Closed Bug 714645 Opened 8 years ago Closed 8 years ago

Crash [@ js::HeapPtr<js::Shape, unsigned long>::operator]

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla12
Tracking Status
firefox9 --- unaffected
firefox10 --- unaffected
firefox11 --- unaffected

People

(Reporter: decoder, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: js-triage-needed)

Crash Data

Attachments

(1 file)

The following test crashes on mozilla-central revision d98fbf3cbd71 (options -m -n):


function testAddInconvertibleObjectAny() {
  var count = 0;
  function toString() {  }
  try {
    for (var i = 0; i < 100; i++)
        var q = count[count] && this ? testAddInconvertibleObjectAny : ++toString;
  }  catch (e)  {
    var dbg = count(toString);
  }
}
testAddInconvertibleObjectAny();


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000415d04 in js::HeapPtr<js::Shape, unsigned long>::operator js::Shape* (this=0x0) at ../../gc/Barrier.h:231
231         operator T*() const { return value; }
(gdb) bt
#0  0x0000000000415d04 in js::HeapPtr<js::Shape, unsigned long>::operator js::Shape* (this=0x0) at ../../gc/Barrier.h:231
#1  0x0000000000412cc0 in JSObject::lastProperty (this=0x0) at ../../jsobj.h:485
#2  0x0000000000413a02 in JSObject::getClass (this=0x0) at ../../jsscope.h:1188
#3  0x00000000004445d1 in JSObject::defaultValue (this=0x0, cx=0xb475c0, hint=JSTYPE_NUMBER, vp=0x7fffffffc790) at ../jsobjinlines.h:128
#4  0x0000000000514a1f in js::ToPrimitive (cx=0xb475c0, preferredType=JSTYPE_NUMBER, vp=0x7fffffffc790) at ../jsobjinlines.h:1507
#5  0x0000000000517ac4 in js::ToNumberSlow (cx=0xb475c0, v=..., out=0x7fffffffc810) at /srv/repos/mozilla-central/js/src/jsnum.cpp:1259
#6  0x0000000000442d34 in js::ToNumber (cx=0xb475c0, v=..., out=0x7fffffffc810) at ../jsnum.h:258
#7  0x0000000000768c85 in js::mjit::stubs::Sub (f=...) at /srv/repos/mozilla-central/js/src/methodjit/StubCalls.cpp:1027
#8  0x00007ffff7f403c9 in ?? ()
#9  0x00007ffff7f40a4f in ?? ()
#10 0x0000000000000001 in ?? ()
#11 0x0000000000000000 in ?? ()
Blocks: 714648
Duplicate of this bug: 714651
Duplicate of this bug: 714648
Attached patch: patch
Regression from bug 704387.  Writes to variables within try blocks were not being properly marked, which broke the SSA analysis now done for such variables.
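The root cause stated in the comment above (writes inside try blocks not being marked, which breaks the SSA analysis of those variables) is easier to see on a tiny model. What follows is an added example written for this page, not SpiderMonkey code and not the patch: a toy reaching-definitions analysis over a constructed IR that mirrors the testcase's `toString` variable, which starts as a function and is overwritten by `++toString` inside the try loop. The `try` pseudo-instruction, the `mayThrow` flags, the definition names `d0`/`d1` and the `markTryWrites` switch are modelling assumptions. When writes inside the try region are marked, both definitions of `toString` reach the catch handler; when they are ignored, the analysis concludes that only the original function definition reaches it, and any consumer of that result (type inference, a JIT) is then working from a stale assumption about the variable.

```javascript
// Added example (constructed IR), not SpiderMonkey's analysis.
// Definition facts are strings "var:def" so that Sets compare by value.
//
// Instruction forms:
//   { op: 'assign', v, def, mayThrow }   write to variable v
//   { op: 'use',    v, mayThrow }        read of v (e.g. a call that may throw)
//   { op: 'branch', target }             conditional: target or fall through
//   { op: 'jump',   target }
//   { op: 'try',    start, end, handler } region [start, end] inclusive
//   { op: 'end' }

// Hypothetical straight-line rendering of the testcase's use of `toString`.
const PROGRAM = [
  /*0*/ { op: 'assign', v: 'toString', def: 'd0', mayThrow: false }, // function toString() {}
  /*1*/ { op: 'try', start: 2, end: 3, handler: 5 },
  /*2*/ { op: 'assign', v: 'toString', def: 'd1', mayThrow: true },  // ++toString: ToNumber runs user code, may throw
  /*3*/ { op: 'branch', target: 2, mayThrow: false },                // i < 100: loop back or leave the try
  /*4*/ { op: 'jump', target: 6 },                                   // normal exit skips the handler
  /*5*/ { op: 'use', v: 'toString', mayThrow: true },                // catch: count(toString)
  /*6*/ { op: 'end' },
];

// Names of the definitions of variable v contained in a fact set, sorted.
function defsOf(set, v) {
  return [...set]
    .filter(d => d.startsWith(v + ':'))
    .map(d => d.slice(v.length + 1))
    .sort();
}

// Iterative reaching-definitions analysis. An instruction that may throw
// hands the handler the state *before* it executed (IN[k]), because the
// write has not happened yet when the exception is raised. With
// markTryWrites=false the handler instead sees only the state at try entry,
// i.e. writes made inside the region are invisible to it (the bug's shape).
function reachingDefs(code, markTryWrites) {
  const n = code.length;
  const preds = Array.from({ length: n }, () => []);
  for (let i = 0; i < n; i++) {
    const ins = code[i];
    if (ins.op === 'jump') { preds[ins.target].push(i); continue; }
    if (ins.op === 'branch') preds[ins.target].push(i);
    if (ins.op !== 'end' && i + 1 < n) preds[i + 1].push(i);
  }
  const IN = Array.from({ length: n }, () => new Set());
  const OUT = Array.from({ length: n }, () => new Set());
  // Transfer function: an assignment kills every other def of its variable.
  const transfer = (ins, inSet) => {
    const out = new Set([...inSet].filter(
      d => ins.op !== 'assign' || !d.startsWith(ins.v + ':')));
    if (ins.op === 'assign') out.add(ins.v + ':' + ins.def);
    return out;
  };
  let changed = true;
  while (changed) {                      // facts only grow, so sizes suffice
    changed = false;
    for (let i = 0; i < n; i++) {
      const inSet = new Set();
      for (const p of preds[i]) for (const d of OUT[p]) inSet.add(d);
      // Exceptional edges into instruction i if it is some region's handler.
      for (let t = 0; t < n; t++) {
        const tr = code[t];
        if (tr.op !== 'try' || tr.handler !== i) continue;
        for (let k = tr.start; k <= tr.end; k++) {
          if (!code[k].mayThrow) continue;
          const src = markTryWrites ? IN[k] : OUT[t];
          for (const d of src) inSet.add(d);
        }
      }
      const outSet = transfer(code[i], inSet);
      if (inSet.size !== IN[i].size || outSet.size !== OUT[i].size) changed = true;
      IN[i] = inSet;
      OUT[i] = outSet;
    }
  }
  return { IN, OUT };
}

// Definitions of `toString` that the catch handler (instruction 5) can observe.
function handlerDefs(markTryWrites) {
  const { IN } = reachingDefs(PROGRAM, markTryWrites);
  return defsOf(IN[5], 'toString');
}

console.log('writes in try marked:  ', handlerDefs(true));   // [ 'd0', 'd1' ]
console.log('writes in try ignored: ', handlerDefs(false));  // [ 'd0' ]
```

The loop back-edge matters: on the second pass through the try body, `toString` already holds `d1`, so an exception thrown from `++toString` can reach the handler with either definition live. An analysis that drops the in-region write reports a single definition, which is the kind of false single-definition result the comment describes.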
Assignee: general → bhackett1024
Attachment #585339 - Flags: review?(dvander)
Attachment #585339 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/d9011e124a95
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Blocks: 704387
Keywords: regression
Depends on: 723773
Duplicate of this bug: 771837
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug714645.js.
Flags: in-testsuite+