Closed
Bug 756779
Opened 13 years ago
Closed 13 years ago
IonMonkey: Crash [@ js::Shape::getObjectClass] with use-after-free
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 756851
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])
The following testcase crashes on ionmonkey revision 890dd17b4187 (run with --ion -n):
gczeal(2);
var p = Proxy.create({ getOwnPropertyNames: function() { return ["1","1"]; } }, null);
var ap = Object.getOwnPropertyNames(p);
function ScaleConstraint() {}
function deltaBlue() {
new ScaleConstraint();
}
for (var n = 0; n<100; n-- ) {
deltaBlue()
}
Reporter
Comment 1•13 years ago
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0804d287 in js::Shape::getObjectClass (this=0xf770c430) at ../../jsscope.h:609
609 Class *getObjectClass() const { return base()->clasp; }
Missing separate debuginfos, use: debuginfo-install libgcc-4.4.6-3.el6.i686 libstdc++-4.4.6-3.el6.i686
(gdb) bt
#0 0x0804d287 in js::Shape::getObjectClass (this=0xf770c430) at ../../jsscope.h:609
#1 0x0804e4bb in js::ObjectImpl::getClass (this=0xf770c3d0) at ../../vm/ObjectImpl-inl.h:245
#2 0x0804e4cf in js::ObjectImpl::hasClass (this=0xf770c3d0, c=0x875e100) at ../../vm/ObjectImpl-inl.h:257
#3 0x0804eb19 in JSObject::isFunction (this=0xf770c3d0) at ../../jsobjinlines.h:798
#4 0x081229bc in TypeConstraintCall::newType (this=0x87babb8, cx=0x87acf88, source=0x87baae0, type=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:1136
#5 0x0809f0c3 in js::types::TypeCompartment::resolvePending (this=0x87ad96c, cx=0x87acf88) at ../jsinferinlines.h:850
#6 0x08120f3d in js::types::TypeSet::add (this=0x87baae0, cx=0x87acf88, constraint=0x87babb8, callExisting=true) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:430
#7 0x0812175c in js::types::TypeSet::addCall (this=0x87baae0, cx=0x87acf88, site=0x87bab98) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:675
#8 0x0812b504 in js::analyze::ScriptAnalysis::analyzeTypesBytecode (this=0x87b9a30, cx=0x87acf88, offset=7, state=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:3846
#9 0x0812c3ae in js::analyze::ScriptAnalysis::analyzeTypes (this=0x87b9a30, cx=0x87acf88) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:4184
#10 0x0811febf in JSScript::ensureRanInference (this=0xf7706178, cx=0x87acf88) at ../jsinferinlines.h:1492
#11 0x08474dd8 in js::ion::TypeInferenceOracle::init (this=0xffffc0f8, cx=0x87acf88, script=0xf7706178) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/TypeOracle.cpp:59
#12 0x083f2053 in IonCompile (cx=0x87acf88, script=0xf7706178, fp=0xf79ce070, osrPc=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:769
#13 0x083f257b in Compile (cx=0x87acf88, script=0xf7706178, fp=0xf79ce070, osrPc=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:860
#14 0x083f2912 in js::ion::CanEnter (cx=0x87acf88, script=0xf7706178, fp=0xf79ce070, newType=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:929
#15 0x081569ec in js::Interpret (cx=0x87acf88, entryFrame=0xf79ce020, interpMode=js::JSINTERP_NORMAL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:2852
[...]
(gdb) x /i $pc
=> 0x804d287 <js::Shape::getObjectClass() const+17>: mov (%eax),%eax
(gdb) info reg eax
eax 0xdadadada -623191334
Reporter
Comment 2•13 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 80e4ab0d24bc).
Reporter
Updated•13 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Updated•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Reporter
Updated•13 years ago
Group: core-security