Closed Bug 830049 Opened 11 years ago Closed 11 years ago

Crash [@ js::Shape::hasSlot]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla21

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 1761f4a9081c (run with --ion-eager):


p = Proxy.create({
  has: function() function r() s += ''
})
Object.prototype.__proto__ = p
function TestCase(n) {
    this.name = n
}
new TestCase()
Debug trace:

==26136== Invalid read of size 1
==26136==    at 0x407582: js::Shape::hasSlot() const (jsscope.h:702)
==26136==    by 0x90AE5F: IsPropertySetterCallInlineable(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, jsid, JS::Handle<js::Shape*>) (IonCaches.cpp:1431)
==26136==    by 0x90B658: js::ion::SetPropertyCache(JSContext*, unsigned long, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool) (IonCaches.cpp:1526)
==26136==    by 0x4027A1F: ???
==26136==    by 0x8B20E8: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1609)
==26136==    by 0x8B23FA: js::ion::Cannon(JSContext*, js::StackFrame*) (Ion.cpp:1647)
==26136==    by 0x542E76: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2400)
==26136==    by 0x53A19A: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:330)
==26136==    by 0x53B288: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:537)
==26136==    by 0x53B50F: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:577)
==26136==    by 0x4585CA: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5608)
==26136==    by 0x40AA35: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:580)
==26136==  Address 0x15 is not stack'd, malloc'd or (recently) free'd
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   118493:f4671ccc4502
user:        Brian Hackett
date:        Thu Jan 10 17:53:11 2013 -0700
summary:     Bug 827490 - Allow native objects to have both slots and dense elements, rm dense/slow array distinction, r=billm, dvander.

This iteration took 0.946 seconds to run.
jsfunfuzz hits this too.
Blocks: 827490
Keywords: regression
Crash Signature: [@ js::Shape::hasSlot] → [@ js::Shape::hasSlot()]
Attached patch patchSplinter Review
Fix.  While this testcase is for a proxy rather than an element access, the mechanism for indicating properties that were not found on lookup has changed so trying to use the shape for a proxy/non-native lookup will crash near NULL.
Attachment #701575 - Flags: review?(dvander)
Attachment #701575 - Flags: review?(dvander) → review+
Assignee: general → bhackett1024
Status: NEW → ASSIGNED
https://hg.mozilla.org/mozilla-central/rev/7c102b657a17
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: