Closed Bug 705895 Opened 12 years ago Closed 12 years ago

[ObjShrink] Crash with testcase at weird location (likely null deref)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

stack
480 bytes, text/plain
Details
patch
4.72 KB, patch
luke
: review+
Details | Diff | Splinter Review
Attached file stack 
c = (0).__proto__
function f(o) {
    o.__proto__ = null
    for (x in o) {}
}
for (i = 0; i < 9; i++) {
    f(c)
    Function.prototype.__proto__.__proto__ = c
    for (x in Function.prototype.__proto__) {}
    f(Math.__proto__)
}

crashes js debug shell on JM changeset 5546f57c9567 with -m at an unknown location, but likely a null deref (see the weird stack).

function f(o) {
    for (j = 0; j < 9; j++) {
        if (j) {
            o.__proto__ = null
        }
        for (v in o) {}
    }
}
for (i = 0; i < 9; i++) {
    (new Boolean).__proto__.__defineGetter__("toString", function() {})
    f(Boolean.prototype)
}

is another testcase which crashes weirdly, but with -m and -a.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80261:fedf9dae8db5
user:        Brian Hackett
date:        Fri Nov 18 13:28:07 2011 -0800
summary:     Mark uncacheable prototypes on objects whose prototype has dynamically changed, bug 703047.
Attached patch patchSplinter Review 
Two related problems.  First, marking an object as having an uncacheable proto did not guarantee a shape change for dictionaries.  Second, entries in the native iterator cache could be generated for objects with uncacheable protos.  I also noticed a third problem, which is that shape accesses when checking for a match on the last native iterator were doing 32 bit rather than pointer-size loads and compares.
Assignee: general → bhackett1024
Attachment #577441 - Flags: review?(luke)
Attachment #577441 - Flags: review?(luke) → review+
This eventually landed on m-c:

http://hg.mozilla.org/mozilla-central/rev/1e8c03ba91d0
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug705895-1.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.