Closed
Bug 851106
Opened 12 years ago
Closed 12 years ago
Rooting Analysis: Crash [@ js::ObjectImpl::setSlot]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
WORKSFORME
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:ignore])
The following testcase crashes on mozilla-central built with --enable-root-analysis, revision 8e68f4d73ec4 (run with ):
gczeal(6);
var methods = [];
for (var i = 0; i > -100; i-- ) {
obj = { m: function () {} };
obj.watch("m", function (id, oldval, newval) {
methods[i] = oldval;
});
obj.m = 0;
}
Comment 1 (Reporter) • 12 years ago
Crash trace:
Program received signal SIGSEGV, Segmentation fault.
js::ObjectImpl::setSlot (this=0xf742f060, slot=60, value=...) at js/src/vm/ObjectImpl-inl.h:208
208 MOZ_ASSERT(IsObjectValueInCompartment(value, compartment()));
(gdb) bt
#0 js::ObjectImpl::setSlot (this=0xf742f060, slot=60, value=...) at js/src/vm/ObjectImpl-inl.h:208
#1 0x081dd8e0 in nativeSetSlot (value=..., slot=<optimized out>, this=<optimized out>) at js/src/jsobjinlines.h:1052
#2 DefinePropertyOrElement (cx=<optimized out>, obj=(JSObject * const) 0xf742f060 [object Array], id=$jsid("-61"), getter=
0x806e1a0 <JS_PropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>)>, setter=
0x806e1b0 <JS_StrictPropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int, JS::MutableHandle<JS::Value>)>, attrs=1, flags=0, shortid=0, value=$jsval(-nan(0xfff87da41d480)), callSetterAfterwards=
true, setterIsStrict=false) at js/src/jsobj.cpp:3226
#3 0x081de7ed in js::baseops::SetPropertyHelper (cx=0x8948a78, obj=..., receiver=(JSObject * const) 0xf742f060 [object Array], id=$jsid("-61"), defineHow=0, vp=$jsval(-nan(0xfff87da41d480)), strict=0)
at js/src/jsobj.cpp:4176
#4 0x08727c51 in setGeneric (strict=0, vp=..., id=..., receiver=..., obj=..., cx=0x8948a78) at ../jsobjinlines.h:89
#5 js::mjit::stubs::SetElem<0> (f=...) at js/src/methodjit/StubCalls.cpp:160
#6 0xf7fc79bc in ?? ()
#7 0x0890aff4 in ?? ()
Comment 2 • 12 years ago
Sorry, I totally missed this when you filed it. I was not able to reproduce on the given revision with:
CC="gcc -m32" CXX="g++ -m32" ./configure --enable-optimize --enable-debug --target=i686-linux-gnu --disable-threadsafe --enable-root-analysis --enable-gczeal --enable-valgrind --enable-more-deterministic --with-system-nspr
gcc (Gentoo 4.6.3 p1.13, pie-0.5.2) 4.6.3
I also tried a 64 bit build without success.
Comment 3 • 12 years ago
Because of the high false positive rate and difficulty of reproducing these bugs, we have switched our efforts to static analysis and zeal 7.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME