Closed Bug 583688 Opened 14 years ago Closed 14 years ago

JM: Crash [@ JSObject::isNative] or [@ js::mjit::ic::Name]

Component: Core :: JavaScript Engine
Type: defect
Severity: critical
Status: RESOLVED FIXED
Reporter: gkw
Assignee: Unassigned
Keywords: crash, regression, testcase

__defineSetter__("x", function () {})
try {
    __defineGetter__("d", (Function("x")))
} catch (e) {}
d
print(delete x)
throw d

crashes the js debug shell on JM changeset 2ee92d697741 with -m at JSObject::isNative, and crashes the js opt shell with -m at js::mjit::ic::Name

Program received signal SIGSEGV, Segmentation fault.
0x0805593f in JSObject::isNative (this=0x0) at ../../jsobj.h:287
287	        return map->isNative();
(gdb) bt
#0  0x0805593f in JSObject::isNative (this=0x0) at ../../jsobj.h:287
#1  0x08253270 in ScopeNameCompiler::update (this=0xffffcb54) at ../methodjit/PolyIC.cpp:1470
#2  0x0824b012 in js::mjit::ic::Name (f=..., index=0) at ../methodjit/PolyIC.cpp:1936
#3  0xf76a86ca in ?? ()
#4  0x08212004 in js::mjit::JaegerShot (cx=0x833ecf0) at ../methodjit/MethodJIT.cpp:696
#5  0x080d803c in js::RunScript (cx=0x833ecf0, script=0x8343a00, fun=0xf7506558, scopeChain=0xf7502000) at ../jsinterp.cpp:461
#6  0x080daf06 in InvokeCommon<JSBool (*)(JSContext*, JSObject*, uintN, js::Value*, js::Value*)> (cx=0x833ecf0, fun=0xf7506558, script=0x8343a00, native=0, args=..., flags=0) at ../jsinterp.cpp:631
#7  0x080d8644 in js::Invoke (cx=0x833ecf0, args=..., flags=0) at ../jsinterp.cpp:756
#8  0x080d884c in js::InternalInvoke (cx=0x833ecf0, thisv=..., fval=..., flags=0, argc=0, argv=0x0, rval=0xffffcf48) at ../jsinterp.cpp:796
#9  0x080d6e7a in InternalCall (cx=0x833ecf0, obj=0xf7502000, fval=..., argc=0, argv=0x0, rval=0xffffcf48) at ../jsinterp.h:371
#10 0x080d890c in js::InternalGetOrSet (cx=0x833ecf0, obj=0xf7502000, id=..., fval=..., mode=JSACC_READ, argc=0, argv=0x0, rval=0xffffcf48) at ../jsinterp.cpp:824
#11 0x080fd24e in JSScopeProperty::get (this=0x8340f38, cx=0x833ecf0, obj=0xf7502000, pobj=0xf7502000, vp=0xffffcf48) at ../jsscopeinlines.h:306
#12 0x080f6d63 in js_NativeGet (cx=0x833ecf0, obj=0xf7502000, pobj=0xf7502000, sprop=0x8340f38, getHow=0, vp=0xffffcf48) at ../jsobj.cpp:4661
#13 0x082870eb in NameOp (f=..., obj=0xf7502000, callname=false) at ../methodjit/StubCalls.cpp:389
#14 0x0828729a in js::mjit::stubs::GetGlobalName (f=...) at ../methodjit/StubCalls.cpp:425
#15 0x082491cc in js::mjit::ic::GetGlobalName (f=..., index=0) at ../methodjit/MonoIC.cpp:83
#16 0xf76a8772 in ?? ()
#17 0x08212004 in js::mjit::JaegerShot (cx=0x833ecf0) at ../methodjit/MethodJIT.cpp:696
#18 0x080d803c in js::RunScript (cx=0x833ecf0, script=0x8342ee0, fun=0x0, scopeChain=0xf7502000) at ../jsinterp.cpp:461
#19 0x080d8e35 in js::Execute (cx=0x833ecf0, chain=0xf7502000, script=0x8342ee0, down=0x0, flags=0, result=0xffffd200) at ../jsinterp.cpp:949
#20 0x0806f778 in JS_ExecuteScript (cx=0x833ecf0, obj=0xf7502000, script=0x8342ee0, rval=0xffffd200) at ../jsapi.cpp:4736
#21 0x0804c167 in Process (cx=0x833ecf0, obj=0xf7502000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:533
#22 0x0804ccf9 in ProcessArgs (cx=0x833ecf0, obj=0xf7502000, argv=0xffffd408, argc=1) at ../../shell/js.cpp:860
#23 0x08055314 in shell (cx=0x833ecf0, argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:4981
#24 0x08055430 in main (argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5077
(gdb) x/i $eip
=> 0x805593f <_ZNK8JSObject8isNativeEv+9>:	mov    (%eax),%eax
(gdb) x/b $eax
0x0:	Cannot access memory at address 0x0

Only crashes on 32-bit with ICs enabled.

Bisection results:

Changeset 43819:18b8df733e33: bad
The first bad revision is:
changeset:   43819:18b8df733e33
user:        David Anderson <danderson@mozilla.com>
date:        Sun Jul 04 13:18:55 2010 -0700
summary:     [JAEGER] PIC for not-escaped call objects (bug 576733).

Crash Signature: [@ JSObject::isNative] [@ js::mjit::ic::Name]

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug583688.js.

Flags: in-testsuite+