Closed Bug 540131 Opened 15 years ago Closed 15 years ago

TM: Crash [@ js_ValueToString] or [@ block_getProperty] (64-bit) or "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 540528
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [ccbr][sg:dupe 540528])

try {
  (function() {
    let(x = (eval("for(y in[0,0,0,0]){}"))) {}
  })()
} catch(e) {}

asserts js debug shell with -j on TM tip at Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp:3303 but does not crash on js opt shell.
Summary: "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp" with try...catch, eval, for → TM: "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp" with try...catch, eval, for
autoBisect shows this is probably related to bug 495331:

The first bad revision is:
changeset:   37046:910ee7db07de
user:        David Mandelin
date:        Fri Jan 15 11:32:14 2010 -0800
summary:     Bug 495331: trace JSOP_LAMBDA for non-heavyweight, non-null closures, r=jorendorff,dvander
Blocks: 495331
(function() {
  for (let z in [true]) {
    (new(eval("for(l in[0,0,0,0]){}"))
     (((function f(a, b) {
      if (a.length == b) {
        return (z)
      }
      f(a, b + 1)
    })([,,], 0)), []))
  }
})()

crashes js opt 64-bit shell with -j on TM tip at block_getProperty near null and asserts js debug 64-bit shell with -j on TM tip at an identical assertion message. This testcase asserts 32-bit debug shell but does not crash in an opt one.
Summary: TM: "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp" with try...catch, eval, for → TM: Crash [@ block_getProperty] (64-bit) or "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp" with try...catch, eval, for
(function() {
  (eval("\
    (function() {\
      let(e = eval(\"\
        for(z=0;z<5;z++){}\
      \"))\
      (function(){\
        x = e\
      })()\
    })\
  "))()
})();
print(x)


crashes js opt 32-bit shell with -j on TM tip at js_ValueToString at 0xe401005a (scary address) and asserts js debug 32-bit shell with -j on TM tip at an identical assertion.

Turning security-sensitive because of this scary address.


Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000e401005a
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin           	0x000c981c js_ValueToString + 108
1   js-opt-32-tm-darwin           	0x00003c16 Print(JSContext*, unsigned int, long*) + 166
2   js-opt-32-tm-darwin           	0x00057726 js_Interpret + 36646
3   js-opt-32-tm-darwin           	0x0005e4bc js_Execute + 444
4   js-opt-32-tm-darwin           	0x0000d72c JS_ExecuteScript + 60
5   js-opt-32-tm-darwin           	0x000044b8 Process(JSContext*, JSObject*, char*, int) + 1336
6   js-opt-32-tm-darwin           	0x00008536 main + 1734
7   js-opt-32-tm-darwin           	0x0000245d _start + 208
8   js-opt-32-tm-darwin           	0x0000238c start + 40
Group: core-security
Summary: TM: Crash [@ block_getProperty] (64-bit) or "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp" with try...catch, eval, for → TM: Crash [@ js_ValueToString] or [@ block_getProperty] (64-bit) or "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp"
Whiteboard: [ccbr][sg:critical?]
(In reply to comment #2)
> (function() {
>   for (let z in [true]) {
>     (new(eval("for(l in[0,0,0,0]){}"))
>      (((function f(a, b) {
>       if (a.length == b) {
>         return (z)
>       }
>       f(a, b + 1)
>     })([,,], 0)), []))
>   }
> })()
> 
> crashes js opt 64-bit shell with -j on TM tip at block_getProperty near null
> and asserts js debug 64-bit shell with -j on TM tip at an identical assertion
> message. This testcase asserts 32-bit debug shell but does not crash in an opt
> one.


Crash stack:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000000000000e
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-64-tm-darwin           	0x0000000100064bcd block_getProperty(JSContext*, JSObject*, long, long*) + 29
1   js-opt-64-tm-darwin           	0x000000010006c091 js_NativeGet + 433
2   js-opt-64-tm-darwin           	0x0000000100055b9e js_Interpret + 33726
3   js-opt-64-tm-darwin           	0x000000010005d5cb js_Execute + 523
4   js-opt-64-tm-darwin           	0x000000010000cbe0 JS_ExecuteScript + 32
5   js-opt-64-tm-darwin           	0x0000000100003f9d Process(JSContext*, JSObject*, char*, int) + 1213
6   js-opt-64-tm-darwin           	0x0000000100007961 main + 1441
7   js-opt-64-tm-darwin           	0x0000000100002206 _start + 224
8   js-opt-64-tm-darwin           	0x0000000100002125 start + 33
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Group: core-security
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:dupe 540528]
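The two crash logs in this bug show the distinction the reporter used when raising the rating: the 64-bit crash faults at 0xe (a NULL pointer plus a small field offset, which usually means a plain null deref) while the 32-bit crash faults at 0xe401005a, an address that did not come from a NULL base at all, which is why it was marked security-sensitive. The script below is an added triage helper, not part of this bug report or of SpiderMonkey: it parses Mac OS X crash logs in the format pasted above (the two reports are copied from the comments), pulls out the faulting address and the crashed thread's frames, and applies that near-null versus wild-address rule of thumb. The NEAR_NULL_LIMIT threshold and the rating labels are assumptions chosen for illustration.

```python
import re

# Added triage helper (not part of the bug report): parse a Mac OS X crash log
# such as the two pasted in this bug and classify the faulting address the way
# the reporter did by eye.

# Crash reports copied from the bug's comments (top three frames kept).
CRASH_32BIT = """\
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000e401005a
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin           \t0x000c981c js_ValueToString + 108
1   js-opt-32-tm-darwin           \t0x00003c16 Print(JSContext*, unsigned int, long*) + 166
2   js-opt-32-tm-darwin           \t0x00057726 js_Interpret + 36646
"""

CRASH_64BIT = """\
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000000000000e
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-64-tm-darwin           \t0x0000000100064bcd block_getProperty(JSContext*, JSObject*, long, long*) + 29
1   js-opt-64-tm-darwin           \t0x000000010006c091 js_NativeGet + 433
2   js-opt-64-tm-darwin           \t0x0000000100055b9e js_Interpret + 33726
"""

ADDR_RE = re.compile(r"KERN_INVALID_ADDRESS at (0x[0-9a-fA-F]+)")
# index, module, pc, symbol (may contain spaces and parentheses), optional "+ offset"
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.+?)(?:\s\+\s(\d+))?$")

# Assumed threshold: a fault below the first 64 KiB is treated as NULL plus a
# field offset; real triage would use the platform's actual unmapped low region.
NEAR_NULL_LIMIT = 0x10000


def classify_fault_address(addr: int) -> str:
    """'near-null' reads as NULL-plus-offset (usually a plain DoS); anything
    else is a 'wild' pointer whose value came from data, not from a NULL base."""
    return "near-null" if addr < NEAR_NULL_LIMIT else "wild"


def parse_frames(report: str) -> list:
    """Return the frames of the crashed thread, in order, as dicts."""
    frames = []
    in_crashed_thread = False
    for line in report.splitlines():
        if line.startswith("Thread") and "Crashed" in line:
            in_crashed_thread = True
            continue
        if not in_crashed_thread:
            continue
        m = FRAME_RE.match(line)
        if m is None:
            if frames:          # first non-frame line after the frames ends the thread
                break
            continue
        frames.append({
            "index": int(m.group(1)),
            "module": m.group(2),
            "pc": int(m.group(3), 16),
            "symbol": m.group(4),
            "offset": int(m.group(5)) if m.group(5) else None,
        })
    return frames


def triage(report: str) -> dict:
    """Extract the faulting address and top frame and apply the rule of thumb."""
    m = ADDR_RE.search(report)
    if m is None:
        raise ValueError("no KERN_INVALID_ADDRESS line in report")
    addr = int(m.group(1), 16)
    frames = parse_frames(report)
    if not frames:
        raise ValueError("no crashed-thread frames in report")
    kind = classify_fault_address(addr)
    return {
        "fault_address": addr,
        "address_class": kind,
        "top_frame": frames[0]["symbol"],
        "top_module": frames[0]["module"],
        # Assumed labels: a wild address is escalated for a closer look,
        # a near-null one stays a crash/DoS until someone shows otherwise.
        "suggested_rating": "sg:critical?" if kind == "wild" else "dos-until-proven-otherwise",
    }


if __name__ == "__main__":
    for name, report in (("32-bit", CRASH_32BIT), ("64-bit", CRASH_64BIT)):
        r = triage(report)
        print(f"{name}: 0x{r['fault_address']:x} ({r['address_class']}) in "
              f"{r['top_frame']} -> {r['suggested_rating']}")
```

The classification is only a first-pass filter for a fuzzing queue: a near-null fault still deserves a root cause, and a wild address is a reason to look harder, not proof of anything.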
A testcase for this bug was automatically identified at js/src/jit-test/tests/closures/bug540131-2.js.
Flags: in-testsuite+