677194 - Assertion failure: !JSVAL_IS_PRIMITIVE(val) in nsDOMConstructor::HasInstance

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Bob Clary [:bc] (inactive)]

1. http://www.pagewash.com/nph-index.cgi/000010A/uggc:/=2fjjj.oop.pb.hx/ivrganzrfr/ivrganz/2011/08/110805_ihivrgatbna_rkcynangvba.fugzy

2. Assertion failure: !JSVAL_IS_PRIMITIVE(val), at /work/mozilla/builds/nightly/mozilla/dom/base/nsDOMClassInfo.cpp:6051

trunk only: mac, linux, windows

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x06b6d489 in CrashInJS () at /work/mozilla/builds/nightly/mozilla/js/src/jsutil.cpp:92
92	    *((int *) NULL) = 123;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x06b6d489 in CrashInJS () at /work/mozilla/builds/nightly/mozilla/js/src/jsutil.cpp:92
#1  0x06b6d4f3 in JS_Assert (s=0x6de34ed "!JSVAL_IS_PRIMITIVE(val)", file=0x6de1fc4 "/work/mozilla/builds/nightly/mozilla/dom/base/nsDOMClassInfo.cpp", ln=6051) at /work/mozilla/builds/nightly/mozilla/js/src/jsutil.cpp:103
#2  0x05836d86 in nsDOMConstructor::HasInstance (this=0x256b3400, wrapper=0x256b3520, cx=0x23cb1b80, obj=0x1e4c158, v=@0x1a524248, bp=0xbfffb1e4, _retval=0xbfffb1e0) at /work/mozilla/builds/nightly/mozilla/dom/base/nsDOMClassInfo.cpp:6051
#3  0x05837441 in nsDOMConstructorSH::HasInstance (this=0x1aa881a0, wrapper=0x256b3520, cx=0x23cb1b80, obj=0x1e4c158, val=@0x1a524248, bp=0xbfffb1e4, _retval=0xbfffb1e0) at /work/mozilla/builds/nightly/mozilla/dom/base/nsDOMClassInfo.cpp:11041
#4  0x05d8ee39 in XPC_WN_Helper_HasInstance (cx=0x23cb1b80, obj=0x1e4c158, valp=0x1a524248, bp=0xbfffb60c) at /work/mozilla/builds/nightly/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1072
#5  0x06a94f0f in js::HasInstance (cx=0x23cb1b80, obj=0x1e4c158, v=0x1a524248, bp=0xbfffb60c) at jsinterp.cpp:1026
#6  0x06a8d187 in js::Interpret () at /work/mozilla/builds/nightly/mozilla/js/src/jsinterp.cpp:5393
#7  0x06a95ad2 in js::RunScript (cx=0x23cb1b80, script=0x256b7b10, fp=0x1a524020) at jsinterp.cpp:613
#8  0x06a95cc3 in js::Execute (cx=0x23cb1b80, script=0x256b7b10, scopeChain=@0x1e20038, thisv=@0xbfffc430, type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x0) at jsinterp.cpp:911
#9  0x06a95e73 in js::ExternalExecute (cx=0x23cb1b80, script=0x256b7b10, scopeChainArg=@0x1e20038, rval=0x0) at jsinterp.cpp:947
#10 0x069c1918 in EvaluateUCScriptForPrincipalsCommon (cx=0x23cb1b80, obj=0x1e20038, principals=0x245044f4, chars=0x2553f008, length=12704, filename=0x23ededa8 "http://www.pagewash.com///nph-index.cgi/000010H/uggc:/=2ffgngvp.oop.pb.hx/senzrjbexf/oneyrfdhr/1.8.33/=2fqrfxgbc/3/fpevcg/oneyrfdhr.wf", lineno=1, rval=0x0, compileVersion=JSVERSION_DEFAULT) at /work/mozilla/builds/nightly/mozilla/js/src/jsapi.cpp:4970
#11 0x069c1c6b in JS_EvaluateUCScriptForPrincipalsVersion (cx=0x23cb1b80, obj=0x1e20038, principals=0x245044f4, chars=0x2553f008, length=12704, filename=0x23ededa8 "http://www.pagewash.com///nph-index.cgi/000010H/uggc:/=2ffgngvp.oop.pb

Comment 1

[Bob Clary [:bc] (inactive)]

Attachment: testcase

<script>
function foo(o) {
        o instanceof CSS2Properties;
}
foo({})

Comment 2

[Jesse Ruderman]

Another testcase:

({}) instanceof NodeFilter;

Comment 3

[Josh Matthews [:jdm]]

http://mxr.mozilla.org/mozilla-central/source/dom/base/nsDOMClassInfo.cpp#5889 shows this condition is now checked, and the testcases don't reproduce the crashes for me any more.

Comment 4

[Bob Clary [:bc] (inactive)]

Automation can still reproduce with

http://www.pagewash.com///nph-index.cgi/000010A/uggc:/=2fjjj.obkvgia.arg/onv/32766

http://www.pagewash.com/////nph-index.cgi/000010A/uggc:/=2foebxrepurpx.svaen.bet/Fhccbeg/AbErfhygf.nfck=3fFrnepuTebhc=3dVaqvivqhny%26FrnepuGlcr=3dSerrSbez%26FrnepuGrkg=3dqbzavp%26SAnzr=3d%26ZAnzr=3d%26YAnzr=3d%26SvezAnzr=3d%26PEQAhzore=3d-1%26VaqiyOPPgtel=3d-1%26VaqiyVNPgt

On all three platforms and branches. I reproduced with 2/14's Nightly on Mac OS X 10.5 locally. I also reproduced locally with both test cases. 

You did test with a debug build?

Comment 5

[Josh Matthews [:jdm]]

Whoops. I was under the misguided impression that JS asserts were non-debug. We should just transform the !JSVAL_IS_PRIMITIVE assertion into an early return instead.

Comment 7

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

marked per request of Ms2ger

Comment 8

[Ed Morley [:emorley]]

(Removing mentored bug annotation, given s-s and so not accessible to new contributors).

Comment 9

[Josh Matthews [:jdm]]

Attachment: Change assertion to an early-return bailout.

I threw my r? into the air / it fell to earth, I know not where.

Comment 10

[:Ms2ger (he/him; ⌚ UTC+1/+2)]

Sorry, misread the code. This isn't actually s-s.

Comment 11

[Bob Clary [:bc] (inactive)]

not security sensitive per comment 10.

Comment 12

[Daniel Veditz [:dveditz]]

Assigning to Josh because it's his patch.

Comment 13

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/e466bffc6a7b

Any chance of getting a test?

Comment 14

[Josh Matthews [:jdm]]

Yes, it should be easy to create a crashtest that will fail in debug builds. I'll do that.

Comment 15

[:Ms2ger (he/him; ⌚ UTC+1/+2)]

Attachment: Test

Comment 16

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/e466bffc6a7b

Comment 17

[:Ms2ger (he/him; ⌚ UTC+1/+2)]

Landed test:

https://hg.mozilla.org/mozilla-central/rev/a0488fd9207b