791217 - Crash on Heap

Status: RESOLVED DUPLICATE of bug 792944

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

Attachment: Testcase for shell

The attached testcase crashes on mozilla-central revision fdfaef738a00 (run with --ion-eager).

Comment 1

[Christian Holler (:decoder)]

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f20097 in ?? ()
(gdb) bt
#0  0x00007ffff7f20097 in ?? ()
#1  0xfffbfffff5f1e200 in ?? ()
#2  0x00007ffff5f1e140 in ?? ()
#3  0x00007ffff5f1e200 in ?? ()
#4  0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x7ffff7f20097:      mov    (%rax),%r8
(gdb) info reg rax r8
rax            0x0      0
r8             0x7ffff5f19948   140737319639368

Looks like a null-deref but since this is in generated code, locking s-s until investigated.

Comment 2

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 85df971e0db1).

Comment 3

[Christian Holler (:decoder)]

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   108016:640ffc5bc79c
user:        Jan de Mooij
date:        Tue Sep 25 16:16:46 2012 +0200
summary:     Bug 792944 - Idempotent caches should reject singleton properties that require monitoring. r=dvander

This iteration took 94.785 seconds to run.

Comment 4

[Christian Holler (:decoder)]

dvander, jandem, is the fix in comment 3 plausible? Can we close as dup or wfm?

Comment 5

[David Anderson [:dvander] - inactive, e-mail if emergency]

Thanks for bisecting. Yup, that looks very similar, the bug is that undefined (which looks like a NULL in generated assembly) flows through as an object pointer.