The following testcase crashes on mozilla-central revision 940118b1adcd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2): var p = Proxy.create({ get : function(id) { return 10; } }); Object.prototype.__proto__ = p; var obj = {}; findReferences(obj); Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00000000004180e4 in JS::Value::toObject (this=<optimized out>) at ../../../dist/include/js/Value.h:1240 1240 MOZ_ASSERT(isObject()); #0 0x00000000004180e4 in JS::Value::toObject (this=<optimized out>) at ../../../dist/include/js/Value.h:1240 #1 0x0000000000419a9b in JSVAL_IS_OBJECT_IMPL (l=...) at ../../../dist/include/js/Value.h:804 #2 isObject (this=<optimized out>) at ../../../dist/include/js/Value.h:1145 #3 JS::Value::toObject (this=<optimized out>) at ../../../dist/include/js/Value.h:1240 #4 0x00000000004161ab in toObject (this=0x7fffffffc1a0) at ../../../dist/include/js/Value.h:1707 #5 ReferenceFinder::addReferrer (this=this@entry=0x7fffffffc3c0, referrerArg=..., path=path@entry=0x7fffffffc2d0) at js/src/shell/jsheaptools.cpp:522 #6 0x00000000004165f5 in ReferenceFinder::visit (this=this@entry=0x7fffffffc3c0, cell=0x0, path=path@entry=0x7fffffffc2d0) at js/src/shell/jsheaptools.cpp:428 #7 0x000000000041655c in ReferenceFinder::visit (this=this@entry=0x7fffffffc3c0, cell=0x7ffff5670cc0, path=path@entry=0x0) at js/src/shell/jsheaptools.cpp:454 #8 0x0000000000416665 in ReferenceFinder::findReferences (this=this@entry=0x7fffffffc3c0, target=target@entry=(JSObject * const) 0x7ffff5670cc0 [object Object]) at js/src/shell/jsheaptools.cpp:537 #9 0x00000000004168df in FindReferences (cx=cx@entry=0x1a1cb70, argc=<optimized out>, vp=0x1a90840) at js/src/shell/jsheaptools.cpp:569 #10 0x0000000000619b99 in js::CallJSNative (cx=0x1a1cb70, native=0x416690 <FindReferences(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:226 #11 0x00000000005fa670 in js::Invoke (cx=0x1a1cb70, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498 #12 0x00000000005f5c7c in Interpret (cx=0x1a1cb70, state=...) at js/src/vm/Interpreter.cpp:2558 #13 0x00000000005f9ce8 in js::RunScript (cx=cx@entry=0x1a1cb70, state=...) at js/src/vm/Interpreter.cpp:448 #14 0x00000000005f9e99 in js::ExecuteKernel (cx=cx@entry=0x1a1cb70, script=script@entry=0x7ffff565e160, scopeChainArg=(JSObject &) @0x7ffff565a060 [object global] delegate, thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:657 #15 0x00000000005fa3e6 in js::Execute (cx=0x1a1cb70, script=0x7ffff565e160, scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:694 #16 0x00000000009f540b in ExecuteScript (cx=0x1a1cb70, obj=(JSObject * const) 0x7ffff565a060 [object global] delegate, scriptArg=0x7ffff565e160, rval=0x0) at js/src/jsapi.cpp:4224 #17 0x000000000041977d in RunFile (compileOnly=false, file=0x1afbd80, filename=0x7fffffffe0ca "min.js", obj=..., cx=0x1a1cb70) at js/src/shell/js.cpp:453 #18 Process (cx=cx@entry=0x1a1cb70, obj_=<optimized out>, filename=0x7fffffffe0ca "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:586 #19 0x0000000000425293 in ProcessArgs (op=0x7fffffffdb70, obj_=<optimized out>, cx=0x1a1cb70) at js/src/shell/js.cpp:5514 #20 Shell (op=0x7fffffffdb70, cx=0x1a1cb70, envp=<optimized out>) at js/src/shell/js.cpp:5755 #21 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6102 rax 0x0 0 rbx 0x7fffffffc180 140737488339328 rcx 0x7ffff6cb2f4d 140737333899085 rdx 0x0 0 rsi 0x7ffff6f86a80 140737336863360 rdi 0x7ffff6f85180 140737336856960 rbp 0x7fffffffc120 140737488339232 rsp 0x7fffffffc120 140737488339232 r8 0x7ffff7fe8740 140737354041152 r9 0x736a2f6564756c63 8316511774416661603 r10 0x7fffffffbeb0 140737488338608 r11 0x7ffff6c3a940 140737333406016 r12 0x1c44150 29638992 r13 0x7fffffffc3c0 140737488339904 r14 0x7fffffffc1c0 140737488339392 r15 0xfff9000000000000 -1970324836974592 rip 0x4180e4 <JS::Value::toObject() const+28> => 0x4180e4 <JS::Value::toObject() const+28>: movl $0x4d8,0x0 0x4180ef <JS::Value::toObject() const+39>: callq 0x404ac0 <abort@plt>

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/615f118f2787 user: Jason Orendorff date: Tue Dec 16 18:06:43 2014 -0600 summary: Bug 914314, part 3 - Reimplement GetPropertyInline to match ES6 9.1.8. r=efaust. This iteration took 366.687 seconds to run.

(see comment 1)

Probably the same underlying issue but a different assertion: var p = Proxy.create({ get: function(id) function w(value) uint8("0x1ff") }); Object.prototype.__proto__ = p; var k = {}; findReferences(k); Assertion failure: JS_IsArrayObject(context, array), at shell/jsheaptools.cpp:523

This appears to be a bug in how HeapReverser handles some new edges in ES6. Jim, is it finally time to remove jsheaptools?

Out it goes.

Comment on attachment 8576911 [details] [diff] [review] Remove findReferences and the tests that use it. Review of attachment 8576911 [details] [diff] [review]: ----------------------------------------------------------------- \o/ Do you have a bug open against debugger to provide a similar interface against ubi::Node?

(In reply to Terrence Cole [:terrence] from comment #6) > Do you have a bug open against debugger to provide a similar interface > against ubi::Node? Not yet. We don't have a specific tool we want to build around it yet.