Bug 704138 - [ObjShrink]: Crash on Heap with Proxy
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla11
Assigned To: Brian Hackett (:bhackett)
QA Contact: Jason Orendorff [:jorendorff]
Depends on:
Blocks: infer-regress langfuzz
Reported: 2011-11-21 07:29 PST by Christian Holler (:decoder)
Modified: 2013-01-14 07:50 PST (History)
Flags: choller: in-testsuite+

Attachment: patch (1.80 KB, patch)
2011-11-22 14:26 PST, Brian Hackett (:bhackett)
luke: review+

Description Christian Holler (:decoder) 2011-11-21 07:29:51 PST
The following testcase crashes on jaegermonkey branch revision a335853be219 (run with -m -n -a), tested on 64 bit:

function TestCase(n, d, e, a) {}
function reportCompare (expected, actual, description) {
  new TestCase
}
reportCompare(true, "isGenerator" in Function, "Function.prototype.isGenerator present");
var p = Proxy.create({
    has : function(id) {}
});
function test() {
    if (new TestCase)
        new TestCase;
}
Comment 1 Christian Holler (:decoder) 2011-11-21 07:30:35 PST
Backtrace from GDB:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f5c909 in ?? ()
(gdb) bt
#0  0x00007ffff7f5c909 in ?? ()
#1  0x00007ffff7f5c940 in ?? ()
#2  0x0000000000000001 in ?? ()
#3  0x0000000000000000 in ?? ()
(gdb) x /4i $pc
=> 0x7ffff7f5c909:      cmp    %r11,(%r8)
   0x7ffff7f5c90c:      jne    0x7ffff7f5c937
   0x7ffff7f5c912:      movabs $0xfff9000000000000,%r10
   0x7ffff7f5c91c:      or     %r9,%r10
(gdb) info register r8 r11
r8             0x0      0
r11            0x7ffff6010d30   140737320652080
Comment 2 Brian Hackett (:bhackett) 2011-11-22 14:26:19 PST
Created attachment 576293 [details] [diff] [review]

Regression from bug 703047.  The ADDPROP IC did not check at all for uncacheable or non-native prototypes on the prototype chain, which earlier could manifest in incorrect behavior but now can cause a NULL deref.
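A toy C model of the guard comment 2 describes, added here and not SpiderMonkey's own code: the pre-fix guard dereferences each prototype's shape unconditionally and faults on a shape-less proxy, while the fixed guard refuses to attach the cache when a non-native prototype sits on the chain. The struct layout, the key computation and the constructed chains are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed toy model, not SpiderMonkey's data structures: a native object
 * carries a Shape describing its property layout; a scripted proxy
 * (Proxy.create) has none, so its shape pointer is NULL. */
typedef struct Shape { int id; } Shape;
typedef struct Obj {
    bool         is_native;  /* false for a proxy object */
    const Shape *shape;      /* NULL when !is_native */
    struct Obj  *proto;      /* next object on the prototype chain */
} Obj;

/* Pre-fix guard: every prototype is assumed native and its shape is read to
 * build the cache key; a proxy on the chain gives a NULL read (cf. r8 == 0). */
static int addprop_guard_buggy(const Obj *obj) {
    int key = 0;
    for (const Obj *p = obj->proto; p != NULL; p = p->proto)
        key = key * 31 + p->shape->id;   /* NULL deref when p is a proxy */
    return key;
}

/* Fixed guard: a non-native or shape-less prototype is uncacheable, so
 * return -1 and leave the property add to the slow path. */
static int addprop_guard_fixed(const Obj *obj) {
    int key = 0;
    for (const Obj *p = obj->proto; p != NULL; p = p->proto) {
        if (!p->is_native || p->shape == NULL)
            return -1;                   /* do not attach the cache */
        key = key * 31 + p->shape->id;
    }
    return key;
}

/* Chain with a proxy two links up: fixed guard declines with -1 where the
 * buggy one would fault. */
static int demo_proxy_chain(void) {
    static const Shape s = { 7 };
    Obj proxy = { false, NULL, NULL };
    Obj proto = { true, &s, &proxy };
    Obj instance = { true, &s, &proto };
    return addprop_guard_fixed(&instance);
}

/* All-native chain (shape ids 7, then 3): both guards return 7*31+3 = 220. */
static int demo_native_chain(void) {
    static const Shape a = { 7 }, b = { 3 };
    Obj root = { true, &b, NULL };
    Obj proto = { true, &a, &root };
    Obj instance = { true, &a, &proto };
    return addprop_guard_buggy(&instance) == 220 ? addprop_guard_fixed(&instance) : -2;
}
```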
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2012-03-05 11:18:31 PST
In November 2011,

This landed on mozilla-inbound:

and mozilla-central:

which should be Firefox 11 in the nightlies.
Comment 4 Mihaela Velimiroviciu (:mihaelav) 2012-03-07 01:49:06 PST
Ubuntu 11.04 64bit

I built jaegermonkey for the latest beta build (rev d46a4577a631) and ran the test from comment #: no crash occurred.

Marking verified for Firefox 11.
Comment 5 Mihaela Velimiroviciu (:mihaelav) 2012-03-16 06:55:49 PDT
Ubuntu 11.04 64bit

I built jaegermonkey for the latest beta build (rev 4027017bbaba) and ran the test from comment #: no crash occurred.

Marking verified for Firefox 12.
Comment 6 Mihaela Velimiroviciu (:mihaelav) 2012-05-08 23:19:05 PDT
Ubuntu 11.10 64bit

I built jaegermonkey for the latest beta review (64ffbdd90ac0) and ran the test from the bug description: no crash occurred.

Marking verified for Firefox 13.
Comment 7 Christian Holler (:decoder) 2013-01-14 07:50:41 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug704138.js.
