IonMonkey: Crash [@ js::Shape::attributes] or Opt-crash [@ SuppressDeletedPropertyHelper<SingleStringPredicate>]

RESOLVED DUPLICATE of bug 829813

Status
Product: Core
Component: JavaScript Engine
Severity: critical
Reported: 6 years ago
Modified: 5 years ago

People
Reporter: decoder
Assignee: Unassigned

Tracking
Blocks: 1 bug
Keywords: crash, testcase
Version: Trunk
Platform: x86 Linux
Bug Flags: in-testsuite -
(Reporter)

Description

6 years ago
The following testcase crashes on mozilla-central revision 1761f4a9081c (run with --ion-eager):

Array.prototype[1] = 'y';   // inherited element at the same index that is deleted below
var a = [0, (8)];
for (var i in a) {
    delete a[1];            // delete an own element while the for-in iterator is live
}
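The semantics the testcase above exercises, as an added example that is not part of the bug report or of SpiderMonkey: a for-in loop that deletes an own array element while the iterator is live, once with an inherited element of the same index planted on Array.prototype (as the testcase does) and once without. The trace in comment 1 shows the engine doing this bookkeeping in js_SuppressDeletedProperty / SuppressDeletedPropertyHelper, which has to decide whether the deleted id is still visible through the prototype chain. The function name enumerateDeleting and the sample arrays are constructed for this example; it runs under any current engine (e.g. node) and does not reproduce the crash.

```javascript
// Added example (not from the bug report or SpiderMonkey): enumerate an
// array with for-in and delete one of its own elements while the iterator
// is live. Returns the [key, value] pairs the loop actually observed.
//
// Rule being demonstrated: a property deleted before the loop reaches it is
// skipped, unless a property with the same name is still visible further up
// the prototype chain, in which case the loop still visits it and reads the
// inherited value. The testcase above creates the second case by planting
// Array.prototype[1] before deleting a[1].
function enumerateDeleting(arr, deleteIndex, protoValue) {
  const proto = Object.getPrototypeOf(arr);          // Array.prototype for arrays
  const hadOwn = Object.prototype.hasOwnProperty.call(proto, deleteIndex);
  const saved = proto[deleteIndex];
  if (protoValue !== undefined) proto[deleteIndex] = protoValue;

  const visited = [];
  try {
    for (const key in arr) {
      visited.push([key, arr[key]]);
      delete arr[deleteIndex];   // deletion during enumeration (idempotent)
    }
  } finally {
    // Put the shared prototype back exactly as it was.
    if (hadOwn) proto[deleteIndex] = saved;
    else delete proto[deleteIndex];
  }
  return visited;
}

// Constructed inputs mirroring the testcase: a = [0, 8], delete a[1].
// With Array.prototype[1] = 'y' the loop still visits "1" and reads 'y';
// without it, "1" is dropped from the iteration.
const withProto = enumerateDeleting([0, 8], 1, "y");
const withoutProto = enumerateDeleting([0, 8], 1);
console.log(JSON.stringify(withProto));     // [["0",0],["1","y"]]
console.log(JSON.stringify(withoutProto));  // [["0",0]]
```

The difference between the two results is exactly the decision the suppression helper makes per deleted id: drop it from the live iterator, or keep it because a same-named property on the prototype chain still satisfies the lookup.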
(Reporter)

Comment 1

6 years ago
Debug trace:

==2524== Invalid read of size 1
==2524==    at 0x804E9EE: js::Shape::attributes() const (jsscope.h:760)
==2524==    by 0x8192A9E: bool SuppressDeletedPropertyHelper<SingleStringPredicate>(JSContext*, JS::Handle<JSObject*>, SingleStringPredicate) (jsiter.cpp:1106)
==2524==    by 0x818F393: js_SuppressDeletedProperty(JSContext*, JS::Handle<JSObject*>, jsid) (jsiter.cpp:1170)
==2524==    by 0x81B72D9: js::baseops::DeleteGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) (jsobj.cpp:4053)
==2524==    by 0x81B7670: js::baseops::DeleteElement(JSContext*, JS::Handle<JSObject*>, unsigned int, JS::MutableHandle<JS::Value>, int) (jsobj.cpp:4090)
==2524==    by 0x8077941: JSObject::deleteElement(JSContext*, JS::Handle<JSObject*>, unsigned int, JS::MutableHandle<JS::Value>, bool) (jsobjinlines.h:209)
==2524==    by 0x81ABF56: JSObject::deleteByValue(JSContext*, JS::Handle<JSObject*>, JS::Value const&, JS::MutableHandle<JS::Value>, bool) (jsobj.cpp:1574)
==2524==    by 0x817F1F0: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2136)
==2524==    by 0x817785A: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:348)
==2524==    by 0x817883C: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:537)
==2524==    by 0x8178AB8: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:577)
==2524==    by 0x809DCE3: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5608)
==2524==  Address 0xd is not stack'd, malloc'd or (recently) free'd
Crash Signature: [@ js::Shape::attributes] or Opt-crash [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] → [@ js::Shape::attributes] [@ SuppressDeletedPropertyHelper<SingleStringPredicate>]
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

6 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 2

6 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   118493:f4671ccc4502
user:        Brian Hackett
date:        Thu Jan 10 17:53:11 2013 -0700
summary:     Bug 827490 - Allow native objects to have both slots and dense elements, rm dense/slow array distinction, r=billm, dvander.

This iteration took 121.600 seconds to run.
(Reporter)

Comment 3

6 years ago
Needinfo from bhackett regarding comment 2 :)
Flags: needinfo?(bhackett1024)
Fix for this in bug 829813 (issue is not exactly the same, but very similar).
No longer blocks: 827490
Status: NEW → RESOLVED
Crash Signature: [@ js::Shape::attributes] [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] → [@ js::Shape::attributes] or Opt-crash [@ SuppressDeletedPropertyHelper<SingleStringPredicate>]
Last Resolved: 6 years ago
tracking-firefox21: ? → ---
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:update]
Duplicate of bug: 829813
(Reporter)

Comment 5

5 years ago
A testcase for this bug was already added in the original bug (bug 829813).
Flags: in-testsuite-