Bug 851106 - Rooting Analysis: Crash [@ js::ObjectImpl::setSlot]
Status: RESOLVED WORKSFORME (closed)
Opened 11 years ago; closed 11 years ago
Component: Core :: JavaScript Engine (defect)
Reporter: decoder; Unassigned
Keywords: crash, testcase; Whiteboard: [jsbugmon:ignore]
The following testcase crashes on mozilla-central built with --enable-root-analysis, revision 8e68f4d73ec4 (run with ):

    gczeal(6);
    var methods = [];
    for (var i = 0; i > -100; i--) {
        obj = { m: function () {} };
        obj.watch("m", function (id, oldval, newval) { methods[i] = oldval; });
        obj.m = 0;
    }
Comment 1•11 years ago
Crash trace:

    Program received signal SIGSEGV, Segmentation fault.
    js::ObjectImpl::setSlot (this=0xf742f060, slot=60, value=...) at js/src/vm/ObjectImpl-inl.h:208
    208         MOZ_ASSERT(IsObjectValueInCompartment(value, compartment()));
    (gdb) bt
    #0  js::ObjectImpl::setSlot (this=0xf742f060, slot=60, value=...) at js/src/vm/ObjectImpl-inl.h:208
    #1  0x081dd8e0 in nativeSetSlot (value=..., slot=<optimized out>, this=<optimized out>) at js/src/jsobjinlines.h:1052
    #2  DefinePropertyOrElement (cx=<optimized out>, obj=(JSObject * const) 0xf742f060 [object Array], id=$jsid("-61"), getter= 0x806e1a0 <JS_PropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>)>, setter= 0x806e1b0 <JS_StrictPropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int, JS::MutableHandle<JS::Value>)>, attrs=1, flags=0, shortid=0, value=$jsval(-nan(0xfff87da41d480)), callSetterAfterwards= true, setterIsStrict=false) at js/src/jsobj.cpp:3226
    #3  0x081de7ed in js::baseops::SetPropertyHelper (cx=0x8948a78, obj=..., receiver=(JSObject * const) 0xf742f060 [object Array], id=$jsid("-61"), defineHow=0, vp=$jsval(-nan(0xfff87da41d480)), strict=0) at js/src/jsobj.cpp:4176
    #4  0x08727c51 in setGeneric (strict=0, vp=..., id=..., receiver=..., obj=..., cx=0x8948a78) at ../jsobjinlines.h:89
    #5  js::mjit::stubs::SetElem<0> (f=...) at js/src/methodjit/StubCalls.cpp:160
    #6  0xf7fc79bc in ?? ()
    #7  0x0890aff4 in ?? ()
Comment 2•11 years ago
Sorry, I totally missed this when you filed it. I was not able to reproduce on the given revision with:

    CC="gcc -m32" CXX="g++ -m32" ./configure --enable-optimize --enable-debug --target=i686-linux-gnu --disable-threadsafe --enable-root-analysis --enable-gczeal --enable-valgrind --enable-more-deterministic --with-system-nspr

    gcc (Gentoo 4.6.3 p1.13, pie-0.5.2) 4.6.3

I also tried a 64 bit build without success.
Comment 3•11 years ago
Because of the high false positive rate and difficulty of reproducing these bugs, we have switched our efforts to static analysis and zeal 7.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME