Bug 485790 - TM: Crash [@ 0x000fdecb]
Status: VERIFIED FIXED
Component: Core :: JavaScript Engine (defect, P1)
Target milestone: mozilla1.9.1b4
Opened 15 years ago; closed 15 years ago
Reporter: gkw; Assigned: gal
4 keywords; Whiteboard: [sg:critical?] fixed-in-tracemonkey

Attachments (2 files):
  2.38 KB, text/plain
  920 bytes, patch (brendan: review+)
Description•15 years ago

  (function(){{__proto__.prop = this} __proto__= null})()
  for each (let x in [function(){}, []]) { x.valueOf() }

crashes both debug and opt js shells with -j only, on both Mac Leopard and WinXP. Turning security-sensitive and nominating blocking1.9.1? because it crashes at a scary memory address.

autoBisect shows bug 463238 or http://hg.mozilla.org/tracemonkey/rev/1c6be1c210b9 may be related:

The first bad revision is:
changeset:   26344:1c6be1c210b9
user:        Andreas Gal
date:        Fri Mar 20 18:52:11 2009 -0700
summary:     Support calling arbitrary JSFastNatives from trace (463238, r=brendan).
Flags: blocking1.9.1?

Updated•15 years ago
Assignee: general → gal
Flags: blocking1.9.1? → blocking1.9.1+

Updated•15 years ago
Priority: -- → P1
Comment 2 (Assignee)•15 years ago

#0  0x0025bebd in ?? ()
#1  0x00000000 in ?? ()
(gdb) x/i $pc
0x25bebd:       mov    (%eax),%edx
(gdb) x/20i $pc
0x25bebd:       mov    (%eax),%edx
0x25bebf:       mov    0x4(%edx),%eax
0x25bec2:       mov    0x10(%eax),%eax
0x25bec5:       cmp    $0xa545e,%eax
0x25beca:       mov    -0xc(%ebp),%eax
0x25becd:       jne    0x2a1f55
0x25bed3:       mov    0x10(%edx),%edx
0x25bed6:       cmp    $0x82,%edx
0x25bedc:       jne    0x2a1f64
0x25bee2:       mov    0x8(%eax),%eax
0x25bee5:       test   %eax,%eax
0x25bee7:       je     0x2a1f73
0x25beed:       mov    (%eax),%eax
0x25beef:       mov    0x4(%eax),%edx
0x25bef2:       mov    (%edx),%edx
0x25bef4:       cmp    $0xa2d44,%edx
0x25befa:       jne    0x2a1f82
0x25bf00:       mov    0x10(%eax),%eax
0x25bf03:       cmp    $0xa3,%eax
0x25bf08:       jne    0x2a1f91
(gdb)
0x25bf0e:       mov    %ecx,0x20(%ebx)
0x25bf11:       movl   $0x296230,0x18(%ebx)
0x25bf18:       lea    -0x10(%ebp),%eax
0x25bf1b:       movl   $0x296230,-0x10(%ebp)
0x25bf22:       mov    %ecx,-0xc(%ebp)
0x25bf25:       movl   $0x25a318,0x1e0(%esi)
0x25bf2f:       sub    $0x4,%esp
0x25bf32:       push   %eax
0x25bf33:       push   $0x0
0x25bf35:       push   %esi
0x25bf36:       call   0xa9726 <_ZL11obj_valueOfP9JSContextjPl>
0x25bf3b:       add    $0x10,%esp
0x25bf3e:       movl   $0x0,0x1e0(%esi)
0x25bf48:       mov    0x1e4(%esi),%edx
0x25bf4e:       mov    -0x10(%ebp),%ecx
0x25bf51:       mov    %ecx,0x18(%ebx)
0x25bf54:       and    $0x1,%eax
0x25bf57:       xor    $0x1,%eax
0x25bf5a:       shl    $0x1,%eax
0x25bf5d:       or     %eax,%edx
(gdb) p $eax
$1 = 0
Comment 3•15 years ago

Slightly clearer example that still crashes:

  __proto__.prop = this;
  __proto__ = null;
  for each (let x in [function(){}, []]) { x.valueOf() }
Comment 4 (Assignee)•15 years ago

ld2 = ld $stack2[8]
ld3 = ld ld2[NULL]
ops = ld ld3[4]
ld4 = ld ops[16]
guard(native-map) = eq ld4, OP(&js_ObjectOps)
xf2: xf guard(native-map) -> pc=0x30dbe2 imacpc=0x0 sp+32 rp+0

mov eax,8(ecx)       ecx($stack2) ebx(sp) esi(cx) edi(state)
mov -12(ebp),eax     eax(ld2) ecx($stack2) ebx(sp) esi(cx) edi(state)
mov edx,0(eax)       eax(ld2) ecx($stack2) ebx(sp) esi(cx) edi(state)
*** we die here ***
mov eax,4(edx)       ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
mov eax,16(eax)      eax(ops) ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
cmp eax,676958       eax(ld4) ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
mov eax,-12(ebp)     ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
jne 0x2a1f55         eax(ld2) ecx($stack2) edx(ld3) ebx(sp) esi(cx) edi(state)
Comment 5 (Assignee)•15 years ago

JS_REQUIRES_STACK bool
TraceRecorder::test_property_cache(JSObject* obj, LIns* obj_ins, JSObject*& obj2, jsuword& pcval)
{
    jsbytecode* pc = cx->fp->regs->pc;
    JS_ASSERT(*pc != JSOP_INITPROP && *pc != JSOP_SETNAME && *pc != JSOP_SETPROP);

    // Mimic the interpreter's special case for dense arrays by skipping up one
    // hop along the proto chain when accessing a named (not indexed) property,
    // typically to find Array.prototype methods.
    JSObject* aobj = obj;
    if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
        aobj = OBJ_GET_PROTO(cx, obj);
        obj_ins = stobj_get_fslot(obj_ins, JSSLOT_PROTO);
    }

We are compiling with obj == dense array and emit this code, but we don't guard that obj will be a dense array at runtime. The access then fails subsequently when we run through the code with a non-dense array.
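An added example, not code from this bug, its patch, or jstracer.cpp: a miniature C++ model of the problem comment 5 describes. A lookup is specialised for the dense-array case seen at record time; the unguarded version then applies that proto hop to every object that follows, skipping an own property or dereferencing a null proto (the ld2/ld3 loads of comment 4 with $eax = 0 in comment 2), while the guarded version side-exits to the interpreter for any other kind. All names and layouts (Obj, Kind, interpLookup, unguardedTrace, guardedTrace) are invented.

```cpp
// Added example, not code from this bug or jstracer.cpp: a miniature model of the
// missing guard. Names and layouts (Obj, Kind, interpLookup, ...) are invented.
#include <cstdio>

enum Kind { DENSE_ARRAY, FUNCTION, PLAIN };

struct Obj {
    Kind kind;
    Obj* proto;        // stands in for fslots[JSSLOT_PROTO]
    int valueOfSlot;   // own "valueOf" property value, or -1 if none
};

enum Outcome { OUTCOME_VALUE, OUTCOME_NULL_DEREF, OUTCOME_GUARD_EXIT };
struct Result { Outcome outcome; int value; };

// Interpreter semantics: a dense array hops to its proto for a named property;
// any other object is searched itself first, then up the proto chain.
static Result interpLookup(const Obj* obj) {
    const Obj* o = (obj->kind == DENSE_ARRAY) ? obj->proto : obj;
    for (; o; o = o->proto)
        if (o->valueOfSlot >= 0) return {OUTCOME_VALUE, o->valueOfSlot};
    return {OUTCOME_VALUE, -1};   // property not found
}

// What the recorder emitted after seeing a dense array: the proto hop is baked in
// with no check on the object kind, so every later object takes it too. An own
// property is skipped (wrong result), and a null proto would be dereferenced
// ("ld3 = ld ld2[NULL]"); the model reports that instead of performing it.
static Result unguardedTrace(const Obj* obj) {
    const Obj* o = obj->proto;                    // "ld2 = ld $stack2[8]"
    if (!o) return {OUTCOME_NULL_DEREF, 0};
    for (; o; o = o->proto)
        if (o->valueOfSlot >= 0) return {OUTCOME_VALUE, o->valueOfSlot};
    return {OUTCOME_VALUE, -1};
}

// The fix: guard on the kind seen at record time and side-exit to the interpreter
// for anything else, so the specialised path only runs for objects it was built for.
static Result guardedTrace(const Obj* obj) {
    if (obj->kind != DENSE_ARRAY)
        return {OUTCOME_GUARD_EXIT, interpLookup(obj).value};
    return unguardedTrace(obj);
}

int main() {
    Obj orphan = {PLAIN, nullptr, 3};   // own valueOf, proto already null
    std::printf("unguarded=%d guarded=%d\n", unguardedTrace(&orphan).outcome,
                guardedTrace(&orphan).outcome);   // prints "unguarded=1 guarded=2"
}
```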
Comment 6 (Assignee)•15 years ago
Attachment #370104 - Flags: review?(brendan)

Updated•15 years ago
Attachment #370104 - Flags: review?(brendan) → review+
Comment 7 (Assignee)•15 years ago
http://hg.mozilla.org/tracemonkey/rev/87d7e4dd96be
Whiteboard: fixed-in-tracemonkey
Comment 8 (Assignee)•15 years ago
Assuming this sticks, please remove security flag once this has been merged into m-c.
Comment 9•15 years ago
http://hg.mozilla.org/mozilla-central/rev/87d7e4dd96be
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 10•15 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/b55630d9e670
Keywords: fixed1.9.1
Updated (Reporter)•15 years ago
Flags: in-testsuite?

Updated•15 years ago
Group: core-security
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Whiteboard: fixed-in-tracemonkey → [sg:critical?] fixed-in-tracemonkey
Comment 11•15 years ago
js1_8_1/trace/trace-test.js
http://hg.mozilla.org/tracemonkey/rev/61892f57b46a
Flags: in-testsuite? → in-testsuite+
Comment 12•15 years ago
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Comment 13•15 years ago

/cvsroot/mozilla/js/tests/js1_8_1/trace/trace-test.js,v  <--  trace-test.js
new revision: 1.14; previous revision: 1.13
/cvsroot/mozilla/js/tests/shell.js,v  <--  shell.js
Updated•13 years ago
Crash Signature: [@ 0x000fdecb]