Closed
Bug 488816
Opened 15 years ago
Closed 15 years ago
TM: Crash [@ 0x000fdf5b]
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9.1b4
People
(Reporter: gkw, Assigned: gal)
References
Details
(4 keywords, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(1 file, 2 obsolete files)
|
2.58 KB,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
eval("\
(function(){\
for(y in [{},{},{}])\
((function(){\
for(let y in [0])\
y = this\
})())\
})()\
");
crashes opt and debug js shells with -j at a scary location (setting security-sensitive).
autoBisect shows this is probably related to bug 488203 :
The first bad revision is:
changeset: 27199:bf37cd061e3c
user: Andreas Gal
date: Tue Apr 14 19:52:09 2009 -0700
summary: Properly compute 'this' object on trace and wrap if necessary (488203, r=mrbkap).
===
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread: 0
Thread 0 Crashed:
0 ??? 0x000fdf5b 0 + 1040219
1 ??? 0xbfffed98 0 + 3221220760
2 js-opt-tm-intelmac 0x000a825b js_RecordLoopEdge(JSContext*, TraceRecorder*, unsigned int&) + 519
3 js-opt-tm-intelmac 0x000a836e js_MonitorLoopEdge(JSContext*, unsigned int&) + 58
4 js-opt-tm-intelmac 0x0003ecef js_Interpret + 43919
5 js-opt-tm-intelmac 0x00043796 js_Execute + 572
6 js-opt-tm-intelmac 0x0004f121 obj_eval(JSContext*, JSObject*, unsigned int, long*, long*) + 1911
7 js-opt-tm-intelmac 0x00043f81 js_Invoke + 1719
8 js-opt-tm-intelmac 0x0003479e js_Interpret + 1598
9 js-opt-tm-intelmac 0x00043796 js_Execute + 572
10 js-opt-tm-intelmac 0x0000c90a JS_ExecuteScript + 60
11 js-opt-tm-intelmac 0x00004257 Process(JSContext*, JSObject*, char*, int) + 1559
12 js-opt-tm-intelmac 0x0000680f main + 863
13 js-opt-tm-intelmac 0x0000210b _start + 209
14 js-opt-tm-intelmac 0x00002039 start + 41Flags: blocking1.9.1?
|
Assignee | |
Updated•15 years ago
|
Assignee: general → gal
|
|
Assignee | |
Comment 1•15 years ago
|
||
Confirmed with TM tip. Good test case + reduction. Great work Gary.
|
|
Assignee | |
Updated•15 years ago
|
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b4
|
|
Assignee | |
Comment 2•15 years ago
|
||
|
|
Assignee | |
Comment 3•15 years ago
|
||
Attachment #373414 -
Attachment is obsolete: true
Attachment #373415 -
Flags: review?(brendan)
|
||
Updated•15 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
|
||
Comment 4•15 years ago
|
||
Comment on attachment 373415 [details] [diff] [review] slightly less broken english in the comments >+ /* >+ * In global code, bake in the global object as 'this' object. >+ */ >+ if (!cx->fp->callee) { > JS_ASSERT(callDepth == 0); >+ JSObject* thisObj = js_ComputeThisForFrame(cx, cx->fp); >+ if (!thisObj) >+ ABORT_TRACE("js_ComputeThis failed"); >+ JS_ASSERT(JSVAL_IS_OBJECT(cx->fp->argv[-1])); > this_ins = INS_CONSTPTR(thisObj); Blank line here. >+ /* >+ * We don't have argv[-1] in global code, so we don't update the tracker here. >+ */ >+ return true; >+ } Blank line here. >+ /* >+ * Traces type-specialize between null and objects, so if we currently see a null >+ * value in argv[-1], this trace will only match if we see null at runtime as well. >+ * Bake in the global object as 'this' object, updating the tracker as well. We >+ * can only detect this condition prior to calling js_ComputeThisForFrame, since it >+ * updates the interpreter's copy of argv[-1]. >+ */ >+ if (JSVAL_IS_NULL(cx->fp->argv[-1])) { >+ JSObject* thisObj = js_ComputeThisForFrame(cx, cx->fp); >+ if (!thisObj) >+ ABORT_TRACE("js_ComputeThis failed"); Where's that bug on propagating errors to the interpreter? Graydon mentioned the control flow graph complexity of jstracer.cpp being very high, when looking into the general problem. >+ JS_ASSERT(JSVAL_IS_OBJECT(cx->fp->argv[-1])); You want to exclude null here, so !JSVAL_IS_PRIMITIVE(cx->fp->argv[-1]). >+ JS_ASSERT(thisObj == globalObj); >+ this_ins = INS_CONSTPTR(thisObj); >+ set(&cx->fp->argv[-1], this_ins); > return true; > } > this_ins = get(&cx->fp->argv[-1]); Blank line here. /be
|
|
Assignee | |
Comment 5•15 years ago
|
||
Attachment #373415 -
Attachment is obsolete: true
Attachment #373422 -
Flags: review?(brendan)
Attachment #373415 -
Flags: review?(brendan)
|
|
||
Updated•15 years ago
|
Attachment #373422 -
Flags: review?(brendan) → review+
|
|
Assignee | |
Comment 6•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/aae39925c259 Please remove security flag. The underlying patch never made it into trunk.
Whiteboard: fixed-in-tracemonkey
|
|
||
Updated•15 years ago
|
Group: core-security
|
|
||
Comment 7•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/aae39925c259
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Updated•15 years ago
|
|
|
||
Comment 8•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/e0e2c0525fb8
Keywords: fixed1.9.1
|
Reporter | |
Updated•15 years ago
|
Flags: in-testsuite?
|
||
Updated•13 years ago
|
Crash Signature: [@ 0x000fdf5b]
|
||
Comment 9•11 years ago
|
||
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•