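<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Bug 154854: SIGSEGV in Proxy [[Get]] recursion</title>
<!-- Bugzilla emits a <base> so any relative link in the mail resolves against the tracker origin.
     The only link in this body is absolute, so it is kept purely for fidelity with the sender. -->
<base href="https://bugs.webkit.org/">
</head>
<body>
<!-- Bug metadata, one field per row. The presentational table attributes are kept on purpose:
     this is a mail body, and attribute styling is the portable way to keep the cell borders in
     clients that drop <style>. Each <th> is a row header, hence scope="row". -->
<table border="1" cellspacing="0" cellpadding="8">
<tbody>
<tr>
<th scope="row">Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" href="https://bugs.webkit.org/show_bug.cgi?id=154854" title="NEW - SIGSEGV in Proxy [[Get]] recursion">154854</a></td>
</tr>
<tr>
<th scope="row">Summary</th>
<td>SIGSEGV in Proxy [[Get]] recursion</td>
</tr>
<tr>
<th scope="row">Classification</th>
<td>Unclassified</td>
</tr>
<tr>
<th scope="row">Product</th>
<td>WebKit</td>
</tr>
<tr>
<th scope="row">Version</th>
<td>WebKit Nightly Build</td>
</tr>
<tr>
<th scope="row">Hardware</th>
<td>Unspecified</td>
</tr>
<tr>
<th scope="row">OS</th>
<td>Unspecified</td>
</tr>
<tr>
<th scope="row">Status</th>
<td>NEW</td>
</tr>
<tr>
<th scope="row">Severity</th>
<td>Normal</td>
</tr>
<tr>
<th scope="row">Priority</th>
<td>P2</td>
</tr>
<tr>
<th scope="row">Component</th>
<td>JavaScriptCore</td>
</tr>
<tr>
<th scope="row">Assignee</th>
<td>webkit-unassigned@lists.webkit.org</td>
</tr>
<tr>
<th scope="row">Reporter</th>
<td>andre.bargull@gmail.com</td>
</tr>
</tbody>
</table>
<!-- Bug description (reporter-supplied text: a test case followed by a gdb backtrace).
     It is wrapped in <div>, not <p>: a <p> cannot contain a <div>, so the parser would close
     the paragraph early and leave stray empty paragraphs around the block.
     Every '<', '>' and '&' inside <pre> is entity-escaped. Unescaped, a run such as
     "<lambda()>" or "<JSC::StructureIDTable::..." is tokenised as a start tag and silently
     vanishes from the rendered trace, which is exactly the part of a backtrace a triager needs.
     Reading the trace: frames #14 to #23 repeat the same cycle (performProxyGet ->
     PropertySlot::customGetter -> PropertySlot::getValue -> JSObject::get -> the lambda at
     ProxyObject.cpp:101 -> performProxyGet), i.e. unbounded recursion through the proxy in the
     target's prototype chain; the faulting address 0x7fffff7feff8 sits just below the frame
     addresses shown (0x7fffff7ff...), which looks like stack exhaustion rather than a bad
     heap pointer (inference from the addresses, to be confirmed in the debugger). -->
<div>
<pre>Revision: r197396
Test case:
---
var o = {};
var p = new Proxy(o, {});
Object.setPrototypeOf(o, p);
p.x
---
Output:
---
Program received signal SIGSEGV, Segmentation fault.
0x0000000000447b23 in std::_Tuple_impl&lt;0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete&lt;JSC::StructureIDTable::StructureOrOffset []&gt; &gt;::_M_head (
__t=&lt;error reading variable: Cannot access memory at address 0x7fffff7feff8&gt;) at /usr/include/c++/5/tuple:193
193 _M_head(const _Tuple_impl&amp; __t) noexcept { return _Base::_M_head(__t); }
(gdb) bt
#0 0x0000000000447b23 in std::_Tuple_impl&lt;0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete&lt;JSC::StructureIDTable::StructureOrOffset []&gt; &gt;::_M_head (
__t=&lt;error reading variable: Cannot access memory at address 0x7fffff7feff8&gt;) at /usr/include/c++/5/tuple:193
#1 0x0000000000447b4d in std::__get_helper&lt;0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete&lt;JSC::StructureIDTable::StructureOrOffset []&gt; &gt; (__t=...) at /usr/include/c++/5/tuple:827
#2 0x0000000000447b67 in std::get&lt;0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete&lt;JSC::StructureIDTable::StructureOrOffset []&gt; &gt; (__t=std::tuple containing = {...})
at /usr/include/c++/5/tuple:839
#3 0x0000000000447b82 in std::unique_ptr&lt;JSC::StructureIDTable::StructureOrOffset [], std::default_delete&lt;JSC::StructureIDTable::StructureOrOffset []&gt; &gt;::get (this=0x7ffff0e010c0)
at /usr/include/c++/5/bits/unique_ptr.h:542
#4 0x000000000043aad2 in JSC::StructureIDTable::table (this=0x7ffff0e010a8) at ../../Source/JavaScriptCore/runtime/StructureIDTable.h:65
#5 0x000000000043ab23 in JSC::StructureIDTable::get (this=0x7ffff0e010a8, structureID=1) at ../../Source/JavaScriptCore/runtime/StructureIDTable.h:86
#6 0x000000000044451d in JSC::JSCell::structure (this=0x7ffff0e58880) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:102
#7 0x0000000000440a1d in JSC::Structure::materializePropertyMapIfNecessary (this=0x7ffff0e58880, vm=..., table=@0x7fffff7ff160: 0x7fffff7ff180) at ../../Source/JavaScriptCore/runtime/Structure.h:633
#8 0x0000000000445d0e in JSC::Structure::get (this=0x7ffff0e58880, vm=..., propertyName=..., attributes=@0x7fffff7ff218: 4434642, hasInferredType=@0x7fffff7ff1c7: false)
at ../../Source/JavaScriptCore/runtime/StructureInlines.h:98
#9 0x0000000000445c4a in JSC::Structure::get (this=0x7ffff0e58880, vm=..., propertyName=..., attributes=@0x7fffff7ff218: 4434642) at ../../Source/JavaScriptCore/runtime/StructureInlines.h:89
#10 0x0000000000442212 in JSC::JSObject::getOwnNonIndexPropertySlot (this=0x7ffff0e43ec0, vm=..., structure=..., propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1106
#11 0x000000000044267d in JSC::JSObject::getPropertySlot (this=0x7ffff0e43ec0, exec=0x7fffffffccb0, propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1177
#12 0x0000000000442a7c in JSC::JSObject::get (this=0x7ffff0e43ec0, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1231
#13 0x00007ffff6d34bfc in JSC::JSObject::getMethod (this=0x7ffff0e43ec0, exec=0x7fffffffccb0, callData=..., callType=@0x7fffff7ff3fc: (JSC::CallTypeHost | JSC::CallTypeJS | unknown: 32764), ident=...,
errorMessage=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2977
#14 0x00007ffff6dc1a6a in JSC::performProxyGet (exec=0x7fffffffccb0, thisValue=140737234878208, propertyName=...) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:114
#15 0x00007ffff6dbb9b2 in JSC::PropertySlot::customGetter (this=0x7fffff7ff620, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.cpp:39
#16 0x000000000043f2a8 in JSC::PropertySlot::getValue (this=0x7fffff7ff620, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.h:290
#17 0x0000000000442a97 in JSC::JSObject::get (this=0x7ffff0e43f00, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1232
#18 0x00007ffff6dc173d in JSC::&lt;lambda()&gt;::operator()(void) const (__closure=0x7fffff7ff770) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:101
#19 0x00007ffff6dc1aca in JSC::performProxyGet (exec=0x7fffffffccb0, thisValue=140737234878208, propertyName=...) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:119
#20 0x00007ffff6dbb9b2 in JSC::PropertySlot::customGetter (this=0x7fffff7ff8e0, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.cpp:39
#21 0x000000000043f2a8 in JSC::PropertySlot::getValue (this=0x7fffff7ff8e0, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.h:290
#22 0x0000000000442a97 in JSC::JSObject::get (this=0x7ffff0e43f00, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1232
#23 0x00007ffff6dc173d in JSC::&lt;lambda()&gt;::operator()(void) const (__closure=0x7fffff7ffa30) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:101
...
---</pre>
</div>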
</body>
</html>