763440 - IonMonkey: Crash [@ js::Proxy::set] with use-after-free and gcPreserveCode

Status: RESOLVED DUPLICATE of bug 762936

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager):


var summary = '';
var actual = '';
gcPreserveCode()
function TestCase(n, d, e, a) {
  this.name=n;
}
function reportCompare (expected, actual, description) {
  new TestCase
}
reportCompare(true, eval++, "Function.prototype.isGenerator present");
var p = Proxy.create({
    has : function(id) {}
});
Object.prototype.__proto__ = p;
new TestCase;
var expect = '';
reportCompare(expect, actual, summary);
gczeal(4);
try {
  evalcx(".");
} catch (e) {}
reportCompare(expect, actual, summary);

Comment 1

[Christian Holler (:decoder)]

Crash trace:

==24613== Invalid read of size 4
==24613==    at 0x81DBB98: js::Proxy::set(JSContext*, JSObject*, JSObject*, jsid, bool, JS::Value*) (jsproxy.cpp:1108)
==24613==    by 0x81DCF59: proxy_SetGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Value*, int) (jsproxy.cpp:1338)
==24613==    by 0x8198201: JSObject::nonNativeSetProperty(JSContext*, JS::Handle<jsid>, JS::Value*, int) (jsobj.cpp:3083)
==24613==    by 0x807284F: JSObject::setGeneric(JSContext*, JS::Handle<jsid>, JS::Value*, int) (jsobjinlines.h:93)
==24613==    by 0x84CFCB7: js::ion::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, bool, bool) (VMFunctions.cpp:316)
==24613==    by 0x847074A: js::ion::SetPropertyCache(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool) (IonCaches.cpp:612)
==24613==    by 0x9CCBA95: ???
==24613==  Address 0xdadadada is not stack'd, malloc'd or (recently) free'd

Comment 3

[Christian Holler (:decoder)]

Test added:

https://hg.mozilla.org/integration/mozilla-inbound/rev/b52d521ba824

Comment 4

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/b52d521ba824