Bug 830049 (Closed) - Crash [@ js::Shape::hasSlot]
Opened 13 years ago, closed 13 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla21
People: Reporter: decoder, Assigned: bhackett1024
Keywords: crash, regression, testcase
Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 1007 bytes, dvander: review+
The following testcase crashes on mozilla-central revision 1761f4a9081c (run with --ion-eager):
p = Proxy.create({
has: function() function r() s += ''
})
Object.prototype.__proto__ = p
function TestCase(n) {
this.name = n
}
new TestCase()
Comment 1 (Reporter) • 13 years ago
Debug trace:
==26136== Invalid read of size 1
==26136== at 0x407582: js::Shape::hasSlot() const (jsscope.h:702)
==26136== by 0x90AE5F: IsPropertySetterCallInlineable(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, jsid, JS::Handle<js::Shape*>) (IonCaches.cpp:1431)
==26136== by 0x90B658: js::ion::SetPropertyCache(JSContext*, unsigned long, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool) (IonCaches.cpp:1526)
==26136== by 0x4027A1F: ???
==26136== by 0x8B20E8: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1609)
==26136== by 0x8B23FA: js::ion::Cannon(JSContext*, js::StackFrame*) (Ion.cpp:1647)
==26136== by 0x542E76: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2400)
==26136== by 0x53A19A: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:330)
==26136== by 0x53B288: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:537)
==26136== by 0x53B50F: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:577)
==26136== by 0x4585CA: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5608)
==26136== by 0x40AA35: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:580)
==26136== Address 0x15 is not stack'd, malloc'd or (recently) free'd
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Updated (Reporter) • 13 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2 (Reporter) • 13 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 118493:f4671ccc4502
user: Brian Hackett
date: Thu Jan 10 17:53:11 2013 -0700
summary: Bug 827490 - Allow native objects to have both slots and dense elements, rm dense/slow array distinction, r=billm, dvander.
This iteration took 0.946 seconds to run.
Updated • 13 years ago
Crash Signature: [@ js::Shape::hasSlot] → [@ js::Shape::hasSlot()]
Comment 4 (Assignee) • 13 years ago
Fix. While this testcase is for a proxy rather than an element access, the mechanism for indicating properties that were not found on lookup has changed so trying to use the shape for a proxy/non-native lookup will crash near NULL.
Attachment #701575 - Flags: review?(dvander)
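The Valgrind trace in comment 1 and the "crash near NULL" explanation in comment 4 fit together: the faulting address 0x15 is a small offset from 0, which is what reading a field through a NULL js::Shape* looks like. The helper below is an added example for triaging such traces; it is not part of this bug, of SpiderMonkey, or of jsbugmon. The sample input is a constructed excerpt of the trace above, and the 0x1000 unmapped-first-page assumption and the classification buckets are mine.

```python
import re

# Constructed sample input: a shortened excerpt of the Valgrind trace from
# comment 1 (frame lines copied from that trace).
VALGRIND_TRACE = """\
==26136== Invalid read of size 1
==26136==    at 0x407582: js::Shape::hasSlot() const (jsscope.h:702)
==26136==    by 0x90AE5F: IsPropertySetterCallInlineable(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, jsid, JS::Handle<js::Shape*>) (IonCaches.cpp:1431)
==26136==    by 0x90B658: js::ion::SetPropertyCache(JSContext*, unsigned long, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool) (IonCaches.cpp:1526)
==26136==    by 0x4027A1F: ???
==26136==  Address 0x15 is not stack'd, malloc'd or (recently) free'd
"""

ERROR_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.*?)(?: \((\S+):(\d+)\))?$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (.*)$")

NULL_PAGE = 0x1000  # assumption: the first page is unmapped on the target platform


def classify(address, description):
    """Rough triage bucket from the fault address and Valgrind's own description."""
    if "free'd" in description and "block" in description:
        return "use-after-free"   # "N bytes inside a block of size M free'd"
    if address < NULL_PAGE:
        return "null-deref"       # field access through a NULL pointer, offset = address
    return "unknown"


def parse_valgrind_error(text):
    """Parse the first 'Invalid read/write' block of a Valgrind log into a record."""
    record = {"access": None, "size": None, "frames": [],
              "address": None, "classification": None}
    for line in text.splitlines():
        line = line.rstrip()
        if (m := ERROR_RE.match(line)):
            record["access"], record["size"] = m.group(1), int(m.group(2))
        elif (m := FRAME_RE.match(line)) and record["access"]:
            func, path, lineno = m.groups()   # path/lineno are None for "???" frames
            record["frames"].append((func, path, int(lineno) if lineno else None))
        elif (m := ADDR_RE.match(line)) and record["access"]:
            record["address"] = int(m.group(1), 16)
            record["classification"] = classify(record["address"], m.group(2))
            break  # the first error block is enough for triage
    return record


if __name__ == "__main__":
    rec = parse_valgrind_error(VALGRIND_TRACE)
    print(rec["classification"], hex(rec["address"]), rec["frames"][0])
```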
Updated • 13 years ago
Attachment #701575 - Flags: review?(dvander) → review+
Updated • 13 years ago
Keywords: checkin-needed
Comment 5 (Assignee) • 13 years ago
Updated • 13 years ago
Keywords: checkin-needed
Updated • 13 years ago
Assignee: general → bhackett1024
Status: NEW → ASSIGNED
Comment 6 • 13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Comment 7 (Reporter) • 13 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+