for (b = 0; b < 1; ++b) { var d = b } (function () { x = Proxy.create(function () { return { getPropertyDescriptor: function () { +"" } } }(), 5) }()) for (a = 0; a < 3; ++a) { if (a == 1) { d in x } } crashes js opt shell with -j on TM tip at JSObject::dropProperty and asserts js debug shell with -j on TM tip at Assertion failure: status == ARECORD_ERROR, at ../jsops.cpp:7 s-s because this seems like a scary address (prior to reduction the edx instruction was at a weird 0x128 location). Assuming [sg:critical?] unless otherwise noted. Program received signal SIGSEGV, Segmentation fault. 0x080bfef7 in JSObject::dropProperty(JSContext*, JSProperty*) () (gdb) bt #0 0x080bfef7 in JSObject::dropProperty(JSContext*, JSProperty*) () #1 0x08216644 in ?? () Backtrace stopped: previous frame inner to this frame (corrupt stack?) (gdb) x/i $eip => 0x80bfef7 <_ZN8JSObject12dropPropertyEP9JSContextP10JSProperty+7>: mov (%edx),%eax (gdb) x/b $edx 0x1: Cannot access memory at address 0x1

(Also assuming related to harmony:proxies, setting dependency)

#0 0x00000000014021c0 in ?? () Cannot access memory at address 0x14021c0 #1 0x00000001001a3007 in js::TraceRecorder::record_JSOP_IN (this=0x100415410) at ../jstracer.cpp:14019 #2 0x00000001001a73e7 in js::TraceRecorder::monitorRecording (this=0x100415410, op=JSOP_IN) at jsopcode.tbl:281 #3 0x000000010008557d in js_Interpret (cx=0x10083c800) at jsops.cpp:78 #4 0x00000001000ae19a in js_Execute (cx=0x10083c800, chain=0x101402000, script=0x100414f90, down=0x0, flags=0, result=0x0) at jsinterp.cpp:837 #5 0x00000001000123af in JS_ExecuteScript (cx=0x10083c800, obj=0x101402000, script=0x100414f90, rval=0x0) at ../jsapi.cpp:4831 #6 0x000000010000a168 in Process (cx=0x10083c800, obj=0x101402000, filename=0x7fff5fbffa90 "x2.js", forceTTY=0) at ../../shell/js.cpp:422 #7 0x000000010000adad in ProcessArgs (cx=0x10083c800, obj=0x101402000, argv=0x7fff5fbff938, argc=2) at ../../shell/js.cpp:836 #8 0x000000010000af28 in main (argc=2, argv=0x7fff5fbff938, envp=0x7fff5fbff950) at ../../shell/js.cpp:5082

not proxy related, just proxy triggered, probably needs branch fixing too, patch soon

Comment on attachment 448619 [details] [diff] [review] patch Ew, lame; thanks for finding and fixing that.

for (let n = 0; n < 7; ++n) { x = Proxy.create(function() { return { getPropertyDescriptor: function() { + "" } } } (), /x/) } for (z = 0; z < 5; ++z) { var a = z } for (var m = 0; m < 9; ++m) { if (m % 5 == 0) {} else { print(let(y = a in x) 7) } } is a 64-bit crash testcase (both in debug and opt shells) that got fixed by this patch, and it also crashes at js::TraceRecorder::record_JSOP_IN

a non-proxy testcase that could be used to verify the branches would be great. The patch itself needs only minor merging for the branches (Macro/#define name changes).

The bug doesn't exist in 1.9.1 (I tried the test case on 1.9.1, no crash). Landed on 1.9.2. http://hg.mozilla.org/releases/mozilla-1.9.2/rev/98467bef1347

(In reply to comment #0) > for (b = 0; b < 1; ++b) { > var d = b > } > (function () { > x = Proxy.create(function () { > return { > getPropertyDescriptor: function () { > +"" > } > } > }(), 5) > }()) > for (a = 0; a < 3; ++a) { > if (a == 1) { > d in x > } > } When I run this in my own 1.9.2 debug build (pre-fix) or 1.9.2.13, I get "ReferenceError on line 5: Proxy is not defined". I'm not a JS shell expert but I expect I'm doing something wrong here.

1.9.2 doesn't have proxies. You would need some other non-native object to make this happen (i.e. liveconnect).

Marking this at NTD (nothing to do) for QA for branch since there are no steps to reproduce or testcases.

Tracer has been long gone on trunk, marking verified.

Bug in removed tracer code, setting in-testsuite- flag.