Closed Bug 485790 Opened 15 years ago Closed 15 years ago

TM: Crash [@ 0x000fdecb]

Categories: Core :: JavaScript Engine, defect, P1
Status: VERIFIED FIXED
Target Milestone: mozilla1.9.1b4
People: Reporter: gkw, Assigned: gal
Details: 4 keywords, Whiteboard: [sg:critical?] fixed-in-tracemonkey
Attachments: 2 files

(function(){{__proto__.prop = this} __proto__= null})()
for each (let x in [function(){}, []]) { x.valueOf() }


Crashes both debug and opt js shells with -j only, on both Mac Leopard and WinXP. Turning security-sensitive and nominating blocking1.9.1? because it crashes at a scary memory address.

autoBisect shows bug 463238 or http://hg.mozilla.org/tracemonkey/rev/1c6be1c210b9 may be related:

The first bad revision is:
changeset:   26344:1c6be1c210b9
user:        Andreas Gal
date:        Fri Mar 20 18:52:11 2009 -0700
summary:     Support calling arbitrary JSFastNatives from trace (463238, r=brendan).
Flags: blocking1.9.1?
Assignee: general → gal
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
Confirmed with TM tip.
Target Milestone: --- → mozilla1.9.1b4
#0  0x0025bebd in ?? ()
#1  0x00000000 in ?? ()
(gdb) x/i $pc
0x25bebd:	mov    (%eax),%edx
(gdb) x/20i $pc
0x25bebd:	mov    (%eax),%edx
0x25bebf:	mov    0x4(%edx),%eax
0x25bec2:	mov    0x10(%eax),%eax
0x25bec5:	cmp    $0xa545e,%eax
0x25beca:	mov    -0xc(%ebp),%eax
0x25becd:	jne    0x2a1f55
0x25bed3:	mov    0x10(%edx),%edx
0x25bed6:	cmp    $0x82,%edx
0x25bedc:	jne    0x2a1f64
0x25bee2:	mov    0x8(%eax),%eax
0x25bee5:	test   %eax,%eax
0x25bee7:	je     0x2a1f73
0x25beed:	mov    (%eax),%eax
0x25beef:	mov    0x4(%eax),%edx
0x25bef2:	mov    (%edx),%edx
0x25bef4:	cmp    $0xa2d44,%edx
0x25befa:	jne    0x2a1f82
0x25bf00:	mov    0x10(%eax),%eax
0x25bf03:	cmp    $0xa3,%eax
0x25bf08:	jne    0x2a1f91
(gdb) 
0x25bf0e:	mov    %ecx,0x20(%ebx)
0x25bf11:	movl   $0x296230,0x18(%ebx)
0x25bf18:	lea    -0x10(%ebp),%eax
0x25bf1b:	movl   $0x296230,-0x10(%ebp)
0x25bf22:	mov    %ecx,-0xc(%ebp)
0x25bf25:	movl   $0x25a318,0x1e0(%esi)
0x25bf2f:	sub    $0x4,%esp
0x25bf32:	push   %eax
0x25bf33:	push   $0x0
0x25bf35:	push   %esi
0x25bf36:	call   0xa9726 <_ZL11obj_valueOfP9JSContextjPl>
0x25bf3b:	add    $0x10,%esp
0x25bf3e:	movl   $0x0,0x1e0(%esi)
0x25bf48:	mov    0x1e4(%esi),%edx
0x25bf4e:	mov    -0x10(%ebp),%ecx
0x25bf51:	mov    %ecx,0x18(%ebx)
0x25bf54:	and    $0x1,%eax
0x25bf57:	xor    $0x1,%eax
0x25bf5a:	shl    $0x1,%eax
0x25bf5d:	or     %eax,%edx
(gdb) p $eax
$1 = 0
Slightly clearer example that still crashes:

__proto__.prop = this;
__proto__ = null;
for each (let x in [function(){}, []]) { x.valueOf() }
    ld2 = ld $stack2[8]
    ld3 = ld ld2[NULL]
    ops = ld ld3[4]
    ld4 = ld ops[16]
    guard(native-map) = eq ld4, OP(&js_ObjectOps)
    xf2: xf guard(native-map) -> pc=0x30dbe2 imacpc=0x0 sp+32 rp+0
              mov eax,8(ecx)                  ecx($stack2) ebx(sp) esi(cx) edi(state)
              mov -12(ebp),eax                eax(ld2) ecx($stack2) ebx(sp) esi(cx) edi(state)
              mov edx,0(eax)                  eax(ld2) ecx($stack2) ebx(sp) esi(cx) edi(state)

              *** we die here ***

              mov eax,4(edx)                  ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
              mov eax,16(eax)                 eax(ops) ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
              cmp eax,676958                  eax(ld4) ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
              mov eax,-12(ebp)                ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
              jne 0x2a1f55                    eax(ld2) ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
JS_REQUIRES_STACK bool
TraceRecorder::test_property_cache(JSObject* obj, LIns* obj_ins, JSObject*& obj2, jsuword& pcval)
{
    jsbytecode* pc = cx->fp->regs->pc;
    JS_ASSERT(*pc != JSOP_INITPROP && *pc != JSOP_SETNAME && *pc != JSOP_SETPROP);

    // Mimic the interpreter's special case for dense arrays by skipping up one
    // hop along the proto chain when accessing a named (not indexed) property,
    // typically to find Array.prototype methods.
    JSObject* aobj = obj;
    if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
        aobj = OBJ_GET_PROTO(cx, obj);
        obj_ins = stobj_get_fslot(obj_ins, JSSLOT_PROTO);
    }

We are compiling with obj == dense array and emit this code, but we don't guard that obj will be a dense array at runtime. The access then fails subsequently when we run through the code with a non-dense array.
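An added illustration of the failure gal describes, not SpiderMonkey code and not the attached patch; the `Obj` type, the `KIND_*` tags and the two `trace_*` functions are hypothetical stand-ins for the recorder's LIR. The security-relevant point is that a trace specialised on a recording-time assumption ("obj is a dense array, so start the lookup one hop up the proto chain") is a type confusion unless a runtime guard re-checks that assumption: when an object of another kind reaches the compiled code, the proto-slot load is still emitted and whatever sits in that slot is then dereferenced. The scenario is constructed to mirror the testcase's `[function(){}, []]` and gives the function object a NULL proto, which is the same condition the gdb session above shows (`p $eax` is 0 at the faulting `mov (%eax),%edx`). The guarded shape side-exits to the interpreter instead of loading through the bad pointer.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical object model (not SpiderMonkey's JSObject): a kind tag plus a
 * proto slot standing in for JSSLOT_PROTO. */
enum ObjKind { KIND_PLAIN, KIND_FUNCTION, KIND_DENSE_ARRAY };

typedef struct Obj {
    enum ObjKind kind;
    struct Obj *proto;
    const char *label;
} Obj;

/* Interpreter semantics: a named-property lookup on a dense array starts one
 * hop up the proto chain (Array.prototype); any other object starts at itself. */
static Obj *interp_lookup_start(Obj *obj)
{
    return obj->kind == KIND_DENSE_ARRAY ? obj->proto : obj;
}

/* Trace recorded while obj was a dense array, with no guard: the proto hop is
 * baked in unconditionally, the shape of the test_property_cache code quoted
 * above. Whatever is in the proto slot is returned as the lookup start. */
static Obj *trace_unguarded(Obj *obj)
{
    return obj->proto;
}

/* Guarded shape: re-check the recording-time assumption on every execution and
 * side-exit to the interpreter when it no longer holds. */
typedef enum { TRACE_OK, TRACE_SIDE_EXIT } TraceStatus;

static TraceStatus trace_guarded(Obj *obj, Obj **start)
{
    if (obj->kind != KIND_DENSE_ARRAY) {
        *start = NULL;
        return TRACE_SIDE_EXIT;
    }
    *start = obj->proto;
    return TRACE_OK;
}

/* Constructed scenario mirroring the testcase's [function(){}, []]. The
 * function object's proto is NULL so the wrong hop shows up as a NULL start
 * pointer, as in the gdb output, rather than a load from an arbitrary address. */
static Obj g_array_proto = { KIND_PLAIN, NULL, "Array.prototype" };
static Obj g_function    = { KIND_FUNCTION, NULL, "function(){}" };
static Obj g_array       = { KIND_DENSE_ARRAY, &g_array_proto, "[]" };

/* Runs the trace over both loop objects and returns how many of them would be
 * looked up from somewhere other than where the interpreter would start, i.e.
 * how many reach the following slot load through the wrong (here NULL) pointer. */
static int mismatches(bool guarded)
{
    Obj *objs[] = { &g_function, &g_array };
    int bad = 0;
    for (size_t i = 0; i < sizeof objs / sizeof objs[0]; i++) {
        Obj *want = interp_lookup_start(objs[i]);
        Obj *got;
        if (guarded) {
            if (trace_guarded(objs[i], &got) == TRACE_SIDE_EXIT)
                got = interp_lookup_start(objs[i]);  /* interpreter resumes */
        } else {
            got = trace_unguarded(objs[i]);
        }
        if (got != want)
            bad++;
    }
    return bad;
}

int main(void)
{
    printf("unguarded trace: %d object(s) looked up through the wrong pointer\n",
           mismatches(false));
    printf("guarded trace:   %d object(s) looked up through the wrong pointer\n",
           mismatches(true));
    return 0;
}
```

The unguarded version reports one mismatch (the function object, whose NULL proto becomes the base of the next load); the guarded version reports none, because the guard fails for the function and the interpreter takes over. Any trace-level specialisation on object shape, class or ops needs the same treatment: the assumption that made the fast path legal at record time must be re-validated by a guard at run time.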
Attached patch: patch
Attachment #370104 - Flags: review?(brendan)
Attachment #370104 - Flags: review?(brendan) → review+
http://hg.mozilla.org/tracemonkey/rev/87d7e4dd96be
Whiteboard: fixed-in-tracemonkey
Assuming this sticks, please remove security flag once this has been merged into m-c.
http://hg.mozilla.org/mozilla-central/rev/87d7e4dd96be
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Group: core-security
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Whiteboard: fixed-in-tracemonkey → [sg:critical?] fixed-in-tracemonkey
js1_8_1/trace/trace-test.js
http://hg.mozilla.org/tracemonkey/rev/61892f57b46a
Flags: in-testsuite? → in-testsuite+
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
cvsroot/mozilla/js/tests/js1_8_1/trace/trace-test.js,v  <--  trace-test.js
new revision: 1.14; previous revision: 1.13

/cvsroot/mozilla/js/tests/shell.js,v  <--  shell.js
Crash Signature: [@ 0x000fdecb]