Last Comment Bug 705895 - [ObjShrink] Crash with testcase at weird location (likely null deref)
: [ObjShrink] Crash with testcase at weird location (likely null deref)
Status: RESOLVED FIXED
: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Linux
: -- critical (vote)
: ---
Assigned To: Brian Hackett (:bhackett)
:
: Jason Orendorff [:jorendorff]
Mentors:
: 705859 (view as bug list)
Depends on:
Blocks: 703047 630996
  Show dependency treegraph
 
Reported: 2011-11-28 14:31 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 07:55 PST (History)
3 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
stack (480 bytes, text/plain)
2011-11-28 14:31 PST, Gary Kwong [:gkw] [:nth10sd]
no flags Details
patch (4.72 KB, patch)
2011-11-28 17:30 PST, Brian Hackett (:bhackett)
luke: review+
Details | Diff | Splinter Review

Description Gary Kwong [:gkw] [:nth10sd] 2011-11-28 14:31:22 PST
Created attachment 577381 [details]
stack

c = (0).__proto__
function f(o) {
    o.__proto__ = null
    for (x in o) {}
}
for (i = 0; i < 9; i++) {
    f(c)
    Function.prototype.__proto__.__proto__ = c
    for (x in Function.prototype.__proto__) {}
    f(Math.__proto__)
}

crashes js debug shell on JM changeset 5546f57c9567 with -m at an unknown location, but likely a null deref (see the weird stack).

function f(o) {
    for (j = 0; j < 9; j++) {
        if (j) {
            o.__proto__ = null
        }
        for (v in o) {}
    }
}
for (i = 0; i < 9; i++) {
    (new Boolean).__proto__.__defineGetter__("toString", function() {})
    f(Boolean.prototype)
}

is another testcase which crashes weirdly, but with -m and -a.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80261:fedf9dae8db5
user:        Brian Hackett
date:        Fri Nov 18 13:28:07 2011 -0800
summary:     Mark uncacheable prototypes on objects whose prototype has dynamically changed, bug 703047.
Comment 1 Brian Hackett (:bhackett) 2011-11-28 17:30:55 PST
Created attachment 577441 [details] [diff] [review]
patch

Two related problems.  First, marking an object as having an uncacheable proto did not guarantee a shape change for dictionaries.  Second, entries in the native iterator cache could be generated for objects with uncacheable protos.  I also noticed a third problem, which is that shape accesses when checking for a match on the last native iterator were doing 32 bit rather than pointer-size loads and compares.
Comment 2 Brian Hackett (:bhackett) 2011-11-28 17:31:26 PST
https://hg.mozilla.org/projects/jaegermonkey/rev/1e8c03ba91d0
Comment 3 Brian Hackett (:bhackett) 2011-11-28 17:34:56 PST
*** Bug 705859 has been marked as a duplicate of this bug. ***
Comment 4 Gary Kwong [:gkw] [:nth10sd] 2011-12-12 17:46:03 PST
This eventually landed on m-c:

http://hg.mozilla.org/mozilla-central/rev/1e8c03ba91d0
Comment 5 Christian Holler (:decoder) 2013-01-14 07:55:57 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug705895-1.js.

Note You need to log in before you can comment on or make changes to this bug.