899399 - runtime error: member call on null pointer of type 'js::GlobalObject'

Status: NEW

(Core :: JavaScript Engine, defect)

Description

[Yeuk Hon Wong]

Attachment: stack.txt

Follow the instruction here:
https://developer.mozilla.org/en-US/docs/Building_SpiderMonkey_with_UBSan

I was able to find this runtime error in every test (just to give you an example):


## test262/intl402/ch12/12.2/12.2.2_a.js: rc = 0, run time = 0.641127
 PASSED!
/home/vagrant/mozilla-central/js/src/jsproxy.cpp:3485:12: runtime error: member call
 on null pointer of type 'js::GlobalObject'
../ion/shared/IonFrames-x86-shared.h:72:42: runtime error: member call on null point
er of type 'js::ion::IonJSFrameLayout'
../ion/shared/IonFrames-x86-shared.h:77:42: runtime error: member call on null point
er of type 'js::ion::IonJSFrameLayout'
/home/vagrant/mozilla-central/js/src/obj-ubsan-0721-4-no-align-3/shell/js:0x13dcaf4: runtime error: load of value 183, which is not a valid value for type 'bool'


I will report separate bug for each of the runtime error. 

You can see the stack trace for the example above in the attachment.


This is probably introduced since this revision: https://hg.mozilla.org/mozilla-central/diff/09dcdc2b2120/js/src/jsproxy.cpp#l1.70

Comment 1

[Yeuk Hon Wong]

Attachment: stack_on_crash.txt

This is the stack when we compiled with -fsanitize=undefined-trap -fsanitze-undefined-trap-on-error instead (see MDN page as well for the detail).

Comment 2

[Yeuk Hon Wong]

It seems like the issue is due to the undefined rval /home/vagrant/mozilla-central/js/src/jsobj.cpp around 1016-1019? Correct me I am wrong:

http://dxr.mozilla.org/mozilla-central/source/js/src/jsobj.cpp#l964

The execution goes to the last return which doesn't do anything to rval.
http://pastebin.mozilla.org/2742263

Comment 3

[Jesse Ruderman]

Was that comment meant for bug 899404?

Comment 4

[Yeuk Hon Wong]

Oh man. Yes. My bad. I blame tabs!