Closed
Bug 1098961
Opened 10 years ago
Closed 10 years ago
Crash [@ js::TypeDescrIsSimpleType] or Assertion failure: args[0].isObject(), at builtin/TypedObject.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla36
Tracking | Status | |
---|---|---|
firefox33 | --- | unaffected |
firefox34 | --- | unaffected |
firefox35 | --- | unaffected |
firefox36 | --- | affected |
firefox-esr31 | --- | unaffected |
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(3 files)
Array.prototype[Symbol.iterator] = function() {
for (var i = 3; --i >= 0;) {
yield this[i]
}
}
new TypedObject.ArrayType(TypedObject.int32, 0).build(x => 1)
asserts js debug shell on m-c changeset 7f0d92595432 with --no-ion --no-threads at Assertion failure: args[0].isObject(), at builtin/TypedObject.cpp.
Debug configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
This was found by combining random jit-tests together with jsfunfuzz, the specific files are:
http://hg.mozilla.org/mozilla-central/file/7f0d92595432/js/src/jit-test/tests/for-of/semantics-03.js
http://hg.mozilla.org/mozilla-central/file/7f0d92595432/js/src/jit-test/tests/ion/inlining/TypedObject-TypeDescrIsArrayType-unknown.js
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ceca39a1a154
user: Brian Hackett
date: Fri Nov 07 08:37:21 2014 -0700
summary: Bug 1092318 - Remove unsized array typed objects, r=nmatsakis.
Brian, is bug 1092318 a possible regressor?
Flags: needinfo?(bhackett1024)
Reporter | ||
Comment 1•10 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x1b27b1, 0x00000001000c7c4c js-dbg-opt-64-dm-nsprBuild-darwin-7f0d92595432`js::TypeDescrIsSimpleType((null)=<unavailable>, argc=<unavailable>, vp=<unavailable>) + 396 at TypedObject.cpp:2713, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x00000001000c7c4c js-dbg-opt-64-dm-nsprBuild-darwin-7f0d92595432`js::TypeDescrIsSimpleType((null)=<unavailable>, argc=<unavailable>, vp=<unavailable>) + 396 at TypedObject.cpp:2713
frame #1: 0x0000000100631492 js-dbg-opt-64-dm-nsprBuild-darwin-7f0d92595432`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::CallJSNative(native=0x00000001006df5b0)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 166 at jscntxtinlines.h:231
frame #2: 0x00000001006313ec js-dbg-opt-64-dm-nsprBuild-darwin-7f0d92595432`js::Invoke(cx=0x0000000101c01b90, args=CallArgs at 0x00007fff5fbfcad0, construct=<unavailable>) + 428 at Interpreter.cpp:482
frame #3: 0x000000010064e491 js-dbg-opt-64-dm-nsprBuild-darwin-7f0d92595432`Interpret(cx=<unavailable>, state=<unavailable>) + 43393 at Interpreter.cpp:2527
frame #4: 0x0000000100643ae9 js-dbg-opt-64-dm-nsprBuild-darwin-7f0d92595432`js::RunScript(cx=0x0000000101c01b90, state=0x00007fff5fbfd918) + 345 at Interpreter.cpp:432
(lldb)
Reporter | ||
Comment 2•10 years ago
|
||
This also causes a null de-ref in js opt shells compiled using:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Crash Signature: [@ js::TypeDescrIsSimpleType]
Keywords: crash
Summary: Assertion failure: args[0].isObject(), at builtin/TypedObject.cpp → Crash [@ js::TypeDescrIsSimpleType] or Assertion failure: args[0].isObject(), at builtin/TypedObject.cpp
Reporter | ||
Updated•10 years ago
|
status-firefox33:
--- → unaffected
status-firefox34:
--- → unaffected
status-firefox35:
--- → unaffected
status-firefox-esr31:
--- → unaffected
Reporter | ||
Comment 3•10 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x1b2b23, 0x0000000100095bbe js-dbgDisabled-opt-64-dm-nsprBuild-darwin-7f0d92595432`js::TypeDescrIsSimpleType(js::ThreadSafeContext*, unsigned int, JS::Value*) [inlined] js::BarrieredBase<js::types::TypeObject*>::operator->(this=<unavailable>) const at Barrier.h:455, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x8)
* frame #0: 0x0000000100095bbe js-dbgDisabled-opt-64-dm-nsprBuild-darwin-7f0d92595432`js::TypeDescrIsSimpleType(js::ThreadSafeContext*, unsigned int, JS::Value*) [inlined] js::BarrieredBase<js::types::TypeObject*>::operator->(this=<unavailable>) const at Barrier.h:455
frame #1: 0x0000000100095bbe js-dbgDisabled-opt-64-dm-nsprBuild-darwin-7f0d92595432`js::TypeDescrIsSimpleType(js::ThreadSafeContext*, unsigned int, JS::Value*) [inlined] JSObject::getClass(this=0x0000000000000000) const at jsobj.h:138
frame #2: 0x0000000100095bbe js-dbgDisabled-opt-64-dm-nsprBuild-darwin-7f0d92595432`js::TypeDescrIsSimpleType(js::ThreadSafeContext*, unsigned int, JS::Value*) [inlined] js::ValueOperations<JS::MutableHandle<JS::Value> >::toObject(this=0x0000000000000000, i=<unavailable>) const + 4 at TypedObject.h:1054
frame #3: 0x0000000100095bba js-dbgDisabled-opt-64-dm-nsprBuild-darwin-7f0d92595432`js::TypeDescrIsSimpleType((null)=0x0000000101613c90, argc=1, vp=0x000000010187fa70) + 10 at TypedObject.cpp:2716
frame #4: 0x0000000100456830 js-dbgDisabled-opt-64-dm-nsprBuild-darwin-7f0d92595432`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::CallJSNative(native=0x00000001004bafa0, args=0x000000010187fa80)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 65 at jscntxtinlines.h:231
(lldb)
Assignee | ||
Comment 5•10 years ago
|
||
This isn't a regression from bug 1092318. The testcase below crashes in 527d5142b7c5, which is the parent revision to bug 1092318:
Array.prototype[Symbol.iterator] = function() {
for (var i = 3; --i >= 0;) {
yield this[i]
}
}
new TypedObject.ArrayType(TypedObject.int32, 0).build(1, x => 1)
The problem here is that the typed object self hosting code uses destructuring internally, and when that destructuring code runs it accesses this iteration stuff whose behavior can be changed in arbitrary ways by the referring script. I guess this could be fixed by either banning array-style destructuring in self hosted code, or modifying its semantics so it uses the builtin array iterator.
Assignee | ||
Updated•10 years ago
|
Flags: needinfo?(bhackett1024)
Assignee | ||
Comment 6•10 years ago
|
||
After talking with Till we decided that banning operations which can invoke these iteration hooks is the best course of action here. This patch adds an assert to that effect and fixes up the places in TypedObject.js where this bites. Other self hosted code doesn't use array style destructuring.
Assignee: nobody → bhackett1024
Attachment #8524062 -
Flags: review?(nmatsakis)
Comment 7•10 years ago
|
||
Comment on attachment 8524062 [details] [diff] [review]
patch
Review of attachment 8524062 [details] [diff] [review]:
-----------------------------------------------------------------
Nice find by the fuzzers. (And reason 1 of N that I am not a huge fan of destructuring sugar.)
::: js/src/frontend/BytecodeEmitter.cpp
@@ +3426,5 @@
> EmitIteratorNext(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn=nullptr)
> {
> + // Disallow use of .next() iteration in self hosted code, as this can
> + // access user modifiable iteration hooks.
> + MOZ_ASSERT(bce->emitterMode != BytecodeEmitter::SelfHosting);
Put the rationale in the assertion itself so that people who encounter this know immediately why this is prohibited without having to find the assertion in source code:
MOZ_ASSERT(bce->emitterMode != BytecodeEmitter::SelfHosting,
".next() iteration is prohibited in self-hosted code because it "
"could run user-modifiable iteration code");
Comment 8•10 years ago
|
||
Comment on attachment 8524062 [details] [diff] [review]
patch
Review of attachment 8524062 [details] [diff] [review]:
-----------------------------------------------------------------
I agree with Jeff's comment regarding having a message in the assertion.
Attachment #8524062 -
Flags: review?(nmatsakis) → review+
Assignee | ||
Comment 9•10 years ago
|
||
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
You need to log in
before you can comment on or make changes to this bug.
Description
•