Closed
Bug 830049
Opened 11 years ago
Closed 11 years ago
Crash [@ js::Shape::hasSlot]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla21
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
1007 bytes,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 1761f4a9081c (run with --ion-eager): p = Proxy.create({ has: function() function r() s += '' }) Object.prototype.__proto__ = p function TestCase(n) { this.name = n } new TestCase()
Reporter | ||
Comment 1•11 years ago
|
||
Debug trace: ==26136== Invalid read of size 1 ==26136== at 0x407582: js::Shape::hasSlot() const (jsscope.h:702) ==26136== by 0x90AE5F: IsPropertySetterCallInlineable(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, jsid, JS::Handle<js::Shape*>) (IonCaches.cpp:1431) ==26136== by 0x90B658: js::ion::SetPropertyCache(JSContext*, unsigned long, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool) (IonCaches.cpp:1526) ==26136== by 0x4027A1F: ??? ==26136== by 0x8B20E8: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1609) ==26136== by 0x8B23FA: js::ion::Cannon(JSContext*, js::StackFrame*) (Ion.cpp:1647) ==26136== by 0x542E76: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2400) ==26136== by 0x53A19A: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:330) ==26136== by 0x53B288: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:537) ==26136== by 0x53B50F: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:577) ==26136== by 0x4585CA: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5608) ==26136== by 0x40AA35: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:580) ==26136== Address 0x15 is not stack'd, malloc'd or (recently) free'd
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 2•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 118493:f4671ccc4502 user: Brian Hackett date: Thu Jan 10 17:53:11 2013 -0700 summary: Bug 827490 - Allow native objects to have both slots and dense elements, rm dense/slow array distinction, r=billm, dvander. This iteration took 0.946 seconds to run.
Updated•11 years ago
|
Crash Signature: [@ js::Shape::hasSlot] → [@ js::Shape::hasSlot()]
Assignee | ||
Comment 4•11 years ago
|
||
Fix. While this testcase is for a proxy rather than an element access, the mechanism for indicating properties that were not found on lookup has changed so trying to use the shape for a proxy/non-native lookup will crash near NULL.
Attachment #701575 -
Flags: review?(dvander)
Updated•11 years ago
|
Attachment #701575 -
Flags: review?(dvander) → review+
Updated•11 years ago
|
Keywords: checkin-needed
Assignee | ||
Comment 5•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/7c102b657a17
Updated•11 years ago
|
Keywords: checkin-needed
Updated•11 years ago
|
Assignee: general → bhackett1024
Status: NEW → ASSIGNED
Comment 6•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/7c102b657a17
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Reporter | ||
Comment 7•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•