e2843f43757e without -m nor -j at js_GetClassPrototype and crashes js debug shell at JSID_IS_VOID or js::PropertyTable::search.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 68345:881c06ebc5ee
user: Paul Biggar
date: Wed Apr 27 04:13:56 2011 -0700
summary: Bug 642772: Don't recreate a class during enumeration, if it has been deleted (r=bhackett)
|
||
Comment 1•12 years ago
|
||
It's a stack overflow trying to init the Iterator class for the StopIteration object, which has JSCLASS_FREEZE_PROTO, and it looks like that [[Prototype]] is somehow the global object, which means you enumerate standard classes before freezing, which means you init the Iterator class... Did a MarkStandardClassInitializedNoProto get omitted for the Iterator class or something? That's the only thing that looks obviously plausible as the blame-catcher in the regressor. Bootstrapping genericity delenda est.
|
Assignee | |
Updated•12 years ago
|
Assignee: general → pbiggar
|
|
Assignee | |
Comment 2•12 years ago
|
||
Attachment #529700 -
Flags: review?(jwalden+bmo)
|
|
||
Comment 3•12 years ago
|
||
Comment on attachment 529700 [details] [diff] [review] Fix >diff --git a/js/src/jit-test/tests/basic/bug654073.js b/js/src/jit-test/tests/basic/bug654073.js >+this.__proto__ = null; >+Math.__proto__.__proto__ = this; >+for (x in Math.__proto__) {} I think this would be a clearer equivalent that's easier to read, because it doesn't require dredging up prototype chain details from memory: this.__proto__ = null; Object.prototype.__proto__ = this; for (var x in Object.prototype);
Attachment #529700 -
Flags: review?(jwalden+bmo) → review+
|
|
Assignee | |
Comment 4•12 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/a15c6194d2f0
Whiteboard: [fixed-in-tracemonkey]
|
||
Comment 5•12 years ago
|
||
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/a15c6194d2f0
|
|
||
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
|
||
Updated•12 years ago
|
Crash Signature: [@ js_GetClassPrototype]
[@ JSID_IS_VOID]
[@ js::PropertyTable::search]
|
||
Comment 6•12 years ago
|
||
TB9.0.1 crashed. OS is openSuSE 11.4. Please re-open this bug. Crash Signature: [@ js::PropertyTable::search ] ID: 0463ff9f-d0fd-4642-bb16-50e2d2120108
|
||
Comment 7•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug654073.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•