Closed Bug 705091 Opened 13 years ago Closed 13 years ago

Crash [@ JSObject::lookupGeneric] with JS shell workers

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: js-triage-needed)

The following test crashes on mozilla-central revision 5ebeef1eabcb (no options required):

var N = 100 * 1000;
var a = new Array(N);
for (var i = 0; i != N; ++i) {
  a[i] = ( 'test' || a+1 ? this : this );
}
var w = Worker(a);
w.postMessage("8\t");

I assume this issue is shell-only due to how the Worker object is used here (and this test doesn't work in browser), but you might want to confirm that.

Backtrace:

(gdb) bt
#0  0x0000000000416221 in JSObject::lookupGeneric (this=0x7fffe9e00060, cx=0x1032270, id=..., objp=0x7fffec4f8c10, propp=0x7fffec4f8c08) at ../../jsobjinlines.h:1271
#1  0x000000000044837b in LookupPropertyById (cx=0x1032270, obj=0x7fffe9e00060, id=..., flags=5, objp=0x7fffec4f8c10, propp=0x7fffec4f8c08) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsapi.cpp:3357
#2  0x0000000000448ba6 in JS_HasPropertyById (cx=0x1032270, obj=0x7fffe9e00060, id=..., foundp=0x7fffec4f8d04) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsapi.cpp:3466
#3  0x0000000000448d82 in JS_HasProperty (cx=0x1032270, obj=0x7fffe9e00060, name=0x79fbe2 "onmessage", foundp=0x7fffec4f8d04) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsapi.cpp:3485
#4  0x000000000041902a in js::workers::Event::dispatch (this=0x1036130, cx=0x1032270, thisobj=0x7fffe9e00060, dataPropName=0x79fbec "data", methodName=0x79fbe2 "onmessage", noHandler=js::workers::Event::ok) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/shell/jsworkers.cpp:332
#5  0x000000000041b52b in js::workers::DownMessageEvent::process (this=0x1036130, cx=0x1032270) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/shell/jsworkers.cpp:939
#6  0x0000000000418158 in js::workers::Worker::processOneEvent (this=0xb83430) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/shell/jsworkers.cpp:1147
#7  0x0000000000417a59 in js::workers::WorkerQueue::work (this=0xb8b990) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/shell/jsworkers.cpp:1036
#8  0x000000000041983f in js::workers::ThreadPool::start (arg=0xb8b990) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/shell/jsworkers.cpp:460
#9  0x00007ffff75a66b3 in ?? () from /lib64/libnspr4.so
#10 0x00007ffff7bc87e1 in start_thread () from /lib64/libpthread.so.0
#11 0x00007ffff692f73d in clone () from /lib64/libc.so.6
(gdb) x /4i $pc
=> 0x416221 <JSObject::lookupGeneric(JSContext*, jsid, JSObject**, JSProperty**)+41>: mov (%rax),%rax
   0x416224 <JSObject::lookupGeneric(JSContext*, jsid, JSObject**, JSProperty**)+44>: mov %rax,-0x18(%rbp)
   0x416228 <JSObject::lookupGeneric(JSContext*, jsid, JSObject**, JSProperty**)+48>: cmpq $0x0,-0x18(%rbp)
   0x41622d <JSObject::lookupGeneric(JSContext*, jsid, JSObject**, JSProperty**)+53>: je 0x416235 <JSObject::lookupGeneric(JSContext*, jsid, JSObject**, JSProperty**)+61>
(gdb) info register rax
rax 0xdadadadadadadb92 -2676586395008836718

Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Resolution: WONTFIX → FIXED
(actually, FIXED by the removal of Worker, a known patch in bug 771281 - hurray!)