Closed Bug 705895 Opened 13 years ago Closed 13 years ago

[ObjShrink] Crash with testcase at weird location (likely null deref)

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

Attached file stack
c = (0).__proto__
function f(o) {
    o.__proto__ = null
    for (x in o) {}
}
for (i = 0; i < 9; i++) {
    f(c)
    Function.prototype.__proto__.__proto__ = c
    for (x in Function.prototype.__proto__) {}
    f(Math.__proto__)
}

crashes js debug shell on JM changeset 5546f57c9567 with -m at an unknown location, but likely a null deref (see the weird stack).

function f(o) {
    for (j = 0; j < 9; j++) {
        if (j) {
            o.__proto__ = null
        }
        for (v in o) {}
    }
}
for (i = 0; i < 9; i++) {
    (new Boolean).__proto__.__defineGetter__("toString", function() {})
    f(Boolean.prototype)
}

is another testcase which crashes weirdly, but with -m and -a.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80261:fedf9dae8db5
user:        Brian Hackett
date:        Fri Nov 18 13:28:07 2011 -0800
summary:     Mark uncacheable prototypes on objects whose prototype has dynamically changed, bug 703047.
Attached patch: patch
Two related problems. First, marking an object as having an uncacheable proto did not guarantee a shape change for dictionaries. Second, entries in the native iterator cache could be generated for objects with uncacheable protos. I also noticed a third problem, which is that shape accesses when checking for a match on the last native iterator were doing 32 bit rather than pointer-size loads and compares.
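The second problem above (native iterator cache entries for objects whose proto can change) is the kind of defect a behavioural regression test catches. The following is an added example, not code from the bug or the patch; it mirrors the reporter's testcases (proto cleared mid-loop, and a prototype higher up the chain swapped) and records which keys for-in actually enumerates, so any stale cached iterator would show up as a wrong key set. Function names and the constructed objects are this example's own.

```javascript
// Added regression-style check (not from the bug report): for-in walks the
// prototype chain, so an engine that caches a native iterator per object shape
// must drop that entry once a prototype on the chain changes dynamically.
function enumerateKeys(o) {
  const keys = [];
  for (const k in o) keys.push(k);
  return keys.sort().join(",");
}

// Scenario 1: the object's own prototype is cleared mid-loop, as the
// reporter's f() does with `o.__proto__ = null`.
function ownProtoCleared(iterations) {
  const target = Object.create({ inherited: 1 });
  target.own = 2;
  const seen = new Set(); // distinct key sets observed, in first-seen order
  for (let i = 0; i < iterations; i++) {
    if (i === iterations >> 1) Object.setPrototypeOf(target, null);
    seen.add(enumerateKeys(target));
  }
  return [...seen]; // expected: ["inherited,own", "own"]
}

// Scenario 2: a prototype further up the chain is swapped, as
// `Function.prototype.__proto__.__proto__ = c` does in the first testcase;
// the object's own shape is untouched but its enumeration must still change.
function grandparentProtoSwapped(iterations) {
  const parent = Object.create({ fromGrandparent: 1 });
  const target = Object.create(parent);
  target.own = 2;
  const seen = new Set();
  for (let i = 0; i < iterations; i++) {
    if (i === iterations >> 1) Object.setPrototypeOf(parent, { replaced: 3 });
    seen.add(enumerateKeys(target));
  }
  return [...seen]; // expected: ["fromGrandparent,own", "own,replaced"]
}

// True only if every enumeration reflected the live prototype chain at the
// time it ran, i.e. no stale cached iterator was reused after a proto change.
function allScenariosConsistent(iterations) {
  return ownProtoCleared(iterations).join("|") === "inherited,own|own"
      && grandparentProtoSwapped(iterations).join("|") === "fromGrandparent,own|own,replaced";
}
```

Run it with a large iteration count so the for-in loops are hot enough to reach a JIT-compiled, cached path before the prototype is changed.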
Assignee: general → bhackett1024
Attachment #577441 - Flags: review?(luke)
Attachment #577441 - Flags: review?(luke) → review+
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug705895-1.js.
Flags: in-testsuite+