Closed
Bug 807943
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ js::GetObjectClass] or Opt-Crash [@ js::ion::GetPropertyCache]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 807047
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:])
Crash Data
The following testcase crashes on mozilla-central revision 556b9cfb269f (run with --ion-eager):
var lfcode = new Array();
lfcode.push("var actual = '';\
function f() {\
var ss = [new String(\"abc\"), new String(\"foobar\"), ({}).abstract];\
for (var i = 0; i < 12; ++i) {\
actual += ss[i%3].length + ',';\
}\
}\
f();\
");
var lfRunTypeId = -1;
loadFile(lfcode.shift());
function loadFile(lfVarx) {
if (lfVarx.substr(-3) != ".js") {
switch (lfRunTypeId) {
default: evaluate(lfVarx); break;
}
}
}
|
Reporter | |
Comment 1•12 years ago
|
||
Crash trace: ==6367== Invalid read of size 4 ==6367== at 0x804D004: js::GetObjectClass(JSObject*) (jsfriendapi.h:359) ==6367== by 0x804D1C6: js::IsProxy(JSObject*) (jsproxy.h:247) ==6367== by 0x804F988: JSObject::isProxy() const (jsobjinlines.h:1184) ==6367== by 0x84EB220: IsCacheableListBase(JSObject*) (IonCaches.cpp:86) ==6367== by 0x84EDD05: TryAttachNativeGetPropStub(JSContext*, js::ion::IonScript*, js::ion::IonCacheGetProperty&, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, js::ion::SafepointIndex const*, void*, bool*) (IonCaches.cpp:710) ==6367== by 0x84EE4C2: js::ion::GetPropertyCache(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) (IonCaches.cpp:814) ==6367== by 0x9A762A1: ??? ==6367== Address 0x0 is not stack'd, malloc'd or (recently) free'd
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 2•12 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 111708:4a2c17905a17 user: Nicolas B. Pierron date: Mon Oct 29 14:48:45 2012 -0700 summary: Bug 792631 - Add IC for missing properties. r=dvander This iteration took 4.864 seconds to run.
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 3•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f4aeed115e54).
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
|
|
Reporter | |
Comment 4•12 years ago
|
||
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 112365:197b182baf4f user: Nicolas B. Pierron date: Mon Nov 05 16:40:41 2012 -0800 summary: Bug 807047 - Only use missing property cache on non-idempotent IC. r=jandem This iteration took 103.754 seconds to run.
|
|
Reporter | |
Comment 5•12 years ago
|
||
Resolving as duplicate based on previous comment and marking s-s because the duplicated bug is sec-critical.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•