Closed Bug 654073 Opened 13 years ago Closed 13 years ago

Crash [@ js_GetClassPrototype] or [@ JSID_IS_VOID] or [@ js::PropertyTable::search]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox6 - ---

People

(Reporter: gkw, Assigned: paul.biggar)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [fixed-in-tracemonkey])

Crash Data

Attachments

(2 files)

stack
16.80 KB, text/plain
Details
Fix
1.21 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
Attached file stack 
for (i = 0; i < 9; i++) {
    for (x in Math.__proto__) {}
    try {
        Math.__proto__.__proto__ = this
    } catch (e) {}
    __proto__ = null
}

crashes js opt shell on TM changeset e2843f43757e without -m nor -j at js_GetClassPrototype and crashes js debug shell at JSID_IS_VOID or js::PropertyTable::search.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   68345:881c06ebc5ee
user:        Paul Biggar
date:        Wed Apr 27 04:13:56 2011 -0700
summary:     Bug 642772: Don't recreate a class during enumeration, if it has been deleted (r=bhackett)
It's a stack overflow trying to init the Iterator class for the StopIteration object, which has JSCLASS_FREEZE_PROTO, and it looks like that [[Prototype]] is somehow the global object, which means you enumerate standard classes before freezing, which means you init the Iterator class...

Did a MarkStandardClassInitializedNoProto get omitted for the Iterator class or something?  That's the only thing that looks obviously plausible as the blame-catcher in the regressor.

Bootstrapping genericity delenda est.
Assignee: general → pbiggar
Attached patch FixSplinter Review 

        Attachment #529700 -
        Flags: review?(jwalden+bmo)

    
    

    
  
Comment on attachment 529700 [details] [diff] [review]
Fix

>diff --git a/js/src/jit-test/tests/basic/bug654073.js b/js/src/jit-test/tests/basic/bug654073.js

>+this.__proto__ = null;
>+Math.__proto__.__proto__ = this;
>+for (x in Math.__proto__) {}

I think this would be a clearer equivalent that's easier to read, because it doesn't require dredging up prototype chain details from memory:

this.__proto__ = null;
Object.prototype.__proto__ = this;
for (var x in Object.prototype);

        Attachment #529700 -
        Flags: review?(jwalden+bmo) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/a15c6194d2f0
Whiteboard: [fixed-in-tracemonkey]
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_GetClassPrototype]
[@ JSID_IS_VOID]
[@ js::PropertyTable::search]

    
    

    
  
TB9.0.1 crashed. OS is openSuSE 11.4.
Please re-open this bug.
Crash Signature: [@ js::PropertyTable::search ]
ID: 0463ff9f-d0fd-4642-bb16-50e2d2120108

    
    

    
  
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug654073.js.
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.