Closed Bug 453935 Opened 16 years ago Closed 16 years ago

TM: Crash [@ jitted code] with array, XMLHttpRequest, nodeType

Categories

(Core :: JavaScript Engine, defect, P3)

x86
macOS
defect

Tracking

RESOLVED WORKSFORME
mozilla1.9.1

People

(Reporter: jruderman, Assigned: gal)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

The testcase involves the same function as the one that found bug 453747. I'm using a build from the tracemonkey branch that's new enough to have the patch from that bug.
Priority: -- → P1
Summary: Crash [@ jitted code] with array, XMLHttpRequest, nodeType → TM: Crash [@ jitted code] with array, XMLHttpRequest, nodeType
Target Milestone: --- → mozilla1.9.1b1
Blocking1.9.1+, P2, Assigning to Andreas.
Assignee: general → gal
Flags: blocking1.9.1+
Priority: P1 → P2
The property cache is filled incorrectly here. We should not generate code that walks up the prototype chain since we fall off the end of the world.

*** loading ISO8601DateUtils
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x8000FFFF: file /Users/gal/workspace/tracemonkey-repository/netwerk/base/src/nsIOService.cpp, line 1028
WARNING: NS_ENSURE_SUCCESS(rv, 0) failed with result 0x8000FFFF: file ../../dist/include/necko/nsNetUtil.h, line 1464
++DOMWINDOW == 14 (0x1e7a83ec) [serial = 14] [outer = 0x1d075b00]

Breakpoint 2, TraceRecorder::getProp (this=0x16878580, obj=0x162749c0, obj_ins=0x128d5798) at /Users/gal/workspace/tracemonkey-repository/js/src/jstracer.cpp:5339
5339    if (!prop(obj, obj_ins, slot, v_ins))
(gdb) s
TraceRecorder::prop (this=0x16878580, obj=0x162749c0, obj_ins=0x128d5798, slot=@0xbfffbab8, v_ins=@0xbfffbab4) at /Users/gal/workspace/tracemonkey-repository/js/src/jstracer.cpp:5214
5214    if (obj == globalObj)
(gdb) n
5216    guard(false, lir->ins2(LIR_eq, obj_ins, INS_CONSTPTR(globalObj)), MISMATCH_EXIT);
(gdb)
5224    if (!test_property_cache(obj, obj_ins, obj2, pcval))
(gdb) s
TraceRecorder::test_property_cache (this=0x16878580, obj=0x162749c0, obj_ins=0x128d5798, obj2=@0xbfffba60, pcval=@0xbfffba5c) at /Users/gal/workspace/tracemonkey-repository/js/src/jstracer.cpp:3427
3427    jsbytecode* pc = cx->fp->regs->pc;
(gdb) n
3428    JS_ASSERT(*pc != JSOP_INITPROP && *pc != JSOP_SETNAME && *pc != JSOP_SETPROP);
(gdb)
3433    JSObject* aobj = obj;
(gdb)
3434    if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
(gdb)
3439    LIns* map_ins = lir->insLoad(LIR_ldp, obj_ins, (int)offsetof(JSObject, map));
(gdb)
3451    uint32 format = js_CodeSpec[*pc].format;
(gdb)
3452    uint32 mode = JOF_MODE(format);
(gdb)
3455    JS_ASSERT(OBJ_IS_NATIVE(globalObj));
(gdb)
3456    if (aobj != globalObj) {
(gdb)
3457        size_t op_offset = 0;
(gdb)
3458        if (mode == JOF_PROP || mode == JOF_VARPROP) {
(gdb)
3459            JS_ASSERT(!(format & JOF_SET));
(gdb)
3460            op_offset = offsetof(JSObjectOps, getProperty);
(gdb)
3458        if (mode == JOF_PROP || mode == JOF_VARPROP) {
(gdb)
3465        if (!map_is_native(aobj->map, map_ins, ops_ins, op_offset))
(gdb)
3471    PROPERTY_CACHE_TEST(cx, pc, aobj, obj2, entry, atom);
(gdb)
3472    if (atom) {
(gdb)
3476        jsid id = ATOM_TO_JSID(atom);
(gdb)
3478        if (JOF_OPMODE(*pc) == JOF_NAME) {
(gdb)
3483        int protoIndex = js_LookupPropertyWithFlags(cx, aobj, id, 0, &obj2, &prop);
(gdb) s
js_LookupPropertyWithFlags (cx=0xb92800, obj=0x162749c0, id=307380468, flags=0, objp=0xbfffba60, propp=0xbfffb994) at /Users/gal/workspace/tracemonkey-repository/js/src/jsobj.cpp:3322
3322    CHECK_FOR_STRING_INDEX(id);
(gdb) n
3323    JS_COUNT_OPERATION(cx, JSOW_LOOKUP_PROPERTY);
(gdb)
3326    start = obj;
(gdb)
3327    for (protoIndex = 0; ; protoIndex++) {
(gdb)
3328        JS_LOCK_OBJ(cx, obj);
(gdb)
3329        scope = OBJ_SCOPE(obj);
(gdb)
3330        if (scope->object == obj) {
(gdb)
3334            sprop = NULL;
(gdb)
3338        if (!sprop) {
(gdb)
3339            clasp = LOCKED_OBJ_GET_CLASS(obj);
(gdb)
3340            resolve = clasp->resolve;
(gdb)
3341            if (resolve != JS_ResolveStub) {
(gdb)
3343                key.obj = obj;
(gdb)
3344                key.id = id;
(gdb)
3352                if (!js_StartResolving(cx, &key, JSRESFLAG_LOOKUP, &entry)) {
(gdb)
3356                if (!entry) {
(gdb)
3361                generation = cx->resolvingTable->generation;
(gdb)
3364                *propp = NULL;
(gdb)
3366                if (clasp->flags & JSCLASS_NEW_RESOLVE) {
(gdb) p resolve
$38 = (JSResolveOp) 0x111e5584 <XPC_WN_Helper_NewResolve>
(gdb) n
3367                    newresolve = (JSNewResolveOp)resolve;
(gdb)
3368                    if (!(flags & JSRESOLVE_CLASSNAME) &&
(gdb)
3370                        pc = cx->fp->regs->pc;
(gdb)
3371                        cs = &js_CodeSpec[*pc];
(gdb)
3372                        format = cs->format;
(gdb)
3373                        if (JOF_MODE(format) != JOF_NAME)
(gdb)
3374                            flags |= JSRESOLVE_QUALIFIED;
(gdb)
3375                        if ((format & JOF_ASSIGNING) ||
(gdb)
3379                        pc += cs->length;
(gdb)
3380                        if (Detecting(cx, pc))
(gdb) n
3383                        if (format & JOF_DECLARING)
(gdb)
3388                            : NULL;
(gdb)
3389                    JS_UNLOCK_OBJ(cx, obj);
(gdb)
3392                    JS_KEEP_ATOMS(cx->runtime);
(gdb) p obj2
$39 = (JSObject *) 0x0
(gdb) n
3393                    ok = newresolve(cx, obj, ID_TO_VALUE(id), flags, &obj2);
(gdb)
3394                    JS_UNKEEP_ATOMS(cx->runtime);
(gdb) p obj2
$40 = (JSObject *) 0x0
(gdb) n
3395                    if (!ok)
(gdb)
3398                    JS_LOCK_OBJ(cx, obj);
(gdb)
3399                    if (obj2) {
(gdb)
3457                js_StopResolving(cx, &key, JSRESFLAG_LOOKUP, entry, generation);
(gdb)
3458                if (!ok)
(gdb)
3460                if (*propp)
(gdb)
3465        if (sprop) {
(gdb)
3474        proto = LOCKED_OBJ_GET_PROTO(obj);
(gdb)
3475        JS_UNLOCK_OBJ(cx, obj);
(gdb)
3476        if (!proto)
(gdb)
3478        if (!OBJ_IS_NATIVE(proto)) {
(gdb)
3483        obj = proto;
(gdb)
3327    for (protoIndex = 0; ; protoIndex++) {
(gdb)
3328        JS_LOCK_OBJ(cx, obj);
(gdb)
3329        scope = OBJ_SCOPE(obj);
(gdb)
3330        if (scope->object == obj) {
(gdb)
3331            sprop = SCOPE_GET_PROPERTY(scope, id);
(gdb)
3338        if (!sprop) {
(gdb) p sprop
$41 = (JSScopeProperty *) 0xfd8950
(gdb) p *sprop
$42 = {
  id = 307380468,
  getter = 0,
  setter = 0,
  slot = 5,
  attrs = 1 '\001',
  flags = 0 '\0',
  shortid = 0,
  parent = 0xfd8930,
  kids = 0x0,
  shape = 40906
}
(gdb) p obj.dslots
$43 = (jsval *) 0x168782b4
(gdb) p obj.dslots[-1]
$44 = 8
(gdb) p obj.dslots[0]
$45 = 201
(gdb) p obj.dslots[0]/2
$46 = 100
(gdb) c
Continuing.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x128d4f54 in ?? ()
(gdb) !dis
Undefined command: "".  Try "help".
(gdb) disasm $pc-136, $pc+32
Undefined command: "disasm".  Try "help".
(gdb) disas $pc-136 $pc+32
Dump of assembler code from 0x128d4ecc to 0x128d4f74:
0x128d4ecc:  inc    %eax
0x128d4ecd:  push   %edx
0x128d4ece:  adc    %al,%ch
0x128d4ed0:  xor    $0x38,%al
0x128d4ed2:  movsl  %ds:(%esi),%es:(%edi)
0x128d4ed3:  in     (%dx),%eax
0x128d4ed4:  add    $0xc,%esp
0x128d4ed7:  mov    %eax,%ecx
0x128d4ed9:  mov    -0xc(%ebp),%eax
0x128d4edc:  cmp    $0x2,%ecx
0x128d4edf:  je     0x6fdd40
0x128d4ee5:  cmp    $0x1,%ecx
0x128d4ee8:  sete   %cl
0x128d4eeb:  movzbl %cl,%ecx
0x128d4eee:  mov    %ecx,(%esi)
0x128d4ef0:  cmp    $0x1,%ecx
0x128d4ef3:  jne    0x6fdd80
0x128d4ef9:  cmp    $0x163fa8c0,%eax
0x128d4efe:  je     0x6fddc0
0x128d4f04:  mov    (%eax),%ecx
0x128d4f06:  mov    0x4(%ecx),%edx
0x128d4f09:  mov    0x10(%edx),%edx
0x128d4f0c:  cmp    $0x25cfc4,%edx
0x128d4f12:  jne    0x6fde00
0x128d4f18:  mov    0x20(%ecx),%ecx
0x128d4f1b:  cmp    $0x9fca,%ecx
0x128d4f21:  jne    0x6fde40
0x128d4f27:  mov    $0x16274980,%ecx
0x128d4f2c:  mov    (%ecx),%ecx
0x128d4f2e:  mov    0x4(%ecx),%edx
0x128d4f31:  mov    (%edx),%edx
0x128d4f33:  cmp    $0x25653c,%edx
0x128d4f39:  jne    0x6fde80
0x128d4f3f:  mov    0x20(%ecx),%ecx
0x128d4f42:  cmp    $0x9fca,%ecx
0x128d4f48:  jne    0x6fdec0
0x128d4f4e:  mov    0x8(%eax),%eax
0x128d4f51:  mov    0x1c(%eax),%eax
0x128d4f54:  mov    (%eax),%ecx
0x128d4f56:  mov    %ecx,%eax
0x128d4f58:  and    $0x7,%eax
0x128d4f5b:  cmp    $0x2,%eax
0x128d4f5e:  sete   %dl
0x128d4f61:  movzbl %dl,%edx
0x128d4f64:  mov    %ecx,%eax
0x128d4f66:  and    $0x1,%eax
0x128d4f69:  or     %edx,%eax
0x128d4f6b:  test   %eax,%eax
0x128d4f6d:  je     0x6fdf00
0x128d4f73:  call   0x32604a <_Z14js_UnboxDoublel>
End of assembler dump.
(gdb) p $px
$47 = void
(gdb) p $pc
$48 = (void (*)(void)) 0x128d4f54
(gdb) i reg eax
eax            0x0      0
(gdb) p *(JSObject*)0x16274980
$49 = {
  map = 0x16877c30,
  classword = 287583713,
  fslots = {371673632, 373270720, 377978001, 371669352, 371669408},
  dslots = 0x168782b4
}
(gdb) p *(JSClass*)($.classword&~3)
$50 = {
  name = 0x1123df9c "XPC_WN_ModsAllowed_NoCall_Proto_JSClass",
  flags = 524289,
  addProperty = 0x1be9e4 <JS_PropertyStub>,
  delProperty = 0x1be9e4 <JS_PropertyStub>,
  getProperty = 0x1be9e4 <JS_PropertyStub>,
  setProperty = 0x1be9e4 <JS_PropertyStub>,
  enumerate = 0x111e1fe2 <XPC_WN_Shared_Proto_Enumerate>,
  resolve = 0x111e4caa <XPC_WN_ModsAllowed_Proto_Resolve>,
  convert = 0x111e22d4 <XPC_WN_Shared_Proto_Convert>,
  finalize = 0x111e22e2 <XPC_WN_Shared_Proto_Finalize>,
  getObjectOps = 0x111e234a <XPC_WN_Proto_GetObjectOps(JSContext*, JSClass*)>,
  checkAccess = 0,
  call = 0,
  construct = 0,
  xdrObject = 0,
  hasInstance = 0,
  mark = 0x111e2318 <XPC_WN_Shared_Proto_Trace>,
  reserveSlots = 0
}
(gdb) p $49.dslots[-1]
$51 = 8
(gdb) p $49.dslots[0]
$52 = 201
(gdb) disas $pc-138 $pc+32
Dump of assembler code from 0x128d4eca to 0x128d4f74:
0x128d4eca:  push   $0x125240f0
0x128d4ecf:  call   0x328708 <_Z19js_HasNamedPropertyP9JSContextP8JSObjectP8JSString>
0x128d4ed4:  add    $0xc,%esp
0x128d4ed7:  mov    %eax,%ecx
0x128d4ed9:  mov    -0xc(%ebp),%eax
0x128d4edc:  cmp    $0x2,%ecx
0x128d4edf:  je     0x6fdd40
0x128d4ee5:  cmp    $0x1,%ecx
0x128d4ee8:  sete   %cl
0x128d4eeb:  movzbl %cl,%ecx
0x128d4eee:  mov    %ecx,(%esi)
0x128d4ef0:  cmp    $0x1,%ecx
0x128d4ef3:  jne    0x6fdd80
0x128d4ef9:  cmp    $0x163fa8c0,%eax
0x128d4efe:  je     0x6fddc0
0x128d4f04:  mov    (%eax),%ecx
0x128d4f06:  mov    0x4(%ecx),%edx
0x128d4f09:  mov    0x10(%edx),%edx
0x128d4f0c:  cmp    $0x25cfc4,%edx
0x128d4f12:  jne    0x6fde00
0x128d4f18:  mov    0x20(%ecx),%ecx
0x128d4f1b:  cmp    $0x9fca,%ecx
0x128d4f21:  jne    0x6fde40
0x128d4f27:  mov    $0x16274980,%ecx
0x128d4f2c:  mov    (%ecx),%ecx
0x128d4f2e:  mov    0x4(%ecx),%edx
0x128d4f31:  mov    (%edx),%edx
0x128d4f33:  cmp    $0x25653c,%edx
0x128d4f39:  jne    0x6fde80
0x128d4f3f:  mov    0x20(%ecx),%ecx
0x128d4f42:  cmp    $0x9fca,%ecx
0x128d4f48:  jne    0x6fdec0
0x128d4f4e:  mov    0x8(%eax),%eax
0x128d4f51:  mov    0x1c(%eax),%eax
0x128d4f54:  mov    (%eax),%ecx
0x128d4f56:  mov    %ecx,%eax
0x128d4f58:  and    $0x7,%eax
0x128d4f5b:  cmp    $0x2,%eax
0x128d4f5e:  sete   %dl
0x128d4f61:  movzbl %dl,%edx
0x128d4f64:  mov    %ecx,%eax
0x128d4f66:  and    $0x1,%eax
0x128d4f69:  or     %edx,%eax
0x128d4f6b:  test   %eax,%eax
0x128d4f6d:  je     0x6fdf00
0x128d4f73:  call   0x32604a <_Z14js_UnboxDoublel>
End of assembler dump.
(gdb) x/x $ebp-12
0xbfff9304:     0x16274980
(gdb) p *(JSObject*)0x16274980
$53 = {
  map = 0x16877c30,
  classword = 287583713,
  fslots = {371673632, 373270720, 377978001, 371669352, 371669408},
  dslots = 0x168782b4
}
(gdb) p *(JSClass*)($.classword&~3)
$54 = {
  name = 0x1123df9c "XPC_WN_ModsAllowed_NoCall_Proto_JSClass",
  flags = 524289,
  addProperty = 0x1be9e4 <JS_PropertyStub>,
  delProperty = 0x1be9e4 <JS_PropertyStub>,
  getProperty = 0x1be9e4 <JS_PropertyStub>,
  setProperty = 0x1be9e4 <JS_PropertyStub>,
  enumerate = 0x111e1fe2 <XPC_WN_Shared_Proto_Enumerate>,
  resolve = 0x111e4caa <XPC_WN_ModsAllowed_Proto_Resolve>,
  convert = 0x111e22d4 <XPC_WN_Shared_Proto_Convert>,
  finalize = 0x111e22e2 <XPC_WN_Shared_Proto_Finalize>,
  getObjectOps = 0x111e234a <XPC_WN_Proto_GetObjectOps(JSContext*, JSClass*)>,
  checkAccess = 0,
  call = 0,
  construct = 0,
  xdrObject = 0,
  hasInstance = 0,
  mark = 0x111e2318 <XPC_WN_Shared_Proto_Trace>,
  reserveSlots = 0
}
(gdb) p $53.dslots[0]
$55 = 201
(gdb)
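Added example, not code from this bug or from SpiderMonkey: a small C model of what the faulting instruction sequence in the session above does and what a guarded version of the same load looks like. The disassembly shows the trace loading offset 0x8 from the object held at -0xc(%ebp) (0x16274980, which the session shows already holding dslots[0] == 201), then offset 0x1c from the result, then dereferencing that with eax == 0. On the 32-bit JSObject layout of the time (map, classword, five fslots, dslots; assumed here, not printed on the page) those offsets are fslots[0], the prototype, and dslots, so the trace reads one link further up the chain than the property cache resolved to and goes through a NULL dslots pointer. The struct, slot numbering, exit codes and scenario values below are constructed for this example; the 8 / 201 / 100 values mirror the gdb output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the 32-bit JSObject layout assumed above: map,
 * classword, five fixed slots, then a pointer to dynamically allocated
 * slots.  On a 32-bit build fslots[0] sits at offset 0x8 and dslots at
 * 0x1c, the two offsets the faulting sequence uses.  This is a model for
 * the example, not SpiderMonkey's own definition. */
#define JS_INITIAL_NSLOTS 5
#define JSSLOT_PROTO 0

typedef struct JSObject {
    void *map;
    uintptr_t classword;
    uintptr_t fslots[JS_INITIAL_NSLOTS];
    uintptr_t *dslots;  /* NULL until the object outgrows its fixed slots */
} JSObject;

/* Outcomes of the guarded load: the value was read, or the trace must
 * side-exit because one of its assumptions does not hold (constructed codes). */
enum { LOAD_OK = 0, EXIT_NO_PROTO = 1, EXIT_NO_DSLOTS = 2 };

/* Slots 0..4 live in fslots; slot 5 and up live in dslots[slot - 5],
 * which is why the sprop with slot = 5 in the session maps to dslots[0]. */
uintptr_t *slot_addr(JSObject *obj, unsigned slot)
{
    if (slot < JS_INITIAL_NSLOTS)
        return &obj->fslots[slot];
    return &obj->dslots[slot - JS_INITIAL_NSLOTS];
}

/* The shape of the faulting sequence:
 *   mov 0x8(%eax),%eax    ; proto  = obj->fslots[0]
 *   mov 0x1c(%eax),%eax   ; dslots = proto->dslots
 *   mov (%eax),%ecx       ; value  = dslots[0]   <- faults when dslots == NULL
 * Nothing checks that proto or proto->dslots exists.  main() does not call
 * this; it is here to show the unguarded walk, and with a NULL dslots it
 * would fault exactly as the session does. */
uintptr_t unguarded_proto_load(JSObject *obj, unsigned slot)
{
    JSObject *proto = (JSObject *)obj->fslots[JSSLOT_PROTO];
    return *slot_addr(proto, slot);
}

/* Guarded version: each assumption the trace relies on becomes an explicit
 * check that bails back to the interpreter instead of dereferencing NULL. */
int guarded_proto_load(JSObject *obj, unsigned slot, uintptr_t *out)
{
    JSObject *proto = (JSObject *)obj->fslots[JSSLOT_PROTO];
    if (proto == NULL)
        return EXIT_NO_PROTO;                  /* fell off the end of the chain */
    if (slot >= JS_INITIAL_NSLOTS && proto->dslots == NULL)
        return EXIT_NO_DSLOTS;                 /* slot not allocated on proto */
    *out = *slot_addr(proto, slot);
    return LOAD_OK;
}

/* Tagged-int unboxing the way the session does it by hand (201 / 2 == 100). */
uintptr_t unbox_int(uintptr_t v) { return v >> 1; }

/* Scenario 1: the proto has dslots and slot 5 holds the tagged int 201,
 * mirroring the values printed in the session.  Returns the unboxed value. */
long scenario_property_on_proto(void)
{
    uintptr_t storage[2] = { 8, 201 };  /* storage[0] models dslots[-1], the capacity */
    JSObject proto = { 0 }, obj = { 0 };
    uintptr_t v = 0;
    proto.dslots = storage + 1;
    obj.fslots[JSSLOT_PROTO] = (uintptr_t)&proto;
    if (guarded_proto_load(&obj, 5, &v) != LOAD_OK)
        return -1;
    return (long)unbox_int(v);
}

/* Scenario 2: the proto exists but never grew dslots; the unguarded walk
 * would read address 0 here.  Returns the guard's exit code. */
int scenario_proto_without_dslots(void)
{
    JSObject proto = { 0 }, obj = { 0 };
    uintptr_t v = 0;
    obj.fslots[JSSLOT_PROTO] = (uintptr_t)&proto;
    return guarded_proto_load(&obj, 5, &v);
}

/* Scenario 3: the object has no prototype at all. */
int scenario_no_proto(void)
{
    JSObject obj = { 0 };
    uintptr_t v = 0;
    return guarded_proto_load(&obj, 5, &v);
}

int main(void)
{
    printf("property on proto: %ld\n", scenario_property_on_proto());
    printf("proto without dslots: exit %d\n", scenario_proto_without_dslots());
    printf("no proto: exit %d\n", scenario_no_proto());
    return 0;
}
```

The point of the guarded form is the one the comment makes: a trace may only emit a prototype walk whose every link it has checked, and a link it cannot prove (a missing proto, or a slot beyond the fixed slots on an object with no dslots) has to become a side exit rather than a raw load.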
Downgrading. Weird fuzzer bug, unlikely to appear in content. Suggest not blocking beta1.
Flags: blocking1.9.1+
Priority: P2 → P3
Target Milestone: mozilla1.9.1b1 → mozilla1.9.1
Doesn't crash Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20081006 Minefield/3.1b1pre 20081006034237.
Did anything change?
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Flags: in-testsuite+
Crash Signature: [@ jitted code]