[Webkit-unassigned] [Bug 154854] New: SIGSEGV in Proxy [[Get]] recursion
bugzilla-daemon at webkit.org
Tue Mar 1 04:06:23 PST 2016
https://bugs.webkit.org/show_bug.cgi?id=154854
Bug ID: 154854
Summary: SIGSEGV in Proxy [[Get]] recursion
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: andre.bargull at gmail.com
Revision: r197396
Test case:
---
var o = {};
var p = new Proxy(o, {});        // empty handler: no 'get' trap, so [[Get]] falls through to the target
Object.setPrototypeOf(o, p);     // the target's prototype is the proxy itself: o -> p -> o -> ...
p.x                              // [[Get]] recurses p -> o -> p -> ... with no bound and overruns the stack
---
Output:
---
Program received signal SIGSEGV, Segmentation fault.
0x0000000000447b23 in std::_Tuple_impl<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> >::_M_head (
__t=<error reading variable: Cannot access memory at address 0x7fffff7feff8>) at /usr/include/c++/5/tuple:193
193 _M_head(const _Tuple_impl& __t) noexcept { return _Base::_M_head(__t); }
(gdb) bt
#0 0x0000000000447b23 in std::_Tuple_impl<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> >::_M_head (
__t=<error reading variable: Cannot access memory at address 0x7fffff7feff8>) at /usr/include/c++/5/tuple:193
#1 0x0000000000447b4d in std::__get_helper<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> > (__t=...) at /usr/include/c++/5/tuple:827
#2 0x0000000000447b67 in std::get<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> > (__t=std::tuple containing = {...})
at /usr/include/c++/5/tuple:839
#3 0x0000000000447b82 in std::unique_ptr<JSC::StructureIDTable::StructureOrOffset [], std::default_delete<JSC::StructureIDTable::StructureOrOffset []> >::get (this=0x7ffff0e010c0)
at /usr/include/c++/5/bits/unique_ptr.h:542
#4 0x000000000043aad2 in JSC::StructureIDTable::table (this=0x7ffff0e010a8) at ../../Source/JavaScriptCore/runtime/StructureIDTable.h:65
#5 0x000000000043ab23 in JSC::StructureIDTable::get (this=0x7ffff0e010a8, structureID=1) at ../../Source/JavaScriptCore/runtime/StructureIDTable.h:86
#6 0x000000000044451d in JSC::JSCell::structure (this=0x7ffff0e58880) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:102
#7 0x0000000000440a1d in JSC::Structure::materializePropertyMapIfNecessary (this=0x7ffff0e58880, vm=..., table=@0x7fffff7ff160: 0x7fffff7ff180) at ../../Source/JavaScriptCore/runtime/Structure.h:633
#8 0x0000000000445d0e in JSC::Structure::get (this=0x7ffff0e58880, vm=..., propertyName=..., attributes=@0x7fffff7ff218: 4434642, hasInferredType=@0x7fffff7ff1c7: false)
at ../../Source/JavaScriptCore/runtime/StructureInlines.h:98
#9 0x0000000000445c4a in JSC::Structure::get (this=0x7ffff0e58880, vm=..., propertyName=..., attributes=@0x7fffff7ff218: 4434642) at ../../Source/JavaScriptCore/runtime/StructureInlines.h:89
#10 0x0000000000442212 in JSC::JSObject::getOwnNonIndexPropertySlot (this=0x7ffff0e43ec0, vm=..., structure=..., propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1106
#11 0x000000000044267d in JSC::JSObject::getPropertySlot (this=0x7ffff0e43ec0, exec=0x7fffffffccb0, propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1177
#12 0x0000000000442a7c in JSC::JSObject::get (this=0x7ffff0e43ec0, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1231
#13 0x00007ffff6d34bfc in JSC::JSObject::getMethod (this=0x7ffff0e43ec0, exec=0x7fffffffccb0, callData=..., callType=@0x7fffff7ff3fc: (JSC::CallTypeHost | JSC::CallTypeJS | unknown: 32764), ident=...,
errorMessage=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2977
#14 0x00007ffff6dc1a6a in JSC::performProxyGet (exec=0x7fffffffccb0, thisValue=140737234878208, propertyName=...) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:114
#15 0x00007ffff6dbb9b2 in JSC::PropertySlot::customGetter (this=0x7fffff7ff620, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.cpp:39
#16 0x000000000043f2a8 in JSC::PropertySlot::getValue (this=0x7fffff7ff620, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.h:290
#17 0x0000000000442a97 in JSC::JSObject::get (this=0x7ffff0e43f00, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1232
#18 0x00007ffff6dc173d in JSC::<lambda()>::operator()(void) const (__closure=0x7fffff7ff770) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:101
#19 0x00007ffff6dc1aca in JSC::performProxyGet (exec=0x7fffffffccb0, thisValue=140737234878208, propertyName=...) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:119
#20 0x00007ffff6dbb9b2 in JSC::PropertySlot::customGetter (this=0x7fffff7ff8e0, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.cpp:39
#21 0x000000000043f2a8 in JSC::PropertySlot::getValue (this=0x7fffff7ff8e0, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.h:290
#22 0x0000000000442a97 in JSC::JSObject::get (this=0x7ffff0e43f00, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1232
#23 0x00007ffff6dc173d in JSC::<lambda()>::operator()(void) const (__closure=0x7fffff7ffa30) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:101
...
---
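The repro above is a prototype cycle that runs through a Proxy: the proxy has no get trap, so its [[Get]] forwards to the target, the target has no own property, and the target's prototype is the proxy again. The following JavaScript is an added example, not part of the bug report and not WebKit code; it shows what a defensive caller can do about that condition (detect the cycle before the read) and what an engine with working stack checks is expected to produce instead of a SIGSEGV (a catchable RangeError). The function names, sample objects and the depth limit are constructed for this example.

```javascript
// Added example (not from the bug report). Two guards around a property read
// whose prototype chain may pass through a Proxy: a cycle check on the chain,
// and a catch for the RangeError an engine raises on stack exhaustion.
// findPrototypeCycle, guardedGet and the sample objects are constructed names.

// Walk the prototype chain with a visited set. A Proxy without a getPrototypeOf
// trap reports its target's prototype, so for the bug's repro
// Object.getPrototypeOf(p) === p and the cycle is found on the first step.
// The depth limit covers a trap that hands back a fresh object on every call,
// which never repeats an identity and so never trips the visited set.
function findPrototypeCycle(start, limit = 10000) {
  const seen = new Set();
  let cur = start;
  let depth = 0;
  while (cur !== null) {
    if (seen.has(cur)) return { cyclic: true, depth };
    seen.add(cur);
    cur = Object.getPrototypeOf(cur); // may run a getPrototypeOf trap
    depth++;
    if (depth > limit) return { cyclic: true, depth };
  }
  return { cyclic: false, depth };
}

// Read obj[key] only when the chain is acyclic, and report stack exhaustion
// (thrown as RangeError by JavaScriptCore and V8) instead of propagating it.
function guardedGet(obj, key) {
  const walk = findPrototypeCycle(obj);
  if (walk.cyclic) return { ok: false, reason: 'prototype-cycle', value: undefined };
  try {
    return { ok: true, reason: null, value: obj[key] };
  } catch (e) {
    if (e instanceof RangeError) return { ok: false, reason: 'stack-overflow', value: undefined };
    throw e; // any other error is the caller's business
  }
}

// The bug's repro, rebuilt here: the target's prototype is the proxy itself.
function buildReportedRepro() {
  const o = {};
  const p = new Proxy(o, {});
  Object.setPrototypeOf(o, p);
  return p;
}

// Constructed analogue of the same failure mode without a Proxy: a getter that
// re-enters itself. The chain is acyclic, but [[Get]] still never terminates,
// and a sound engine ends it with a RangeError rather than a crash.
const selfRecursiveGetter = {
  get x() { return this.x; }
};

// Constructed hostile trap: every getPrototypeOf call returns a brand-new Proxy,
// so the chain is unbounded without ever repeating an object identity.
const freshPrototypeEachTime = new Proxy({}, {
  getPrototypeOf() { return new Proxy({}, this); } // `this` is the handler
});

if (typeof require !== 'undefined' && require.main === module) {
  console.log(guardedGet(buildReportedRepro(), 'x'));   // reason: 'prototype-cycle'
  console.log(guardedGet(selfRecursiveGetter, 'x'));    // reason: 'stack-overflow'
  console.log(findPrototypeCycle(freshPrototypeEachTime, 50)); // cyclic via the depth limit
  console.log(guardedGet({ x: 1 }, 'x'));               // ok, value 1
}
```

The cycle check runs before the read on purpose: once the engine is inside the recursion, the only remaining defence is its own stack check, which is exactly what the reported build lacked on this path. The depth limit is there because a getPrototypeOf trap can return a different object on every call and so defeat identity-based cycle detection.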