Status: New
Owner: ----

New issue 346 by nth10sd: Crash [@ v8::internal::JSObject::LocalLookup] and CHECK(holder != __null) failed
http://code.google.com/p/v8/issues/detail?id=346

// Reproducer as reported; kept byte-for-byte, since the exact statement order
// is what reaches the failing CHECK.
// Make the global object's prototype an array holding one empty array; x is
// assigned that same array (value of the chained assignment).
x = this.__proto__ = [[]];
// Array.prototype.push is now reachable through the global's prototype chain;
// it is called with the global object as receiver and a RegExp argument.
(this.push)( /x/)
// Bare calls at top level, so the receiver is the global object: install an
// accessor for element "0" ...
__defineGetter__("0", function(){});
// ... and make Array.prototype.sort the setter for property "x".
__defineSetter__("x", [].sort);
// Assigning x fires that setter, i.e. sort() runs with the global object as
// its receiver (frame 6 in the trace below, this=#0#, which the key lists as
// the global). The trace then shows the comparison reaching DefaultString
// with x=<FixedArray[2]> — a V8-internal object rather than a JS value;
// presumably the accessor pair installed for "0" (function + undefined, see
// #2# in the key) leaking out as an element — to be confirmed against the
// engine source.
x = undefined;

This crashes a release (opt) build compiled with "scons mode=release library=static
snapshot=on sample=shell", at 0xffffffff in
v8::internal::JSObject::LocalLookup.

This triggers an assertion failure in a debug build compiled with "scons mode=debug
library=shared snapshot=on sample=shell": CHECK(holder != __null) failed

(Please acknowledge and attribute the reporter's discovery of this testcase.)


=====

$ ./shell_g
V8 version 1.2.4 (candidate)
> x = this.__proto__ = [[]];
(this.push)( /x/)
__defineGetter__("0", function(){});
__defineSetter__("x", [].sort);
x = undefined;

> 2
> <string conversion failed>
> <string conversion failed>


#
# Fatal error in src/objects.cc, line 140
# CHECK(holder != __null) failed
#


==== Stack trace ============================================

Security context: 0x1c10f61 <JS Object>#0#
     1: DefaultString(this=0x1c11101 <JS Object>#1#,x=0x1c13fb5
<FixedArray[2]>#2#)
     2: ToString(this=0x1c11101 <JS Object>#1#,x=0x1c13fb5  
<FixedArray[2]>#2#)
     3: Compare(this=0x1c11101 <JS Object>#1#,x=0x1c13fb5
<FixedArray[2]>#2#,y=0x18250ad <String[3]: /x/>)
     4: InsertionSort(this=0x1c11101 <JS Object>#1#,a=0x1c10f61 <JS
Object>#0#,from=0,to=2)
     5: QuickSort(this=0x1c11101 <JS Object>#1#,a=0x1c10f61 <JS
Object>#0#,from=0,to=2)
     6: sort(this=0x1c10f61 <JS Object>#0#,comparefn=0x1e00135 <undefined>)
    10: /* anonymous */(this=0x1c10f95 <JS Global Object>#3#)

==== Details ================================================

[1]: DefaultString(this=0x1c11101 <JS Object>#1#,x=0x1c13fb5
<FixedArray[2]>#2#) {
   // stack-allocated locals
   var s = 0x1e00135 <undefined>
   var v = 0x1e00135 <undefined>
   // expression stack (top to bottom)
   [04] : 0x1e037a1 <String[8]: toString>
   [03] : 0x1c13fb5 <FixedArray[2]>#2#
   [02] : 0x1c13fb5 <FixedArray[2]>#2#
--------- s o u r c e   c o d e ---------
function DefaultString(x) {
  if ((typeof(x.toString) === 'function')) {
    var s = x.toString();
    if (%IsPrimitive(s)) return s;
  }
  if ((typeof(x.valueOf) === 'function')) {
    var v = x.valueOf();
    if (%IsPrimitive(v)) return v;
  }
  throw %MakeTypeError('cannot_convert_to_primitive', []);
}
-----------------------------------------
}

[2]: ToString(this=0x1c11101 <JS Object>#1#,x=0x1c13fb5 <FixedArray[2]>#2#)  
{
   // expression stack (top to bottom)
   [02] : 0x1e044fd <String[13]: DefaultString>
   [01] : 0x1c11101 <JS Object>#1#
   [00] : 0x1e00315 <String[8]: ToString>
--------- s o u r c e   c o d e ---------
function ToString(x) {
  if ((typeof(x) === 'string')) return x;
  if ((typeof(x) === 'number')) return %NumberToString(x);
  if ((typeof(x) === 'boolean')) return x ? 'true' : 'false';
  if ((typeof(x) === 'undefined')) return 'undefined';
  return ((x === null)) ? 'null' : %ToString(%DefaultString(x));
}
-----------------------------------------
}

[3]: Compare(this=0x1c11101 <JS Object>#1#,x=0x1c13fb5
<FixedArray[2]>#2#,y=0x18250ad <String[3]: /x/>) {
   // expression stack (top to bottom)
   [00] : 0x1e00315 <String[8]: ToString>
--------- s o u r c e   c o d e ---------
function Compare(x,y) {
    if (x === y) return 0;
    if (custom_compare) {
      return comparefn.call(null, x, y);
    }
    if (%_IsSmi(x) && %_IsSmi(y)) {
      return %SmiLexicographicCompare(x, y);
    }
    x = ToString(x);
    y = ToString(y);
    if (x == y) return 0;
    else return x < y ? -1 : 1;
  }
-----------------------------------------
}

[4]: InsertionSort(this=0x1c11101 <JS Object>#1#,a=0x1c10f61 <JS
Object>#0#,from=0,to=2) {
   // stack-allocated locals
   var max = 1
   var key = 0x18250ad <String[3]: /x/>
   var mid = 0
   var j = 0x1e00135 <undefined>
   var order = 0x1e00135 <undefined>
   var i = 1
   var min = 0
   var element = 0x18227d9 <JS RegExp>#4#
   // expression stack (top to bottom)
   [08] : 0x1c14259 <JS Function Compare>#5#
--------- s o u r c e   c o d e ---------
function InsertionSort(a, from, to) {?    for (var i = from + 1; i < to;
i++) {?      var element = a[i];?      var key =?          (custom_compare
|| %_IsSmi(element)) ? element : ToString(element);?      var min = from;?
      var max = i;?      while (min < max) {?        var mid = min + ((max -
min) >> 1);?        var...

-----------------------------------------
}

[5]: QuickSort(this=0x1c11101 <JS Object>#1#,a=0x1c10f61 <JS
Object>#0#,from=0,to=2) {
   // stack-allocated locals
   var pivot = 0x1e00135 <undefined>
   var high_start = 0x1e00135 <undefined>
   var pivot_key = 0x1e00135 <undefined>
   var order = 0x1e00135 <undefined>
   var i = 0x1e00135 <undefined>
   var low_end = 0x1e00135 <undefined>
   var element = 0x1e00135 <undefined>
   var pivot_index = 0x1e00135 <undefined>
   // expression stack (top to bottom)
   [08] : 0x1c14275 <JS Function InsertionSort>#6#
--------- s o u r c e   c o d e ---------
function QuickSort(a, from, to) {?    if (to - from <= 22) {?
InsertionSort(a, from, to);?      return;?    }?    var pivot_index =
$floor($random() * (to - from)) + from;?    var pivot = a[pivot_index];?
  var pivot_key =?      (custom_compare || %_IsSmi(pivot)) ? pivot :
ToString(pivot);?    a[pivot_index] = ...

-----------------------------------------
}

[6]: sort(this=0x1c10f61 <JS Object>#0#,comparefn=0x1e00135 <undefined>) {
   // stack-allocated locals
   var is_array = 0x1e00179 <false>
   var max_prototype_element = 0
   var num_non_undefined = 2
   var length = 2
   var ShadowPrototypeElements = 0x1c142c9 <JS Function
ShadowPrototypeElements>#7#
   var CopyFromPrototype = 0x1c142ad <JS Function CopyFromPrototype>#8#
   // heap-allocated locals
   var comparefn = 0x1e00135 <undefined>
   var custom_compare = 0x1e00179 <false>
   var InsertionSort = 0x1c14275 <JS Function InsertionSort>#6#
   var QuickSort = 0x1c14291 <JS Function QuickSort>#9#
   var Compare = 0x1c14259 <JS Function Compare>#5#
   // expression stack (top to bottom)
   [06] : 0x1c14291 <JS Function QuickSort>#9#
--------- s o u r c e   c o d e ---------
function sort(comparefn) {?  var custom_compare = (typeof(comparefn) ===
'function');?  function Compare(x,y) {?    if (x === y) return 0;?    if
(custom_compare) {?      return comparefn.call(null, x, y);?    }?    if
(%_IsSmi(x) && %_IsSmi(y)) {?      return %SmiLexicographicCompare(x, y);?
    }?    x = ToStri...

-----------------------------------------
}

[10]: /* anonymous */(this=0x1c10f95 <JS Global Object>#3#) {
   // stack-allocated locals
   var .result = 0x1e00135 <undefined>
   // expression stack (top to bottom)
   [04] : 0x1e00135 <undefined>
   [03] : 0x1e001e1 <String[1]: x>
   [02] : 0x1c10f61 <JS Object>#0#
   [01] : 0x1c10f61 <JS Object>#0#
--------- s o u r c e   c o d e ---------
x = undefined;?
-----------------------------------------
}

==== Key         ============================================

  #0# 0x1c10f61: 0x1c10f61 <JS Object>
  #1# 0x1c11101: 0x1c11101 <JS Object>
               $NaN: 0x1e04179 <Number: nan>
              $Math: 0x180f11d <a MathConstructor>>#10#
             global: 0x1c10f61 <JS Object>#0#
            $RegExp: 0x1c1104d <JS Function RegExp>#11#
          kMessages: 0x1814429 <an Object>>#12#
          $Infinity: 0x1e04f71 <Number: inf>
       hexCharArray: 0x180c4cd <JS array[16]>#13#
       kVowelSounds: 0x1812dbd <an Object>>#14#
      functionCache: 0x181d649 <an Object>>#15#
      lastMatchInfo: 0x1821bcd <JS array[5]>#16#
     visited_arrays: 0x180559d <JS array[0]>#17#
   kLineLengthLimit: 78
   hexCharCodeArray: 0x180c57d <JS array[16]>#18#
  kApiFunctionCache: 0x181d649 <an Object>>#15#
  reusableMatchInfo: 0x1807eed <JS array[5]>#19#
kCapitalVowelSounds: 0x1813255 <an Object>>#20#
kStackOverflowBoilerplate: 0x181af8d <a RangeError>>#21#
kAddMessageAccessorsMarker: 0x1814979 <an Object>>#22#
  #2# 0x1c13fb5: 0x1c13fb5 <FixedArray[2]>
                  0: 0x1c13f99 <JS Function>#23#
                  1: 0x1e00135 <undefined>
  #3# 0x1c10f95: 0x1c10f95 <JS Global Object>
  #4# 0x18227d9: 0x18227d9 <JS RegExp>
             source: 0x1e0765d <String[1]: x>
             global: 0x1e00179 <false>
          multiline: 0x1e00179 <false>
          lastIndex: 0
         ignoreCase: 0x1e00179 <false>
  #5# 0x1c14259: 0x1c14259 <JS Function Compare>
  #6# 0x1c14275: 0x1c14275 <JS Function InsertionSort>
  #7# 0x1c142c9: 0x1c142c9 <JS Function ShadowPrototypeElements>
  #8# 0x1c142ad: 0x1c142ad <JS Function CopyFromPrototype>
  #9# 0x1c14291: 0x1c14291 <JS Function QuickSort>
  #10# 0x180f11d: 0x180f11d <a MathConstructor>>
                  E: 0x1e047fd <Number: 2.718281828459045>
                 PI: 0x1e0487d <Number: 3.141592653589793>
                LN2: 0x1e0482d <Number: 0.6931471805599453>
               LN10: 0x1e04815 <Number: 2.302585092994046>
              SQRT2: 0x1e048b5 <Number: 1.414213562373095>
              LOG2E: 0x1e04849 <Number: 1.442695040888963>
             LOG10E: 0x1e04865 <Number: 0.4342944819032518>
            SQRT1_2: 0x1e04899 <Number: 0.7071067811865476>
  #11# 0x1c1104d: 0x1c1104d <JS Function RegExp>
  #12# 0x1814429: 0x1814429 <an Object>>
         pcre_error: 0x1e07141 <String[31]: PCRE function %0, error code %1>
        not_defined: 0x1e068ad <String[17]: %0 is not defined>
        stack_trace: 0x1e06f91 <String[15]\: Stack Trace:\n%0>
       cyclic_proto: 0x1e06ed5 <String[22]: Cyclic __proto__ value>
       regexp_flags: 0x1e06e8d <String[61]: Cannot supply flags when
constructing one RegExp from another>
       illegal_eval: 0x1e06f69 <String[32]: Unsupported indirect eval() call>
       invalid_json: 0x1e067c1 <String[29]: String '%0' is not valid JSON>
      illegal_break: 0x1e0708d <String[23]: Illegal break statement>
      unknown_label: 0x1e06df5 <String[20]: Undefined label '%0'>
      redeclaration: 0x1e067e9 <String[33]: %0 '%1' has already been  
declared>
      invalid_break: 0x1e06969 <String[23]: Invalid break statement>
     invalid_regexp: 0x1e06a19 <String[27]: Invalid RegExp pattern /%0/>
     expected_label: 0x1e06aed <String[14]: Expected label>
     stack_overflow: 0x1e069d9 <String[32]: Maximum call stack size exceeded>
     null_to_object: 0x1e06b05 <String[29]: Cannot convert null to object>
     apply_overflow: 0x1e070dd <String[52]: Function.prototype.apply cannot
support %0 arguments>
     illegal_return: 0x1e069b9 <String[24]: Illegal return statement>
     unexpected_eos: 0x1e06fed <String[23]: Unexpected end of input>
    with_expression: 0x1e06b2d <String[20]: %0 has no properties>
    not_constructor: 0x1e06bad <String[23]: %0 is not a constructor>
    unable_to_parse: 0x1e06b75 <String[11]: Parse error>
   apply_wrong_args: 0x1e06cd9 <String[55]: Function.prototype.apply:
Arguments list has wrong type>
   unexpected_token: 0x1e07031 <String[19]: Unexpected token %0>
   invalid_continue: 0x1e06815 <String[26]: Invalid continue statement>
   malformed_regexp: 0x1e06c2d <String[36]: Invalid regular expression:
/%0/: %1>
   undefined_method: 0x1e06ac9 <String[28]: Object %1 has no method '%0'>
   illegal_continue: 0x1e0700d <String[26]: Illegal continue statement>
  null_or_undefined: 0x1e06a95 <String[43]: Cannot access property of null
or undefined>
  reduce_no_initial: 0x1e06f35 <String[43]: Reduce of empty array with no
initial value>
no_input_to_regexp: 0x1e06a01 <String[14]: No input to %0>
uncaught_exception: 0x1e06c81 <String[11]: Uncaught %0>
illegal_invocation: 0x1e068c9 <String[18]: Illegal invocation>
apply_non_function: 0x1e068e5 <String[75]: Function.prototype.apply was
called on %0, which is a %1 and not a function>
circular_structure: 0x1e0687d <String[37]: Converting circular structure to
JSON>
newline_after_throw: 0x1e07069 <String[27]: Illegal newline after throw>
unterminated_regexp: 0x1e070ad <String[37]: Invalid regular expression:
missing />
called_non_callable: 0x1e06e11 <String[20]: %0 is not a function>
no_catch_or_finally: 0x1e06d19 <String[34]: Missing catch or finally after  
try>
result_not_primitive: 0x1e06989 <String[40]: Result of %0 must be a
primitive, was %1>
invalid_array_length: 0x1e06a3d <String[20]: Invalid array length>
property_not_function: 0x1e06d45 <String[44]: Property '%0' of object %1 is
not a function>
no_setter_in_callback: 0x1e06a59 <String[52]: Cannot set property %0 of %1
which has only a getter>
invalid_lhs_in_for_in: 0x1e06cb1 <String[32]: Invalid left-hand side in  
for-in>
duplicate_regexp_flag: 0x1e06d79 <String[24]: Duplicate RegExp flag %0>
error_loading_debugger: 0x1e06b89 <String[25]: Error loading debugger %0>
unexpected_token_number: 0x1e06c95 <String[17]: Unexpected number>
invalid_in_operator_use: 0x1e06db9 <String[49]: Cannot use 'in' operator to
search for '%0' in %1>
unexpected_token_string: 0x1e0704d <String[17]: Unexpected string>
invalid_lhs_in_prefix_op: 0x1e06781 <String[53]: Invalid left-hand side
expression in prefix operation>
unrecognized_regexp_flag: 0x1e06e69 <String[27]: Unrecognized RegExp  
flag %0>
non_object_property_load: 0x1e06c05 <String[31]: Cannot read property '%0'
of %1>
non_object_property_call: 0x1e07119 <String[29]: Cannot call method '%0'  
of %1>
invalid_lhs_in_assignment: 0x1e06b49 <String[36]: Invalid left-hand side in
assignment>
non_object_property_store: 0x1e06c59 <String[30]: Cannot set property '%0'
of %1>
invalid_lhs_in_postfix_op: 0x1e06ef5 <String[54]: Invalid left-hand side
expression in postfix operation>
instanceof_nonobject_proto: 0x1e06839 <String[58]: Function has non-object
prototype '%0' in instanceof check>
invalid_array_apply_length: 0x1e06fa9 <String[59]: Function.prototype.apply
supports only up to 1024 arguments>
cannot_convert_to_primitive: 0x1e06939 <String[40]: Cannot convert object
to primitive value>
multiple_defaults_in_switch: 0x1e06bcd <String[48]: More than one default
clause in switch statement>
unexpected_token_identifier: 0x1e06d99 <String[21]: Unexpected identifier>
instanceof_function_expected: 0x1e06e2d <String[52]: Expecting a function
in instanceof check, but got %0>
  #13# 0x180c4cd: 0x180c4cd <JS array[16]>
                  0: 0x1e03a21 <String[1]: 0>
                  1: 0x1e061d9 <String[1]: 1>
                  2: 0x1e061e5 <String[1]: 2>
                  3: 0x1e061f1 <String[1]: 3>
                  4: 0x1e061fd <String[1]: 4>
                  5: 0x1e06209 <String[1]: 5>
                  6: 0x1e06215 <String[1]: 6>
                  7: 0x1e06221 <String[1]: 7>
                  8: 0x1e0622d <String[1]: 8>
                  9: 0x1e06239 <String[1]: 9>
                   ...
  #14# 0x1812dbd: 0x1812dbd <an Object>>
                  e: 0x1e00161 <true>
                  a: 0x1e00161 <true>
                  u: 0x1e00161 <true>
                  o: 0x1e00161 <true>
                  y: 0x1e00161 <true>
                  i: 0x1e00161 <true>
  #15# 0x181d649: 0x181d649 <an Object>>
  #16# 0x1821bcd: 0x1821bcd <JS array[5]>
                  0: 2
                  1: 0x1e001d9 <String[0]: >
                  2: 0x1e00135 <undefined>
                  3: 0
                  4: 0
  #17# 0x180559d: 0x180559d <JS array[0]>
  #18# 0x180c57d: 0x180c57d <JS array[16]>
                  0: 48
                  1: 49
                  2: 50
                  3: 51
                  4: 52
                  5: 53
                  6: 54
                  7: 55
                  8: 56
                  9: 57
                   ...
  #19# 0x1807eed: 0x1807eed <JS array[5]>
                  0: 2
                  1: 0x1e001d9 <String[0]: >
                  2: 0x1e001d9 <String[0]: >
                  3: -1
                  4: -1
  #20# 0x1813255: 0x1813255 <an Object>>
                  r: 0x1e00161 <true>
                  x: 0x1e00161 <true>
                  h: 0x1e00161 <true>
                  f: 0x1e00161 <true>
                  l: 0x1e00161 <true>
                  e: 0x1e00161 <true>
                  a: 0x1e00161 <true>
                  u: 0x1e00161 <true>
                  o: 0x1e00161 <true>
                  n: 0x1e00161 <true>
                  y: 0x1e00161 <true>
                  s: 0x1e00161 <true>
                  i: 0x1e00161 <true>
                  m: 0x1e00161 <true>
  #21# 0x181af8d: 0x181af8d <a RangeError>>
  #22# 0x1814979: 0x1814979 <an Object>>
  #23# 0x1c13f99: 0x1c13f99 <JS Function>
=====================

Abort trap
$ svn log | head
------------------------------------------------------------------------
r1952 | [email protected] | 2009-05-14 20:26:59 +0800 (Thu, 14 May 2009) |
2 lines

Fix x64 build.
Review URL: http://codereview.chromium.org/115351
------------------------------------------------------------------------
r1951 | [email protected] | 2009-05-14 20:18:25 +0800 (Thu, 14 May 2009) |
4 lines

Reapply revision 1949.  Stupid error.

