Closed Bug 807943 Opened 13 years ago Closed 13 years ago

IonMonkey: Crash [@ js::GetObjectClass] or Opt-Crash [@ js::ion::GetPropertyCache]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 807047

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:])

Crash Data

The following testcase crashes on mozilla-central revision 556b9cfb269f (run with --ion-eager): var lfcode = new Array(); lfcode.push("var actual = '';\ function f() {\ var ss = [new String(\"abc\"), new String(\"foobar\"), ({}).abstract];\ for (var i = 0; i < 12; ++i) {\ actual += ss[i%3].length + ',';\ }\ }\ f();\ "); var lfRunTypeId = -1; loadFile(lfcode.shift()); function loadFile(lfVarx) { if (lfVarx.substr(-3) != ".js") { switch (lfRunTypeId) { default: evaluate(lfVarx); break; } } }
Crash trace: ==6367== Invalid read of size 4 ==6367== at 0x804D004: js::GetObjectClass(JSObject*) (jsfriendapi.h:359) ==6367== by 0x804D1C6: js::IsProxy(JSObject*) (jsproxy.h:247) ==6367== by 0x804F988: JSObject::isProxy() const (jsobjinlines.h:1184) ==6367== by 0x84EB220: IsCacheableListBase(JSObject*) (IonCaches.cpp:86) ==6367== by 0x84EDD05: TryAttachNativeGetPropStub(JSContext*, js::ion::IonScript*, js::ion::IonCacheGetProperty&, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, js::ion::SafepointIndex const*, void*, bool*) (IonCaches.cpp:710) ==6367== by 0x84EE4C2: js::ion::GetPropertyCache(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) (IonCaches.cpp:814) ==6367== by 0x9A762A1: ??? ==6367== Address 0x0 is not stack'd, malloc'd or (recently) free'd
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 111708:4a2c17905a17 user: Nicolas B. Pierron date: Mon Oct 29 14:48:45 2012 -0700 summary: Bug 792631 - Add IC for missing properties. r=dvander This iteration took 4.864 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f4aeed115e54).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 112365:197b182baf4f user: Nicolas B. Pierron date: Mon Nov 05 16:40:41 2012 -0800 summary: Bug 807047 - Only use missing property cache on non-idempotent IC. r=jandem This iteration took 103.754 seconds to run.
Resolving as duplicate based on previous comment and marking s-s because the duplicated bug is sec-critical.
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.