Closed Bug 704138 Opened 13 years ago Closed 13 years ago

[ObjShrink]: Crash on Heap with Proxy

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla11
Tracking Status
firefox11 --- verified
firefox12 --- verified
firefox13 --- verified

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(Keywords: crash, testcase, Whiteboard: [qa!])

Attachments

(1 file)

The following testcase crashes on jaegermonkey branch revision a335853be219 (run with -m -n -a), tested on 64 bit:

    function TestCase(n, d, e, a) this.name=n;
    function reportCompare (expected, actual, description) {
      new TestCase
    }
    reportCompare(true, "isGenerator" in Function, "Function.prototype.isGenerator present");
    var p = Proxy.create({ has : function(id) {} });
    function test() {
      Object.prototype.__proto__=null
      if (new TestCase)
        Object.prototype.__proto__=p
    }
    test();
    new TestCase;
    test()
Backtrace from GDB:

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7f5c909 in ?? ()
    (gdb) bt
    #0  0x00007ffff7f5c909 in ?? ()
    #1  0x00007ffff7f5c940 in ?? ()
    #2  0x0000000000000001 in ?? ()
    #3  0x0000000000000000 in ?? ()
    (gdb) x /4i $pc
    => 0x7ffff7f5c909: cmp    %r11,(%r8)
       0x7ffff7f5c90c: jne    0x7ffff7f5c937
       0x7ffff7f5c912: movabs $0xfff9000000000000,%r10
       0x7ffff7f5c91c: or     %r9,%r10
    (gdb) info register r8 r11
    r8             0x0      0
    r11            0x7ffff6010d30   140737320652080
Attached patch: patch
Regression from bug 703047. The ADDPROP IC did not check at all for uncacheable or non-native prototypes on the prototype chain, which earlier could manifest in incorrect behavior but now can cause a NULL deref. https://hg.mozilla.org/projects/jaegermonkey/rev/fedb520c3f3a
Assignee: general → bhackett1024
Attachment #576293 - Flags: review?(luke)
Attachment #576293 - Flags: review?(luke) → review+
In November 2011, this landed on mozilla-inbound: hg.mozilla.org/integration/mozilla-inbound/rev/fedb520c3f3a and mozilla-central: http://hg.mozilla.org/mozilla-central/rev/fedb520c3f3a which should be Firefox 11 in the nightlies.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
Whiteboard: [qa+]
Ubuntu 11.04 64-bit: I built jaegermonkey for the latest beta build (rev d46a4577a631) and ran the test from comment #: no crash occurred. Marking verified for Firefox 11.
Ubuntu 11.04 64-bit: I built jaegermonkey for the latest beta build (rev 4027017bbaba) and ran the test from comment #: no crash occurred. Marking verified for Firefox 12.
Ubuntu 11.10 64-bit: I built jaegermonkey for the latest beta review (64ffbdd90ac0) and ran the test from the bug description: no crash occurred. Marking verified for Firefox 13.
Status: RESOLVED → VERIFIED
Whiteboard: [qa+] → [qa!]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug704138.js.
Flags: in-testsuite+