Closed Bug 303277 Opened 19 years ago Closed 19 years ago

crash with a watchpoint for __proto__ property [@ js_SetProtoOrParent]

Categories: Core :: JavaScript Engine
Type: defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Target Milestone: mozilla1.8beta4
People: Reporter: sync2d, Assigned: brendan
Keywords: crash, js1.5
Attachments: 1 file

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b4) Gecko/20050802 Firefox/1.0+

If the object has a watchpoint for the __proto__ property,
the JavaScript engine will crash when __proto__ is set.
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=8054749


Reproducible: Always

Steps to Reproduce:
1. javascript: o={}; o.watch("__proto__", function(){return null;}); o.__proto__=null; void 0;

Actual Results:  
crash @ js3250.dll

Expected Results:  
no crash.
Assertion failure: (uint32)slot < JS_MIN(((obj)->map)->freeslot, ((obj)->map)->nslots), at c:/work/mozilla/builds/ff/trunk/mozilla/js/src/jsobj.c:357

+	cx	0x03b92610
-	obj	0x03b39f18
+	map	0x03f39f38
+	slots	0x033217bc
+	pobj	0x00000000
	slot	7814838

NTDLL! 7c901230()
js_SetProtoOrParent(JSContext * 0x03b92610, JSObject * 0x03b39f18, unsigned long 7814838, JSObject * 0x00000000) line 357 + 72 bytes
obj_setSlot(JSContext * 0x03b92610, JSObject * 0x03b39f18, long 15629676, long * 0x00129874) line 181 + 21 bytes
js_watch_set(JSContext * 0x03b92610, JSObject * 0x03b39f18, long 15629676, long * 0x00129874) line 377 + 149 bytes
js_Interpret(JSContext * 0x03b92610, unsigned char * 0x03f3d0c2, long * 0x00129968) line 3301 + 1239 bytes
js_Execute(JSContext * 0x03b92610, JSObject * 0x03b3b0e0, JSScript * 0x03f3d070, JSStackFrame * 0x00000000, unsigned int 0, long * 0x00129a70) line 1403 + 19 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x03b92610, JSObject * 0x03b3b0e0, JSPrincipals * 0x031a608c, const unsigned short * 0x03f37418, unsigned int 80, const char * 0x0319c2e8, unsigned int 1, long * 0x00129a70) line 3853 + 25 bytes
nsJSContext::EvaluateString(const nsAString_internal & {...}, void * 0x03b3b0e0, nsIPrincipal * 0x031a6088, const char * 0x0319c2e8, unsigned int 1, const char * 0x00000000, nsAString_internal * 0x00129cd0, int * 0x00129c74) line 1060 + 67 bytes
nsJSThunk::EvaluateScript(nsIChannel * 0x03f45828) line 255 + 90 bytes
nsJSChannel::InternalOpen(int 1, nsIStreamListener * 0x03f458c0, nsISupports * 0x00000000, nsIInputStream * * 0x00000000) line 508 + 30 bytes
nsJSChannel::AsyncOpen(nsJSChannel * const 0x03f16db8, nsIStreamListener * 0x03f458c0, nsISupports * 0x00000000) line 480
nsDocumentOpenInfo::Open(nsIChannel * 0x03f16db8) line 224 + 18 bytes
nsURILoader::OpenURI(nsURILoader * const 0x030c0a98, nsIChannel * 0x03f16db8, int 0, nsIInterfaceRequestor * 0x03bba808) line 915 + 19 bytes
nsDocShell::DoChannelLoad(nsIChannel * 0x03f16db8, nsIURILoader * 0x030c0a98) line 6751 + 63 bytes
nsDocShell::DoURILoad(nsIURI * 0x03f457c0, nsIURI * 0x00000000, int 1, nsISupports * 0x031a6088, const char * 0x00000000, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000, int 1, nsIDocShell * * 0x00000000, nsIRequest * * 0x0012a1d0) line 6603 + 35 bytes
nsDocShell::InternalLoad(nsDocShell * const 0x03bba890, nsIURI * 0x03f457c0, nsIURI * 0x00000000, nsISupports * 0x00000000, unsigned int 1, const unsigned short * 0x03c48380, const char * 0x00000000, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000, unsigned int 1, nsISHEntry * 0x00000000, int 1, nsIDocShell * * 0x00000000, nsIRequest * * 0x00000000) line 6376 + 97 bytes
nsDocShell::LoadURI(nsDocShell * const 0x03bba890, nsIURI * 0x03f457c0, nsIDocShellLoadInfo * 0x03d464e8, unsigned int 0, int 1) line 789 + 84 bytes
nsDocShell::LoadURI(nsDocShell * const 0x03bba8a0, const unsigned short * 0x03f3a6c8, unsigned int 0, nsIURI * 0x00000000, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000) line 2821 + 38 bytes
XPTC_InvokeByIndex(nsISupports * 0x03bba8a0, unsigned int 8, unsigned int 5, nsXPTCVariant * 0x0012a620) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2119 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x0318e0a0, JSObject * 0x03b39ee8, unsigned int 5, long * 0x03d8e248, long * 0x0012a8f0) line 1350 + 14 bytes
js_Invoke(JSContext * 0x0318e0a0, unsigned int 5, unsigned int 0) line 1173 + 23 bytes
js_Interpret(JSContext * 0x0318e0a0, unsigned char * 0x03442beb, long * 0x0012b3a4) line 3463 + 15 bytes
js_Invoke(JSContext * 0x0318e0a0, unsigned int 2, unsigned int 6) line 1193 + 19 bytes
fun_apply(JSContext * 0x0318e0a0, JSObject * 0x03bcb5b8, unsigned int 2, long * 0x03d8e060, long * 0x0012b4e4) line 1589 + 15 bytes
js_Invoke(JSContext * 0x0318e0a0, unsigned int 2, unsigned int 0) line 1173 + 23 bytes
js_Interpret(JSContext * 0x0318e0a0, unsigned char * 0x03c37cf3, long * 0x0012bf98) line 3463 + 15 bytes
js_Invoke(JSContext * 0x0318e0a0, unsigned int 0, unsigned int 2) line 1193 + 19 bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x03d87b40, nsXPCWrappedJS * 0x03d7e510, unsigned short 33, const nsXPTMethodInfo * 0x031ddc10, nsXPTCMiniVariant * 0x0012c2e8) line 1339 + 22 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x03d7e510, unsigned short 33, const nsXPTMethodInfo * 0x031ddc10, nsXPTCMiniVariant * 0x0012c2e8) line 462
PrepareAndDispatch(nsXPTCStubBase * 0x03d7e510, unsigned int 33, unsigned int * 0x0012c398, unsigned int * 0x0012c388) line 117 + 31 bytes
SharedStub() line 147
nsAutoCompleteController::EnterMatch() line 1011
nsAutoCompleteController::HandleEnter(nsAutoCompleteController * const 0x03c95020, int * 0x0012c628) line 272
XPTC_InvokeByIndex(nsISupports * 0x03c95020, unsigned int 9, unsigned int 1, nsXPTCVariant * 0x0012c628) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2119 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x0318e0a0, JSObject * 0x03c7b5f8, unsigned int 0, long * 0x03d8df98, long * 0x0012c8f8) line 1350 + 14 bytes
js_Invoke(JSContext * 0x0318e0a0, unsigned int 0, unsigned int 0) line 1173 + 23 bytes
js_Interpret(JSContext * 0x0318e0a0, unsigned char * 0x03c3ac83, long * 0x0012d3ac) line 3463 + 15 bytes
js_Invoke(JSContext * 0x0318e0a0, unsigned int 1, unsigned int 2) line 1193 + 19 bytes
js_InternalInvoke(JSContext * 0x0318e0a0, JSObject * 0x03bcb5b8, long 62102848, unsigned int 0, unsigned int 1, long * 0x0012d5a4, long * 0x0012d5a0) line 1270 + 20 bytes
JS_CallFunctionValue(JSContext * 0x0318e0a0, JSObject * 0x03bcb5b8, long 62102848, unsigned int 1, long * 0x0012d5a4, long * 0x0012d5a0) line 3918 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x03bcb5b8, JSObject * 0x03b39d40, unsigned int 1, long * 0x0012d5a4, long * 0x0012d5a0) line 1400 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x03ed0a50, nsIDOMEvent * 0x0319bb98) line 175 + 51 bytes
nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * 0x03ece8f8, nsIDOMEvent * 0x0319bb98) line 499
nsXBLKeyEventHandler::HandleEvent(nsXBLKeyEventHandler * const 0x03c289a8, nsIDOMEvent * 0x0319bb98) line 144
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03c28b08, nsIDOMEvent * 0x0319bb98, nsIDOMEventTarget * 0x03ece8f8, unsigned int 4, unsigned int 4) line 1580 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03c198d0, nsPresContext * 0x0321cf98, nsEvent * 0x0012f13c, nsIDOMEvent * * 0x0012e90c, nsIDOMEventTarget * 0x03ece8f8, unsigned int 4, nsEventStatus * 0x0012ef30) line 1684
nsXULElement::HandleDOMEvent(nsPresContext * 0x0321cf98, nsEvent * 0x0012f13c, nsIDOMEvent * * 0x0012e90c, unsigned int 4, nsEventStatus * 0x0012ef30) line 2201
nsXULElement::HandleDOMEvent(nsPresContext * 0x0321cf98, nsEvent * 0x0012f13c, nsIDOMEvent * * 0x0012e90c, unsigned int 4, nsEventStatus * 0x0012ef30) line 2180
nsXULElement::HandleDOMEvent(nsPresContext * 0x0321cf98, nsEvent * 0x0012f13c, nsIDOMEvent * * 0x0012e90c, unsigned int 4, nsEventStatus * 0x0012ef30) line 2180
nsGenericElement::HandleDOMEvent(nsPresContext * 0x0321cf98, nsEvent * 0x0012f13c, nsIDOMEvent * * 0x0012e90c, unsigned int 7, nsEventStatus * 0x0012ef30) line 2074
nsHTMLInputElement::HandleDOMEvent(nsPresContext * 0x0321cf98, nsEvent * 0x0012f13c, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012ef30) line 1382 + 31 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f13c, nsIView * 0x03224ca0, unsigned int 1, nsEventStatus * 0x0012ef30) line 6357 + 64 bytes
PresShell::HandleEvent(PresShell * const 0x0321d79c, nsIView * 0x03224ca0, nsGUIEvent * 0x0012f13c, nsEventStatus * 0x0012ef30, int 1, int & 1) line 6193 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x03224ca0, nsGUIEvent * 0x0012f13c, int 0) line 2458
nsViewManager::DispatchEvent(nsViewManager * const 0x03224bf8, nsGUIEvent * 0x0012f13c, nsEventStatus * 0x0012f08c) line 2230 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f13c) line 174
nsWindow::DispatchEvent(nsWindow * const 0x03224d74, nsGUIEvent * 0x0012f13c, nsEventStatus & nsEventStatus_eIgnore) line 1171 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f13c) line 1192
nsWindow::DispatchKeyEvent(unsigned int 131, unsigned short 0, unsigned int 13, long 1835009, unsigned int 0) line 3359 + 15 bytes
nsWindow::OnKeyDown(unsigned int 13, unsigned int 28, long 1835009) line 3497
nsWindow::ProcessMessage(unsigned int 256, unsigned int 13, long 1835009, long * 0x0012f6ac) line 4358 + 32 bytes
nsWindow::WindowProc(HWND__ * 0x000c02b2, unsigned int 256, unsigned int 13, long 1835009) line 1348 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x01352560) line 135
nsAppStartup::Run(nsAppStartup * const 0x013524c0) line 145 + 26 bytes
XRE_main(int 3, char * * 0x003f6fc0, const nsXREAppData * 0x0042101c kAppData) line 2219 + 35 bytes
main(int 3, char * * 0x003f6fc0) line 61 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Summary: crash with a watchpoint for __proto__ property → crash with a watchpoint for __proto__ property [@ js_SetProtoOrParent]
Old bug, easy enough to fix.

/be
Keywords: js1.5
OS: Windows 98 → All
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta4
Attached patch: fix
Asking shaver to review (soon, too!).  This patch fixes two old bugs:

1.  js_watch_set passed the "user" id, not the property id, to the watchpoint
handler.

The user id is what JSPropertyOp implementations see, and it differs from the
property id precisely when SPROP_HAS_SHORTID is set in sprop->flags -- in that
case, it's INT_TO_JSVAL(sprop->shortid).  We must pass the correct userid to
all JSPropertyOp implementations as the |id| formal, but we must not pass
userid to the watchpoint handler or any high-level js_*Property object-op. 
Those all take the property id (propid for short), either as a jsval
(ID_TO_VALUE(sprop->id)) or as a jsid (namely, sprop->id).

2.  Fix the immediate problem here: prototype properties such as __proto__ that
have a shortid were not being shadowed with a native property of the same id,
flags, and shortid.  To fix that, we must call js_DefineNativeProperty in
JS_SetWatchPoint, not js_DefineProperty.

Fixing 2 exposed 1, so I fixed that too.

Timeless, if you could have a look, test, and whatever else you like, I'd
appreciate it.  Whoever gets this checked in wins a SpiderMonkey no-prize.

/be
Attachment #191517 - Flags: review?(shaver)
Attachment #191517 - Flags: approval1.8b4+
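The following is an added example, not the patch, the engine's C code, or the real regress-303277.js: a userland JavaScript model of the watchpoint semantics the patch comment describes, runnable in Node.js, which has no Object.prototype.watch. Its `watch()` shadows the watched property on the object itself with an own accessor (the analogue of point 2, where the inherited __proto__ must be shadowed by a native property of the same id on the watched object), and it passes the property id, old value and new value to the handler and stores whatever the handler returns (the contract point 1 restores by passing the property id rather than the userid). The names `watch`, `regress303277`, `watchOverridesValue` and `watchDataProperty` are this example's own; the regression-style check follows the steps to reproduce in the report.

```javascript
'use strict';

// Added example: a userland model of JS1.5 Object.prototype.watch semantics,
// not SpiderMonkey's C implementation. It mirrors the two points in the patch
// comment: the watchpoint lives on the watched object itself, shadowing any
// inherited property of the same name (point 2), and the handler receives the
// property id, old value and new value, and its return value is what is stored
// (point 1).

function watch(obj, prop, handler) {
  // Walk the prototype chain so an inherited accessor such as
  // Object.prototype.__proto__ is found and wrapped, not replaced.
  let holder = obj;
  let desc;
  while (holder !== null) {
    desc = Object.getOwnPropertyDescriptor(holder, prop);
    if (desc) break;
    holder = Object.getPrototypeOf(holder);
  }

  // Underlying read and write for the original property, bound to obj.
  let read;
  let write;
  if (desc && (desc.get || desc.set)) {
    read = () => (desc.get ? desc.get.call(obj) : undefined);
    write = (v) => { if (desc.set) desc.set.call(obj, v); };
  } else {
    let value = desc ? desc.value : undefined;
    read = () => value;
    write = (v) => { value = v; };
  }

  // Shadow the property on obj with an own accessor: every assignment goes
  // through the handler first, and whatever it returns is stored.
  Object.defineProperty(obj, prop, {
    configurable: true,
    enumerable: desc ? desc.enumerable : true,
    get: read,
    set(newval) {
      write(handler.call(obj, prop, read(), newval));
    },
  });
  return obj;
}

// The steps to reproduce from the report, written as a regression check:
// a watchpoint on __proto__ followed by o.__proto__ = null must not crash,
// must call the handler exactly once with the id "__proto__", and must leave
// o with a null prototype.
function regress303277() {
  const calls = [];          // constructed record of handler invocations
  const o = {};
  watch(o, '__proto__', function (id, oldval, newval) {
    calls.push({ id, oldval, newval });
    return newval;           // store what the script assigned
  });
  o.__proto__ = null;        // the statement that crashed the engine
  return {
    handlerCalls: calls.length,
    idSeen: calls[0].id,
    oldWasObjectPrototype: calls[0].oldval === Object.prototype,
    newWasNull: calls[0].newval === null,
    protoIsNull: Object.getPrototypeOf(o) === null,
  };
}

// The handler's return value is what gets stored, so a watchpoint can redirect
// an assignment: the script asks for null, the handler substitutes
// Array.prototype.
function watchOverridesValue() {
  const o = {};
  watch(o, '__proto__', () => Array.prototype);
  o.__proto__ = null;
  return Object.getPrototypeOf(o) === Array.prototype;
}

// A plain own data property goes through the same path, which shows the
// shadowing accessor is not specific to __proto__.
function watchDataProperty() {
  const o = { x: 1 };
  const seen = [];
  watch(o, 'x', (id, oldval, newval) => {
    seen.push([id, oldval, newval]);
    return newval * 2;
  });
  o.x = 5;
  return { value: o.x, seen };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(regress303277());
  console.log(watchOverridesValue());
  console.log(watchDataProperty());
}
```

Save it as a file and run it with node. Note that Object.setPrototypeOf() bypasses the own accessor entirely, so this models the semantics of an engine-level watchpoint for ordinary assignment only; it is a way to check the expected behaviour of the test case, not a replacement for the engine feature.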
Taking.

/be
Assignee: general → brendan
Flags: blocking1.8b4+
Fixed.

/be
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Checking in regress-303277.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-303277.js,v  <--  regress-303277.js
initial revision: 1.1
done
Flags: testcase+
verified fixed 1.8.x and trunk.
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_SetProtoOrParent]